General Data Protection Regulation (GDPR) is a comprehensive privacy law created by the European Union (EU) which harmonizes data protection laws across the EU states and reinforces the protection of personal data for EU individuals conducting business all over the globe.
Our customers’ data security and data privacy are of utmost importance to us. We have taken the necessary steps, working with cross-functional internal teams, vendors and external counsel, to comply with the requirements of the GDPR. Here’s how we did it:
Employee training and awareness is key to dealing with major changes in the regulatory landscape. In order to ensure all our employees are aware of the applicable GDPR guidelines and requirements, we have established an employee training program. General awareness training of GDPR requirements has been provided to all current employees and will be mandatory for all future hires. Specialized role and region-based training is also provided to ensure our employees have the appropriate knowledge and understanding of the new regulation to support our customers the best way possible.
We offer customers robust privacy commitments through Standard Contractual Clauses. To extend our privacy commitments we have created Data Processing Addendums (DPA) to include specific provisions to assist customers in their compliance with the GDPR. We have also signed DPAs with our existing vendors and service providers who may deal with EU individuals’ personal data.
As a matter of best practice, we have incorporated Data Privacy by Design principles and Data Privacy Impact Assessments in our SDLC process to ensure appropriate care is taken as we build new features in our existing products and services, as well as when we develop new solutions. Customer data privacy and security is our highest concern, and we are committed to fulfilling the responsibilities entrusted to us.
We have implemented procedures to address Data Subject Rights requests related to access, erasure, portability, and rectification of personal data. Our formal procedures provide transparency into our process and allow us to respond to Data Subject Rights requests as required by the GDPR. To make a request or inquiry related to the treatment of personal data by NTT Application Security, please submit the request via email to [email protected].
We have enhanced our already robust incident reporting mechanism to incorporate GDPR requirements. We formalized a process to report privacy incidents to the Privacy Leader at NTT Application Security through [email protected], and we have established a procedure to report data breaches within 72 hours of breach discovery as required by GDPR articles.