General Data Protection Regulation (GDPR) statement

Westcon International, Ltd. (Westcon) GDPR statement

1. What is GDPR?

The General Data Protection Regulation (GDPR) is the EU legal framework for handling and protecting the personal data of individuals within the European Union (EU). GDPR also governs the transfer of personal data outside the EU. Its primary goals are to give individuals in the EU control over their personal data and to simplify the regulatory environment for international business by replacing separate national rules with one regulation. GDPR replaces the Data Protection Directive (Directive 95/46/EC) of 1995 and has been enforceable since 25 May 2018.

2. What is personal data?

Personal data is any information relating to an identified or identifiable natural person. Obvious examples are your name, address, telephone number and email address. Personal data also includes information that, on its own or combined with other information, can single out a person, e.g. an IP address, a device identifier or a customer account number.

3. Westcon's Commitment to GDPR

Westcon, its subsidiaries and affiliates take the protection of personal data very seriously. Westcon is committed to protecting the confidentiality, integrity and availability of its customers’ information. Westcon understands its obligations under the GDPR and is prepared to meet them.

4. How Westcon addresses GDPR

Westcon addresses its GDPR obligations by protecting and managing personal information in a secure and consistent manner. To accomplish this, Westcon operates a comprehensive information security program built on three elements: people, process and technology.

  1. People

    Data protection by design is not optional under GDPR; it is a requirement. This starts with making everyone aware of GDPR, its implications and their individual responsibility for safeguarding personal data. As involvement and responsibilities vary amongst our personnel, training and awareness are tailored by role: basic GDPR training and awareness is mandatory for all users, while more in-depth training is given to those who handle personal data directly. Training is conducted on an ongoing basis. Westcon has appointed a Data Protection Officer (DPO) based in Germany and a Data Privacy Lead based in the United Kingdom. Westcon also evaluates its service providers for GDPR readiness. A dedicated team of information security professionals handles day-to-day information security activities. In the event of a personal data breach, our Computer Security Incident Response Team (CSIRT) is ready to be engaged, so that the breach can be contained, assessed and, where required, notified within the GDPR’s 72-hour window.

    Provider contracts have been reviewed, and clauses have been updated and agreed to include the specific terms required for processing carried out on Westcon’s behalf by a processor (the subject matter, duration, nature and purpose of the processing, the types of personal data, the processor’s security obligations and its duty to assist with breach notification and data subject requests), so that such processing meets the requirements of the GDPR.
     
  2. Process

    Comprehensive governance has been put in place to address GDPR’s heightened emphasis on accountability and transparency. These measures help minimize the risk of breaches and uphold the protection of personal data. Privacy Impact Assessments (PIAs) are an integral part of Westcon’s data protection by design approach. Legacy applications are put through the PIA process to identify and address any privacy risk. New applications are put through the PIA process while still in their design stages, where privacy risks can be addressed far more cheaply than after deployment.

    Westcon’s Global Privacy Policy (https://www.westconcomstor.com/global/en/privacy-policy/global_privacy_policy.html) explains our practices related to personal data privacy and security including:
    • Types of personal information we collect;
    • How we use the information;
    • With whom we share it;
    • Rights you may have about the use of your personal information;
    • Security measures we implement to protect the security of your information; and
    • How you can contact us about our privacy practices.

     
  3. Technology

    Connectivity to our applications occurs over TLS (HTTPS). Application servers reach the databases only through restricted Access Control Lists (ACLs), so that a database accepts connections solely from the application tier that needs it. Access is granted on a least-privilege, need-to-know basis and is reviewed on a regular cycle so that entitlements are revoked when a role changes or an account is no longer needed.

    Our data centers hold SOC 2 Type I and Type II attestation reports and are certified to ISO/IEC 27001. Physical access to the data center facilities is strictly controlled with multiple layers of defense including (but not limited to) alarms, CCTV, locked cages, biometric scanners and guard stations manned 24/7. Redundant firewalls and load balancers distribute traffic across multiple servers. Information is replicated in real time between data centers over an encrypted channel, and backups are performed regularly for business continuity purposes. All replicated and backup data is stored in encrypted form. Data is retained in accordance with Westcon’s documented retention schedule and disposed of when the retention period ends.

    Westcon operates an Information Security Management System (ISMS): the set of policies, risk assessments, controls and review processes through which information security is governed, monitored and continually improved. Westcon’s Information Security Policies are based on the controls defined in ISO/IEC 27002. In addition to fields such as Data Classification and Business Criticality, Westcon’s asset inventory database captures specific fields for data privacy management purposes, such as whether a system stores personal data, so that privacy obligations can be tracked per system.

    Numerous proactive measures are taken to protect systems and data. Along with the firewalls and backups described above, technologies such as anti-virus and anti-malware software, encryption at disk and file level, and automated patching are deployed. Our systems are scanned for vulnerabilities monthly, with findings remediated according to their severity, and compliance audits are performed regularly.