Our chief privacy officer and resident legal and GDPR experts weigh in on the EU General Data Protection Regulation (GDPR) enforcement that is just around the corner.
The European Union General Data Protection Regulation (GDPR) brings long-anticipated consistency to the data protection landscape in Europe. GDPR embodies the well-recognized privacy principles of transparency, fairness, and accountability. By introducing a risk-based approach, GDPR will enable innovation and participation in the global digital economy while respecting individual rights.
Cisco is committed to helping our customers and partners by protecting and respecting personal data, no matter where it comes from or where it flows. Cisco complies with mandatory privacy laws worldwide, and is working to be ready for the GDPR, which will be enforced as of 25 May 2018.
We have established long-standing security, data protection, and privacy programs. GDPR requirements have been incorporated into these existing programs, which already included many of the same requirements, derived from our commitments to comply with regulations, our customers' needs, and our own corporate code of conduct.
Cisco Data Protection Program
Our data protection program covers data throughout its lifecycle. It begins with security and privacy by design; governs collection, use, processing, and storage; addresses operational needs such as reporting and oversight; and ends with secure disposition or destruction at end of life.
Preparing for GDPR
For us, preparing for GDPR and addressing personal data handling requirements across different jurisdictions around the world has been primarily an exercise of program maturation and confirming alignment with industry best practices, customer demands, and regulatory requirements.
To support safe and lawful transfer of personal data across multiple jurisdictions, we were an early adopter and among the first to achieve Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system certification.
Transfer from EU to rest of the World
Cisco is certified under both the EU-US and Swiss-US Privacy Shield frameworks. We have also achieved approval of our EU Binding Corporate Rules, with policies fully aligned to GDPR.
As part of our privacy efforts, we are deepening our commitment to privacy engineering by embedding privacy by design/default principles in the development lifecycle of our offerings, starting from the ideation phase and including strengthened security controls.
Personal Data
Any information relating to an identified or identifiable natural person (i.e., the data subject).
Processing
Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Controller
The entity that determines the purposes and means of processing personal data and has the direct relationship with the individual data subjects (e.g., when handling employee data, Cisco acts as the Data Controller).
Data Processor
The natural or legal person processing personal data on behalf of the data controller. The GDPR has significantly changed the level of responsibility and accountability of the data processor. Under GDPR, data processors have direct liability and are directly subject to regulatory enforcement and civil actions. The GDPR also imposes statutory obligations on processors with regard to documenting processing activities, reporting data breaches to the data controller, deleting or returning personal data at the end of the engagement, and so on. Notably, when providing products and services to our customers, Cisco acts primarily as a data processor with respect to customer content.
Wider Territorial Reach
GDPR applies to Data Controllers and Data Processors (A) established in the EU or (B) located anywhere in the world when processing personal data in connection with offering goods or services to, or monitoring the behavior of, data subjects in the EU. The trigger is the data subject's presence "in the EU"; citizenship or residency is irrelevant.
Fines
Administrative fines are tiered: up to 2 percent of annual global turnover (or EUR 10 million, whichever is higher) for most infringements, and up to 4 percent of annual global turnover (or EUR 20 million, whichever is higher) for the most serious ones, such as violations of the basic processing principles, data subject rights, or international transfer rules.
Lead Supervisory Authority
Companies are accountable to the data protection authority (DPA) of the country of their main establishment in the EU, which acts as lead authority in cooperation with other relevant DPAs (the "one-stop shop" mechanism). For Cisco, our EU headquarters is in Amsterdam, so our "main establishment" is the Netherlands and the Dutch DPA is our lead authority.
Data Portability
Depending on the product or service and data involved, data subjects have the right to receive the personal data they supplied to a data controller in a structured, commonly used, machine-readable format, and to have it transmitted to another controller, so that they can easily change service providers.
Consent
Consent is one of several lawful bases for processing personal data, and GDPR sets a higher bar for it. Consent must be freely given, specific, fully informed, unambiguous, and revocable at any time, and the provision of goods or services cannot be made contingent on consent to processing that is not necessary for that service. As a result, valid consent has become harder to obtain, and businesses increasingly rely on other legal bases for processing, such as contractual necessity or legitimate interest.
Right to Erasure
Gives individuals the right to request the deletion of personal data relating to them when there are no legitimate grounds for retaining it.
Data Protection Impact Assessments
When processing is likely to result in a high risk to individuals, companies are now required to conduct (and document) a data protection impact assessment (DPIA). The DPIA evaluates the potential risk and impact that the personal data processing activities may have on the data subject's fundamental rights and freedoms, and defines how that risk will be managed. Where the DPIA shows that a high residual risk remains after mitigation, prior consultation with the relevant DPA is required.
Privacy by Design/Default
Privacy issues must be considered and addressed at the design phase of product and system development, not after launch. Privacy-protective functionality that appropriately limits data collection, processing, retention, and access must be designed into data-driven technology. And, to the extent privacy options are available, the default setting should be the more privacy-protective option.
