Security and Compliance

General Data Protection Regulation (GDPR)

The European Union (EU) General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is intended to strengthen and unify data privacy rights for EU data subjects. It replaces the EU Data Protection Directive (95/46/EC) with a single regulation that applies directly in every member state from May 25, 2018. The GDPR retains much of the former Directive but adds new requirements and applies more broadly than existing EU privacy laws, including to organizations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU.

Under the GDPR, Virtustream, a Dell Technologies Business, may act as a data processor, processing personal data on behalf of a data controller that offers goods and services to data subjects (individuals) located in the EU. Virtustream cloud services and software will be ready to comply with the GDPR when it takes effect on May 25, 2018.

Virtustream Helps Customers Better Manage Security and Privacy Risk

Virtustream partners closely with Dell’s Global Privacy Office to protect the privacy of our customers around the world. Dell’s global privacy program is focused on ensuring the proper use and disclosure of our customers’ personal data and on fostering a culture that values privacy through awareness.

High Risk Obligations

Summarized below are some of the high-risk GDPR obligations that Virtustream can help an organization manage more effectively and efficiently.

Data Security and Incident Management

Data security and incident management require an organization to have appropriate technical and organizational security controls and procedures in place to protect the personal data it processes. They also require the organization to notify the competent EU supervisory authority of a personal data breach (within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to data subjects) and to notify the affected data subjects when the breach is likely to result in a high risk to their rights and freedoms.

Virtustream cloud services and software that help organizations address GDPR compliance obligations in this area include:

  • Virtustream Enterprise Cloud / Virtustream Healthcare Cloud, powered by the Virtustream xStream Cloud Management Platform, supports security and compliance with tools that assist with continuous auditing and reporting on data stored in Virtustream cloud IaaS, and includes security information and event management (SIEM) and GRC tools that collect and analyze data. Examples of Virtustream Enterprise Cloud compliance offerings, attestations, and certifications include: SSAE18/ISAE3402/SOC2, PCI-DSS 3.1, ISO 27001:2013, ISO 9001:2015, ISO 22301:2012, HIPAA/HITECH/HITRUST.
  • Virtustream Storage Cloud hyper-scale storage platform provides enterprise-class cloud storage with built-in resiliency for secure seamless cloud-tiering from on-premises storage and backup to cloud, and for scalable object storage for cloud-native applications. Examples of Virtustream Storage Cloud compliance offerings, attestations, and certifications include: SSAE18/SOC1/SOC2/SOC3, CSA-CCM, CJIS, NIST 800-171, PCI-DSS 3.2, ISO 27001:2013, and HIPAA/HITECH.
  • Virtustream Viewtrust provides out-of-the-box enterprise risk management (ERM) and continuous monitoring capabilities that enable customers to see a near real-time view of cybersecurity risk across the entire enterprise. In support of the GDPR provisions, it unifies data from numerous complex sources, regardless of location, and integrates that data into a drill-down representation of the customer's organization, business relationships, and systems. The identified risks are quantified, weighted according to impact, and presented from summary data at the executive level down to raw data at the operational level. Viewtrust enables proactive decision-making and remediation of risks, in a manner that is consistent, efficient, and actionable.

Accountability Principle

The accountability principle means that an organization must be able to demonstrate that it complies with the GDPR data protection principles. Virtustream cloud services and software that help organizations address GDPR compliance obligations in this area include:

  • Virtustream Enterprise Cloud / Virtustream Healthcare Cloud / Virtustream Storage Cloud have been assessed by a retained independent audit firm to verify that security policies and practices will be consistent with GDPR requirements when the regulation takes effect. As a general practice, Virtustream provides independent third-party security certifications and attestation reports under a non-disclosure agreement (NDA) so that customers can quickly verify the effective operation of specific security controls.
  • Virtustream Viewtrust enables customers to manage and document their compliance efforts related to the provisions of the GDPR.

CISPE (Cloud Infrastructure Providers in Europe)

CISPE is a coalition of cloud infrastructure providers doing business in the EU. The CISPE Code of Conduct assures customers that providers declared compliant with the Code, such as Virtustream, apply data protection standards consistent with the requirements laid out in the GDPR. In addition, the Code requires providers to offer customers the option of having their data stored and processed exclusively within the EU/EEA, and it prohibits providers from using customer data for their own purposes, such as data mining or profiling for marketing.

Data Center Locations

Virtustream offers a choice of data center locations within the European Economic Area.

  • Virtustream Enterprise Cloud: includes the UK, Germany, France, and the Netherlands
  • Virtustream Storage Cloud: includes the UK, Germany, and the Netherlands

See a complete list of global infrastructure locations.

Download the Virtustream GDPR Data Sheet

Read the Virtustream GDPR White Paper