The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), adopted on April 27, 2016, is a regulation of the European Parliament and the Council of the European Union, proposed by the European Commission, intended to strengthen and unify data protection for individuals within the European Union (EU). It also governs the transfer of personal data outside the EU. The primary objectives of the GDPR are to give individuals in the EU greater control over their personal data and to simplify the regulatory environment for international business by imposing uniform data protection requirements across all EU member states.
When the GDPR takes effect, it will replace the Data Protection Directive (Directive 95/46/EC) of 1995. The GDPR applies from May 25, 2018. It is a significant change in the EU data privacy landscape and more clearly allocates responsibility between the data controller (Zscaler’s customers and partners) and the data processor (Zscaler) with respect to the processing of personal data. Under the GDPR, both the data controller and the data processor have additional duties and obligations to protect personal data, and both face liability for failures to comply with its requirements.
Zscaler is committed to our customers’ success, including their compliance with the GDPR. As with existing privacy laws, including the current Data Protection Directive, compliance with the GDPR requires a partnership between Zscaler and our customers in their use of our services and products. Zscaler has closely analyzed the requirements of the GDPR and continues to enhance our services, products, documentation, and contracts to support our own compliance. In addition, Zscaler is dedicated to assisting our customers with their own GDPR compliance efforts.
Assisting our Customers in Complying with the GDPR
- Controller vs. Processor Responsibility Chart: Zscaler has compiled a comprehensive, side-by-side chart of the customer’s obligations as the data controller and Zscaler’s obligations as the data processor. This chart helps our customers understand exactly what they need to do to comply with the GDPR and what they can expect from Zscaler.
- Updated Data Processing Agreement (DPA): Zscaler has also updated its DPA to align with GDPR requirements. This updated DPA contains revised or additional contractual provisions in order to assist our customers in their compliance with the GDPR. You may download the pre-signed DPA here and follow the instructions on page 1 for executing.
Zscaler Compliance with the GDPR
As a security-as-a-service provider, data privacy and security are at the core of Zscaler’s business and something Zscaler takes very seriously. Zscaler remains committed to protecting personal data in compliance with the highest standards of privacy and security. Below is a high-level summary of Zscaler’s compliance with many of the key areas of the GDPR.
- As the data processor, Zscaler processes personal data only on behalf of the data controller and only on the data controller’s documented written instructions (i.e. through a contract or order).
- Zscaler expects that its customers and partners, as the data controllers, will notify their employees and users (i.e. the data subjects) of the processing carried out by Zscaler and will obtain their consent for Zscaler to do so.
- Zscaler ensures the confidentiality, integrity and availability of the personal data that it processes and takes appropriate technical and organizational measures to protect such personal data.
- Zscaler stores a limited amount of personal data (e.g. IP addresses, URLs, user IDs, and user groups and departments from the corporate directory) and does not process or store any special categories of personal data (i.e. “sensitive” data). In addition:
  - For the majority of Zscaler’s services and products, HTTP, HTTPS and non-HTTP transaction content is never stored by Zscaler or written to disk; all inspection takes place in memory.
  - For customers who order Zscaler’s cloud sandbox product, Zscaler records malicious content to a storage disk; however, customers decide which files are sent to Zscaler’s sandbox (based on file type, URL category, user/group, etc.).
  - Customers have the option to obfuscate their user IDs so that they are never seen by Zscaler Operations and Support teams or by the customer’s own administrators.
  - Customer Transaction Logs (Logs) are indexed, compressed, and tokenized at the point of generation, so that a single Log is meaningless without the complete sequence of historic Logs and access to the indexes stored in Zscaler’s Central Authority (CA). Hence, even with access to the stored data, personal data cannot be derived without Zscaler’s user interface bringing together information from the Logs and information from the CA.
  - The Logs are never stored in clear text.
- Zscaler has the ability to store all personal data for its EU customers in the EU and Switzerland. Further, for an additional fee, customers can store their Logs on Zscaler-managed servers on the customer’s own premises.
- Zscaler only allows access to personal data by personnel who are authorized administrators with appropriate privileges.
- Zscaler does not process or store any personal data that is not needed to perform the contracted services on behalf of the data controller.
- The personal data that Zscaler processes on behalf of the data controller will be accurate, complete, and kept up-to-date as much as technically possible.
- Personal data will not be disclosed, made available, or otherwise used for purposes other than to perform the contracted services on behalf of the data controller, except as required by law.
- All transfers of personal data outside the European Economic Area (EEA) are made only for the purpose of providing the contracted services to the data controller and are subject to the EU-US and Swiss-US Privacy Shield principles.
- Zscaler retains Logs in its cloud infrastructure for rolling periods of at least six months, after which the Logs are securely purged. In addition, customers can order Zscaler’s Nanolog Streaming Service (NSS) in order to retain such Logs for as long as they choose.
- Zscaler will obtain the authorization of the data controller before engaging any sub-processors, which may be given as specific contractual consent or as general consent. Zscaler will be responsible and liable for the performance of such sub-processors.
- At contract termination or expiration, the Logs will be purged pursuant to the six-month retention cycle, or earlier if requested in writing by the data controller.
- Zscaler will make available to the data controller all information reasonably necessary for the data controller to demonstrate its compliance with the GDPR.
- Zscaler is accountable and responsible for ensuring its own compliance under the GDPR.
- Zscaler protects personal data through reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.
- Since Zscaler operates a multi-tenant cloud, it has certified against the ISO/IEC 27001 information security standard in order to maintain consistent and robust security controls and procedures for all customers on its cloud.
- Zscaler applies security measures to its cloud such as antivirus, firewalls, scheduled vulnerability scanning, penetration testing and security-focused code peer reviews.
- Zscaler’s cloud infrastructure is hardened against DDoS attacks and monitored 24x7x365.
- All Zscaler personnel who are authorized to process personal data have committed themselves (through employment and confidentiality agreements) to the confidentiality and security of personal data.
- Zscaler encrypts all communications within its cloud and anonymizes, pseudonymizes, or obfuscates personal data where technically possible.
- In addition to adhering to ISO 27001 principles, the top-tier global data centers that Zscaler uses apply physical protections including sophisticated entry control systems, dual power feeds with backup generators, and video surveillance.
- Through Zscaler’s global network of data centers and fail-over capabilities, Zscaler is able to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and services, and to restore availability of and access to personal data in a timely manner in the event of a physical or technical incident.
- Zscaler has an internal process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing of personal data.
- With prior written notice, and subject to certain Zscaler requirements and controls being in place, Zscaler permits its customers and partners to perform annual audits and automated inspections of its cloud.
- Zscaler will notify the data controller without undue delay after becoming aware of a personal data breach and will assist the data controller in reporting to supervisory authorities and affected data subjects any personal data breaches.
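The bullets above on obfuscating user IDs and on tokenizing Logs at the point of generation describe a pattern in which the stored log record and the token-to-identity index live in separate places, so neither alone reveals who a record is about. The following is an added illustration of that pattern in generic form; it is not Zscaler’s code and makes no claim about how Zscaler’s Nanolog or Central Authority actually implement it. The log lines, the tenant key, and the `LogTokenizer`, `tokenize_all`, `reidentify` and `leaks_identity` names are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample transaction log lines (not real Zscaler log data):
# timestamp, user ID from the corporate directory, client IP, URL.
SAMPLE_LOGS = [
    "2018-03-01T10:00:01Z alice@example.com 10.1.2.3 https://mail.example.com/inbox",
    "2018-03-01T10:00:05Z bob@example.com 10.1.2.4 https://news.example.org/",
    "2018-03-01T10:00:09Z alice@example.com 10.1.2.3 https://shop.example.net/cart",
]


def make_token(key: bytes, field: str, value: str) -> str:
    """Keyed pseudonym for one field value.

    HMAC rather than a plain hash: an unkeyed SHA-256 of a user ID can be
    reversed by hashing every entry in the corporate directory. The field
    name is mixed in so a user ID and an IP with identical text get
    different tokens.
    """
    mac = hmac.new(key, field.encode() + b"\x00" + value.encode(), hashlib.sha256)
    return mac.digest()[:12].hex()  # 96-bit token, collision-safe at log scale


class LogTokenizer:
    """Tokenizes identity fields at log-generation time.

    Tokenized records go to the log store. The per-tenant key and the
    token -> identity index are held separately (the 'central authority'
    role in the page's description). Neither store alone yields an identity.
    """

    def __init__(self, tenant_key: Optional[bytes] = None):
        self.key = tenant_key or secrets.token_bytes(32)
        self.index: dict = {}  # token -> (field, raw value)

    def tokenize(self, line: str) -> dict:
        ts, user, ip, url = line.split(" ", 3)
        user_tok = make_token(self.key, "user", user)
        ip_tok = make_token(self.key, "ip", ip)
        self.index[user_tok] = ("user", user)
        self.index[ip_tok] = ("ip", ip)
        # The URL is kept as-is here, mirroring the page's statement that URLs
        # are stored; in practice query strings can carry personal data too.
        return {"ts": ts, "user": user_tok, "ip": ip_tok, "url": url}


def tokenize_all(lines, tenant_key: Optional[bytes] = None):
    """Returns (records for the log store, index for the separate store)."""
    tok = LogTokenizer(tenant_key)
    records = [tok.tokenize(line) for line in lines]
    return records, tok.index


def reidentify(record: dict, index: dict) -> dict:
    """Recombine a stored record with the separately held index."""
    return {
        **record,
        "user": index[record["user"]][1],
        "ip": index[record["ip"]][1],
    }


def leaks_identity(records, identities) -> bool:
    """True if any raw identity string appears in the serialized log store."""
    blob = json.dumps(records)
    return any(ident in blob for ident in identities)


if __name__ == "__main__":
    recs, idx = tokenize_all(SAMPLE_LOGS)
    print(json.dumps(recs, indent=1))
    print(reidentify(recs[0], idx))
```

Two properties matter for a controller reviewing this kind of design: tokens are stable within a tenant (the same user yields the same token, so the logs stay useful for investigation and reporting), and a different tenant key produces unrelated tokens for the same user, so records cannot be correlated across tenants even if both log stores are exposed. The re-identification path exists only where the key and index are reachable, which is where access control and audit logging need to sit.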
Suggested Steps for GDPR Readiness
There are many different steps that organizations should take in anticipation of the GDPR effective date (May 25, 2018), which may include:
- Assembling a team responsible for GDPR compliance efforts
- Performing a GDPR readiness assessment (internal and/or through a third party)
- Creating a record of all personal data processing activities
- Obtaining, documenting, and maintaining a legal basis for all data processing activities
- Implementing appropriate policies and procedures to respond to data subjects' rights requests
- Reviewing and updating processor and sub-processor agreements
- Evaluating the requirements for a Data Protection Officer (DPO) and appointing one if required
- Updating your privacy and security policies and procedures
- Updating procedures and protocols regarding data breach notification
Helpful Links Regarding the GDPR
NOTE: While this site is designed to help organizations understand the GDPR in connection with Zscaler's services and products, the information contained herein should not be construed as legal advice, and organizations should consult their own legal counsel with respect to interpreting their unique obligations under the GDPR.