Breach Notification
The GDPR sets out risk-based breach notification requirements. Data Controllers must notify: (a) the relevant Data Protection Authority (DPA) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; and (b) affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
If a Data Processor is involved and discovers a breach, it must notify the affected Data Controllers without undue delay, so that the controller's 72-hour clock can be met.
Data Processor’s Liability
Processors are directly accountable for compliance with data protection law. Data Controllers remain liable for damage caused by the processors they selected, unless they can prove they were not in any way responsible for the event that caused the damage.
Data Protection Officer (DPO)
Companies should appoint a Data Protection Officer and a team that is responsible and accountable for data protection. In some cases, depending on the sensitivity and scale of the personal data being processed (for example, large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data), appointing a DPO is mandatory.
Everything starts with setting a clear strategy and rules on how to process personal data. We have updated our existing privacy and data protection policies, internal standards, and governance with particular regard to the personal data lifecycle, individual rights, data breaches, data access, and security. This helps ensure data transparency, accuracy, accessibility, completeness, security, and consistency. The main principles of our policy are reflected in our privacy statement.
Identification, Classification, and Mapping
Knowing what data we hold is key to managing data appropriately and consistently. Through a cross-functional, company-wide effort, we inventory and map the data that each organization within Cisco processes. We also inventory our cloud-based products and services. This allows us to identify and understand what is going on with the data: what we have, how we are protecting it, what we are doing with it, where it is, where it flows, who has access to it, and why. It also allows us to classify data based on risk and sensitivity in context. We believe focusing on the outcome and purpose of processing leads to a better, more holistic risk profile.
To provide clarity and consistency in this process, Cisco maintains style guides for data identification and classification. Identification, classification, and mapping is an ongoing, iterative process that is a foundation for cybersecurity and privacy efforts across Cisco.
Data Risk and Organizational Maturity
Data risk management requires understanding the threats, threat actors, vulnerabilities, and risks associated with processing (e.g., collecting, exchanging, storing, deleting, and so on) the specific types of data we handle. We measure the effectiveness of policies, processes, and controls we implement to protect information.
Our risk management maturity assessment evaluates the current strengths and opportunities in the data protection practices of Cisco as an enterprise and of our individual business units. We identify and manage risks down to an acceptable level.
Cisco uses data mapping as a tool to determine where data is, who uses it, and how and where it is processed. The ability to answer these questions is a fundamental requirement of any Privacy Impact Assessment (PIA). Cisco applies this discipline to our own internal business processes, and we apply it during the design phase of Cisco offerings that process customer personal data (for example, see the privacy notices for Cisco WebEx, Jabber, and others in Supplemental Privacy Information).
In addition to data maps, Cisco performs a specialized form of risk assessment, customized for use in a privacy context. This privacy risk assessment is technical in the sense that it looks for vulnerabilities that might lead to exposure of personal data. The data risk assessment pairs data classes or types with the different stages of data usage. Data classification or typing and data usage stage (that is, data at rest, data in motion, and data in use) are determined during data mapping. Combining data types and stages lets us determine the vulnerabilities associated with each combination. There are four high-level categories of assessed vulnerabilities that we use in our analysis:
Each category utilizes different strategies for response, mitigation, control, and/or monitoring.
Once mapping and risk assessment are complete, we assign a technical data risk maturity level to a business unit. The current maturity level also factors in the following:
Compliance with the business requirements defined in the Oversight and Enforcement section is the minimum acceptable maturity level.
Data Incident Response
We have implemented a thorough, enterprise-wide data incident response process that is integrated with our business continuity processes. Our cross-functional incident response team consists of personnel from multiple departments. Members provide guidance and take responsibility for remedial actions based on their business function and role. A subgroup of the incident response team focuses on handling data breaches, which require a different management process because of their possible legal and regulatory implications, including the notification deadlines described above.
Oversight and Enforcement
Cisco deploys a centralized data protection governance model that oversees, monitors, and enforces adherence to policies and standards, including third-party controls, vendor oversight, monitoring, audit, and remediation. We developed our oversight and enforcement model based on the business requirements of customers, partners, and regulatory bodies, as well as our business strategy, competitive differentiation, and risk management goals.
Enforcement includes regular reporting of relevant metrics and risk reviews, and internal and external audits. We enforce data protection policies across all our business units and Cisco supply-chain vendors. We hold supply-chain vendors to strict cybersecurity, data protection, and privacy standards consistent with the standards set for all Cisco business units.
Privacy and Security Engineering
Cisco integrates data protection, privacy, and security requirements into product design and development methodologies from ideation through launch with the Cisco Secure Development Lifecycle (CSDL). CSDL has been part of product development at Cisco for more than 10 years. We have integrated privacy by design/default principles into Cisco engineering by updating CSDL to include them. In short, we use privacy engineering techniques to evaluate and build better offerings, turning privacy by design/default principles into actions and tangible product improvements.
