What is Cisco doing to be GDPR-ready? And how we can help.
Cisco are getting ready for GDPR in the following ways.
Our industry-leading data protection program includes:
Policies and Standards – Developing standards and processes to define the Personal Data lifecycle and help ensure data transparency, accuracy, accessibility, completeness, security, and consistency.
Identification, Classification and Mapping – Inventorying and mapping our data and identifying what we have, what we are doing with it, where it is, where it flows, and who has access to it. We classify data based on risk and sensitivity in context. That risk assessment is data-led and person-led: while we do care about avoiding fines, we believe focusing on the outcome and purpose of processing leads to a better and more holistic risk profile.
Data Risk and Organizational Maturity – Focusing on understanding risks and conducting threat modeling for unique data sets we process. Assessing the risks, strengths, and opportunities to understand maturity against industry benchmarks and, where those do not yet exist, we design the benchmark.
Incident Response – Implementing an enterprise-wide, data incident response process that is integrated with our business continuity processes.
Oversight and Enforcement – Deploying a centralized data protection governance model that oversees, monitors, and enforces adherence to policies and standards, including third-party controls, vendor oversight, monitoring, audit, and remediation.
Privacy and Security by Design or Default – Integrating data protection, privacy, and security requirements into product design and development methodologies via Cisco Secure Development Lifecycle. Embedding privacy requirements in the development cycle from ideation to launch, to validation. In short, we use privacy engineering techniques to evaluate and build better offerings to turn privacy by design policies into actions and tangible improvements.
International Transfer – We are certified under the EU-US and Swiss-US Privacy Shield frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, processing, and cross-border transfer of personal data from the EU and Switzerland to the United States. Cisco is also in the process of achieving approvals for our Binding Corporate Rules across the EU. In addition, we have a publicly available Cloud Services EU Data Processing Addendum for cloud offerings that includes Standard Contractual Clauses to allow the transfer of personal data from the EU to the rest of the world.
Third-party Audit and Certifications – Reinforcing our commitment to protect Cisco and our customers, we have obtained several third-party certifications for our products and services. For example, Cisco WebEx is ISO 27001, SSAE-16 and SOC2 certified, and we have successfully completed the ISO 27001 certification across our entire services business worldwide. With these certifications, our customers can be confident that we are protecting their data.
What you can do to get ready for GDPR.
To fully protect personal data, you need to know what data you are collecting, how you are collecting it, what you are doing with it, who is processing it and where, and how you are protecting it – whether at rest, in use, or in motion.
Here are some recommendations to help you get ready.
Map – Conduct a company-wide inventory and mapping of personal data. Pay special attention to the “who”: Who manages? Who builds? Who accesses? Who corrects? Who deletes or returns? The “what” will determine your strategy. The “who” will make it a part of your culture and make data protection a part of your accountability profile.
Assess and Manage – Evaluate risks, strengths, and opportunities and establish governance for data usage and access.
Secure – Protect personal data with security measures capable of preventing, detecting, and responding to vulnerabilities and data breaches. Secure the negligent and mistaken as well as the “bad guys”.
Raise awareness – Create a security and privacy-aware culture by involving everyone in your organization in protecting their own and your customers’ personal data, including reporting data breaches. Data protection obligations are as pervasive and constant as currencies that flow through and across the networks. Awareness and fresh updates are essential.