General Data Protection Regulation (GDPR)

The future of data privacy is now, and it’s going global

The General Data Protection Regulation (GDPR) is an updated European privacy and data protection law that will come into force on May 25, 2018. GDPR re-emphasizes and reinforces existing data protection principles in the European Union (EU). GDPR also adds new rules that are designed to expand legal and privacy rights protections for EU citizens.

As a leader in the application performance monitoring and business intelligence space, AppDynamics understands the value and importance of effectively leveraging data to solve modern business problems. AppDynamics also respects the need to protect data and to comply with data protection rules, especially when it comes to personal data and the rights of individual data subjects.

AppDynamics welcomes GDPR as an important update to the global view on privacy, data protection, and cybersecurity.

Key features of GDPR

Global reach

  • GDPR applies to companies located anywhere in the world that collect and/or process personal data of EU residents

High-impact fines

  • Fines for non-compliance can be the greater of 4% of global revenue or €20M

Enhanced data subject rights

  • Consent - Consent must be specific, informed, freely given, and an unambiguous indication of the data subject’s agreement to the processing. Data subjects can withdraw consent at any time, and withdrawing consent must be as easy as giving it

  • Right to erasure - Data subjects have the right to require a data controller to delete personal data where the data controller does not have a legitimate ground to retain the data

  • Data portability - Data subjects may request a copy of their personal data in a common digital format and have their personal data transferred directly between data controllers

Privacy and data impact assessments

  • The impact and risk of collection and processing of personal data on the data subject’s right to privacy and any potential risks of harm must be assessed when such activity involves new technologies or methods of processing that may pose a high level of risk to the data subject.

Privacy by design and by default

  • Privacy issues must be considered and addressed at the design phase of products, websites, and other systems that process personal data, and specific privacy-minded functionality must be designed into offerings. Products must be provided to data subjects with the most privacy-favored functionality on by default.

Incident response and breach notification

  • GDPR requires data controllers to notify the relevant Data Protection Authority or Authorities within 72 hours of a breach affecting personal data, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, and to notify any impacted data subjects without undue delay when a high risk to their rights and freedoms is likely. Data processors must notify data controllers of a data security breach without undue delay.

Data processor’s liability

  • GDPR imposes requirements directly on data processors. Under GDPR, data processors can face direct enforcement action and may be fined by Data Protection Authorities.

Appointment of Data Protection Officer (DPO)

  • Companies should (and in some cases must) appoint a Data Protection Officer who is supported by a team that will be responsible for data protection compliance.

AppDynamics is committed to GDPR readiness

AppDynamics and Cisco are acutely aware of GDPR and its implications both for AppDynamics and for our customers. AppDynamics has established an internal, cross-functional team to manage this important project, with executive sponsorship from both AppDynamics’ Chief Information Security Officer and AppDynamics’ General Counsel. There are many new requirements to work through to achieve compliance readiness by May 25, 2018, and implementation work at AppDynamics remains ongoing.

Here are some highlights of the work that our teams are tracking in key areas as GDPR approaches:

Policies/Standards/Enforcement

  • AppDynamics continues to maintain a comprehensive security program and organization that is supported by leadership who are committed to proactively managing privacy and cybersecurity risk

  • Product Management, Security, Privacy, and Legal team leadership have launched a cross-functional GDPR team charged with reviewing and optimizing processes around the business to ensure AppDynamics is ready to comply, as well as developing a privacy-by-design-infused engineering road map

  • AppDynamics is partnering with its parent company, Cisco, to collaborate on business-focused GDPR-readiness solutions, which include leveraging the leadership of Cisco’s world-class Data Protection, Security and Trust Organization, and Legal teams while sharing what AppDynamics’ in-house subject matter experts are learning and implementing

  • AppDynamics demonstrates its focus on protecting customer information by maintaining SOC 2 certification

Data review and risk assessment

  • AppDynamics’ GDPR team is performing privacy impact assessments on all customer-facing products, as well as refreshing its understanding of data flows within our products and in our internal business

Ensuring appropriate data transfer mechanisms

  • The AppDynamics Legal team is working hard to update data transfer agreements where appropriate

  • AppDynamics’ Privacy and Legal teams are actively monitoring and exploring possible implementation of legally-recognized alternatives to model clauses and data transfer agreements

Accounting for and managing third-party risk

  • AppDynamics’ GDPR team is reviewing and updating AppDynamics’ existing vendor and third-party risk programs to account for GDPR implications when hiring third parties

Privacy and security by design/default

  • The AppDynamics GDPR team is proactively engaging in AppDynamics’ software development processes to further embed “Privacy by Design” and “Privacy by Default” activities and motions at key inflection points, to improve the process and ensure a GDPR-ready development posture

Incident response

  • AppDynamics regularly reviews, updates and tests its incident response policy, operational program, and relevant training materials with the new GDPR overlay in mind

Additional information on AppDynamics’ privacy practices and program

Subprocessors

AppDynamics engages third-party service providers to support the availability and data processing activities of our products and related services. For more information on our subprocessors and third-party service providers, click here.


International data transfers

AppDynamics complies with applicable law when we make international transfers of our customers’ personal data. Where your use of AppDynamics products and services requires us to transfer personal data to a location outside the European Economic Area, we employ the following legally-recognized data transfer mechanisms: the EU-US Privacy Shield, the Swiss-US Privacy Shield, and Standard Contractual Clauses (also commonly referred to as EU Model Clauses).


AppDynamics Privacy Shield certification

AppDynamics is a wholly owned subsidiary of Cisco Systems, Inc. (“Cisco”). Cisco participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (“EU”) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov.


Security program and certification

AppDynamics is committed to providing strong levels of security assurance for our customers, our partners, and our community. Through the development of our cross-functional security program, our employees are working hard to ensure the security of our software products and services and of the systems we use to operate our company.

Product information

Performing a privacy or data impact review of AppDynamics’ products? AppDynamics provides product data sheets to enable our customers to learn more about what data may be collected and processed by AppDynamics products.