Privacy engineering starts at project conception, with scoping against data privacy principles to maximize the offering's value while managing its risk given the technical and business requirements. As we design, we assess whether an offering processes personal data or other confidential data, and we make sure we embed privacy controls in the technology and processes of products and applications. Before releasing an offering, we verify that the controls are in place and update the data inventory. During operation of the offering, Cisco or the customer manages data subject requests and any data incidents. Any material change in data or data usage goes through the same CSDL cycle as the product matures.
Data Protection and Privacy Awareness for Employees
Cisco conducts a variety of multimedia (online, print, video, 3-D, etc.) campaigns throughout the year to raise awareness and train employees about data protection and privacy. We also maintain an active intranet for collaboration and communication at all levels within the company. Training topics include business conduct, data protection, security, privacy, and specialized training on GDPR and other laws. Beyond basic awareness training, Cisco encourages employees to pursue further training in all these areas, with options including websites, multimedia, self-paced courses, and relevant external certifications (e.g., Certified Information Privacy Professional (CIPP)/Europe for GDPR training). We believe that employee awareness and skills in these disciplines are vital to Cisco's long-term success.
Binding Corporate Rules (BCR)
Cisco's data protection and privacy policies, standards, and related documentation for Cisco as a data controller ("BCR-C", Binding Corporate Rules for Controllers) have been approved by the European data protection supervisory authorities. This approval demonstrates that Cisco's Data Protection & Privacy program is aligned with EU requirements, including GDPR. Cisco's BCR-C sets forth the mandatory, minimum standards for handling EU personal data by Cisco as a data controller. BCR-C approval serves as a legally valid transfer mechanism and commits Cisco to processing EU personal data in accordance with EU data protection standards anywhere in the world that Cisco operates.
EU-US and Swiss-US Privacy Shield
Cisco is certified under both frameworks, as set forth by the U.S. Department of Commerce, regarding the collection, use, processing, and cross-border transfer of personal data from the EU and Switzerland, respectively, to the United States. Cisco is committed to managing all personal data received from European Union (EU) member countries and Switzerland in compliance with the requirements of the EU-US and Swiss-US Privacy Shield Frameworks. Under these frameworks, Cisco is responsible for the processing of personal data it receives and subsequently transfers to a third party. Cisco complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions. To learn more about these Privacy Shield Frameworks, visit the U.S. Department of Commerce's Privacy Shield site.
Although external verification is not required under the Privacy Shield, Cisco has taken the extra step to have an independent third party review and confirm our compliance with the Framework’s requirements.
APEC Cross-Border Privacy Rules
The U.S. APEC Accountability Agent has certified that the Cisco global privacy program complies with the Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules System (CBPRs). The CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. For more information about the APEC Privacy Framework and CBPRs, see [www.cbprs.org]. Our certification applies to the business processes across our global operations that process and transfer personal information to and from our affiliates around the world.
Cisco Master Data Protection Agreement with EU Model Clauses
To protect the free movement of personal data (both Cisco's and Cisco's customers') as needed around the world, we have made available a Master Data Protection Agreement (MDPA), which we require from our suppliers and offer to our customers. This MDPA includes the EU Model Clauses, which can be inserted where applicable. The EU Model Clauses are standard contractual clauses approved by the European Commission for use in agreements by EU-based data controllers to transfer personal data outside the EU to a non-EU data processor safely and in compliance with EU requirements.
At its core, GDPR is about protecting personal data, whether at rest, in use, or in motion. To do so, you need to know what data you are collecting and processing, how you are collecting it, what you are doing with it and why, who is processing it and where, and how you are protecting it.
Know Your Data
Conduct a company-wide inventory and mapping of personal data. Pay special attention to who manages, builds, accesses, uses, corrects, deletes, or returns the data. Knowing what data you are collecting will help you determine your strategy. Knowing who is handling it will make data protection part of your culture and establish accountability.
Assess and Manage
Evaluate risks, strengths, and opportunities and establish governance for data usage and access.
Authorize and Secure
Protect personal data using security measures that prevent, detect, and respond to vulnerabilities and data breaches. Anticipate mistakes and negligence, not just bad actors. Build privacy controls into your technologies and processes to give data subjects notice and consent, visibility, and control over their personal data.
Create a security- and privacy-aware culture by involving everyone in your organization in protecting their own and your customers' personal data, including reporting data incidents. Threats, threat actors, vulnerabilities, and risks are constantly evolving. Awareness and ongoing updates are essential.
As we count down to May 25th, 2018 together, check back here for a new video each month until the deadline.
Learn with Tom Mueller, a young start-up CEO, as he works through the different aspects of GDPR and what they mean for his business and business operations.
Tom learns how he can be GDPR ready by implementing data accountability into his business.