In less than a year from now, on May 25, 2018, the EU General Data Protection Regulation (GDPR) will be enforced, significantly increasing potential fines and costs for data processing in EU member countries and anywhere EU personal data is processed.
GDPR replaces the existing patchwork of EU National Data Protection legislation and brings a degree of long-anticipated consistency to the data protection landscape in Europe. Essentially, GDPR legislatively embodies the well-recognized privacy principles of transparency, fairness, and accountability. GDPR also attempts to introduce a risk-based approach that enables innovation and participation in the global digital economy while respecting individual rights – which can be a very good thing.
In our view, the digital economy can only flourish when you connect people, process, data and things in an ethical, meaningful and secure way. That includes creating an environment in which everyone can easily do business and know their data is safeguarded. We are committed to helping our customers and partners by protecting and respecting personal data, no matter where it is from or where it flows.
What is Cisco doing to be GDPR-ready?
We are getting ready for GDPR in the following ways.
Our industry-leading data protection program includes:
Policies and Standards – Developing standards and processes to define the Personal Data lifecycle and help ensure data transparency, accuracy, accessibility, completeness, security, and consistency.
Identification, Classification and Mapping – Inventorying and mapping our data and identifying what we have, what we are doing with it, where it is, where it flows, and who has access to it. We classify data based on risk and sensitivity in context. That risk is data-led and person-led: while we do care about avoiding fines, we believe focusing on the outcome and purpose of processing leads to a better and more holistic risk profile.
Data Risk and Organizational Maturity – Focusing on understanding risks and conducting threat modeling for the unique data sets we process. Assessing the risks, strengths, and opportunities to understand our maturity against industry benchmarks and, where those do not yet exist, designing the benchmark ourselves.
Incident Response – Implementing an enterprise-wide, data incident response process that is integrated with our business continuity processes.
Oversight and Enforcement – Deploying a centralized data protection governance model that oversees, monitors, and enforces adherence to policies and standards, including third-party controls, vendor oversight, monitoring, audit, and remediation.
Privacy and Security by Design or Default – Integrating data protection, privacy, and security requirements into product design and development methodologies via the Cisco Secure Development Lifecycle. Embedding privacy requirements in the development cycle from ideation through launch to validation. In short, we use privacy engineering techniques to evaluate and build better offerings, turning privacy-by-design policies into actions and tangible improvements.
- International Transfer
We are certified under the EU-US and Swiss-US Privacy Shield frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, processing, and cross-border transfer of personal data from the EU and Switzerland to the United States. Cisco is also in the process of achieving approvals for our Binding Corporate Rules across the EU.
In addition, we have a publicly available Cloud Services EU Data Processing Addendum for cloud offerings that includes Standard Contractual Clauses to allow the transfer of personal data from the EU to the rest of the world.
- Third-party Audit and Certifications
Reinforcing our commitment to protect Cisco and our customers, we have obtained several third-party certifications for our products and services. For example, Cisco WebEx is ISO 27001, SSAE 16 and SOC 2 certified, and we have successfully completed ISO 27001 certification across our entire services business worldwide. With these certifications, our customers can be confident that we are protecting their data.
What you can do to get ready for GDPR
To fully protect personal data, you need to know what data you are collecting, how you are collecting it, what you are doing with it, who is processing it and where, and how you are protecting it – whether at rest, in use, or in motion.
Here are some recommendations to help you get ready.
Map – Conduct a company-wide inventory and mapping of personal data. Pay special attention to the “who”: Who manages? Who builds? Who accesses? Who corrects? Who deletes or returns? The “what” will determine your strategy. The “who” will make it a part of your culture and make data protection a part of your accountability profile.
Assess and Manage – Evaluate risks, strengths, and opportunities and establish governance for data usage and access.
Secure – Protect personal data with security measures capable of preventing, detecting, and responding to vulnerabilities and data breaches. Secure against the negligent and the mistaken as well as the “bad guys”.
Raise awareness – Create a security- and privacy-aware culture by involving everyone in your organization in protecting their own and your customers’ personal data, including reporting data breaches. Data protection obligations are as pervasive and constant as the data that flows through and across your networks. Awareness and regular refreshers are essential.
Join the Journey to GDPR
As part of our ongoing efforts to support the security, trust, privacy, and resilience of our customers, we are committed to securing their data. In the coming year we will continue to share our journey to assist you in your own efforts to be ready for GDPR. We’ve got this. Let’s GO!
For more information on how Cisco is preparing for GDPR, visit our Trust Center.
Excellent recommendations on what we can do to further socialize the message to our teams regarding awareness of the needed security culture.
Great overview!
Michelle, great post (and long time no talk)! Thanks in part to Cisco’s latest equity investment in HyTrust, we’ve acquired a data discovery and classification company (Data Gravity) to enhance our existing data encryption (with geo-fencing) solution for GDPR compliance simplification. Cisco itself, and Cisco customers, could potentially benefit from a combined Cisco+HyTrust solution. Shall we discuss further?