General Data Protection Regulation (GDPR)
The future of data privacy is now, and it’s going global
The General Data Protection Regulation (GDPR) is an updated European privacy and data protection law that came into force on May 25, 2018. GDPR re-emphasizes and reinforces existing data protection principles in the European Union (EU). GDPR also adds new rules that are designed to expand legal and privacy rights protections for EU citizens.
As a leader in the application performance monitoring and business intelligence space, AppDynamics understands the value and importance of effectively leveraging data to solve modern business problems. AppDynamics also respects the need to protect data and to comply with data protection rules, especially when it comes to personal data and the rights of individual data subjects.
AppDynamics has welcomed GDPR as an important update to the global view on privacy, data protection, and cybersecurity.
In addition, AppDynamics partners with its parent company, Cisco Systems, Inc. (“Cisco”) to ensure AppDynamics’ privacy program is aligned with Cisco’s Data Protection and Privacy program.
GDPR applies to companies located anywhere in the world that collect and/or process personal data of EU residents.
Fines for non-compliance can reach the greater of 4% of global revenue or €20M.
Privacy and data impact assessments
The impact and risk of collection and processing of personal data on the data subject’s right to privacy and any potential risks of harm must be assessed when such activity involves new technologies or methods of processing that may pose a high level of risk to the data subject.
Enhanced data subject rights
Consent - Consent must be specific, informed, freely given, and an unambiguous indication of the data subject’s consent to the processing. Data subjects can withdraw consent at any time and must be able to do this as easily as it was to give consent.
Right to erasure - Data subjects have the right to require a data controller to delete personal data where the data controller does not have a legitimate ground to retain the data.
Data portability - Data subjects may request a copy of their personal data in a common digital format and have their personal data transferred directly between data controllers.
Privacy by design and by default
Privacy issues must be considered and addressed at the design phase of products, websites, and other systems that process personal data, and specific privacy-minded functionality must be designed into offerings. Products must be provided to data subjects with the most privacy-favored functionality turned on by default.
Incident response and breach notification
GDPR requires data controllers to notify the relevant Data Protection Authority (or Authorities) within 72 hours of a breach affecting personal data, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, and to notify any impacted data subjects without undue delay when a high risk to their rights and freedoms is likely. Data processors must notify data controllers of a data security breach without undue delay.
Data processor’s liability
GDPR imposes requirements directly on data processors. Under GDPR, data processors can face direct enforcement action and may be fined by Data Protection Authorities.
Appointment of Data Protection Officer (DPO)
Companies should (and in some cases must) appoint a Data Protection Officer who is supported by a team that will be responsible for data protection compliance.
AppDynamics and Cisco are acutely aware of GDPR and its implications both for AppDynamics and for its customers. During the lead up to May 25, 2018, AppDynamics established an internal, cross-functional team to manage this important project, with executive sponsorship from both AppDynamics’ Chief Information Security Officer and AppDynamics’ General Counsel.
Here are some highlights of the key GDPR readiness work that AppDynamics’ cross-functional Privacy team tracked and continues to closely monitor for ongoing compliance:
AppDynamics continues to maintain a comprehensive security program and organization that is supported by leaders who are committed to proactively managing privacy and cybersecurity risk.
AppDynamics teams partner with their Cisco counterparts on information security and privacy initiatives. AppDynamics leverages Cisco’s industry leadership and Cisco provides an additional governance layer for AppDynamics.
Product Management, Security, and Legal team leadership have launched a cross-functional privacy team charged with reviewing and optimizing processes around the business to ensure AppDynamics is always ready to comply, as well as with developing a privacy-by-design-infused engineering road map to support product development.
AppDynamics demonstrates its focus on protecting customer information by maintaining SOC 2 certification.
Data review and risk assessment
AppDynamics’ Privacy team continues to perform privacy impact assessments on all customer-facing products, as well as refreshing its understanding of data flows within its products and in its internal business.
AppDynamics’ Privacy team created and maintains Product Information Data Sheets that detail the data collected and processed by each AppDynamics product.
Privacy and security by design/default
The AppDynamics Privacy team proactively engages in AppDynamics’ software development processes to further embed “Privacy by Design” and “Privacy by Default” activities at key inflection points, improving the process and ensuring an always-GDPR-ready development posture.
Ensuring appropriate data transfer mechanisms
The AppDynamics Legal team launched a set of updated data transfer agreements to support new and existing customers and is working hard to update data transfer agreements where appropriate.
AppDynamics’ Privacy and Legal teams continue to monitor the possible implementation of legally-recognized alternatives to EU Model Clauses and data transfer agreements.
AppDynamics regularly reviews, updates and tests its incident response policy, operational program, and relevant training materials with the new GDPR overlay in mind.
Accounting for and managing third-party risk
AppDynamics’ Privacy team reviewed and updated AppDynamics’ existing vendor and third-party risk programs to account for GDPR implications when hiring third parties.
AppDynamics engages third-party service providers to support the availability and data processing activities of its products and related services.
Security program and certification
AppDynamics is committed to providing strong levels of security assurance for its customers, partners, and community. Through the development of its cross-functional security program, AppDynamics employees are working hard to ensure the security of its software products and services and of the systems that AppDynamics leverages to operate its company.
International data transfers
AppDynamics complies with applicable law when international transfers of its customers’ personal data are made. Where a customer’s use of AppDynamics products and services requires the transfer of personal data to a location outside the European Economic Area, AppDynamics employs Standard Contractual Clauses (also commonly referred to as EU Model Clauses) as a legally recognized data transfer mechanism.
Performing a privacy or data impact review of AppDynamics’ products? AppDynamics provides product datasheets to enable customers to learn more about what data may be collected and processed by AppDynamics products.