Cisco Spark and GDPR. Thomas Flambeaux. Collaboration Consulting Solution Engineer, Security and Compliance. Cisco Connect 2018 Copenhagen April 12th


Once upon a time.

GDPR to prevent such abuses

General Data Protection Regulation (GDPR)
- Compliance mandate from May 25, 2018
- Repeals Directive 95/46/EC and its national implementations
- Not a certification
- No obligation to store data in the EU
- Individual rights
- Potential fines
- A board-level issue
- 99 articles of law

Terminology (1/2)
- Regulation: has binding legal force throughout every Member State and enters into force on a set date in all Member States.
- Directive: describes the results to be achieved, but each Member State is free to decide how to transpose it into national law.
- Controller: the entity that determines the purposes and means of the processing of personal data; ultimately responsible for compliance.
- Processor: an entity engaged by the controller to process data on its behalf for a given purpose; processing covers collection, recording, storage, encryption, access, ... through to destruction.
- Data subject: the individual from whom the controller or processor obtains personal data.

Terminology (2/2)
- DPO: Data Protection Officer
- DPA: Data Protection Authority, the public body that enforces data protection law (a list of the EU DPAs is published by the Commission)
- Working Party 29 (WP29): founded in 1996 under Article 29 of Directive 95/46/EC, with members from the Member State DPAs and the EU Commission; advises the Member States and promotes legislation, issues opinions to the Commission and recommendations to the public, and publishes guidelines (e.g. on privacy impact assessments and data portability)

Personal Data
- Any information identifying a natural person, directly or indirectly; also known as personally identifiable information (PII)
- GDPR defines personal data broadly (pictures, geolocation, ...)
- Companies may keep their own data categories (administrative, customer, support data), but personal data cuts across all of them
- The European Court of Justice has ruled that an IP address can be personal data
- Purpose limitation, data minimisation, retention periods and security all apply, with stricter requirements for sensitive PII

GDPR at a glance
- Harmonisation: harmonised rules, one-stop shop, risk-based approach, less administrative burden
- Broader scope: controller and processor obligations, extraterritorial application, wider data type definitions
- Increased obligations: accountability, records of processing, privacy impact assessment, privacy by design
- Stronger individual rights: right to erasure, data portability, explicit consent, parental consent
- Increased enforcement: regulatory fines, individual and class action, breach notification, processor obligations

Cross-border Transfers (1/3)
- EU data protection law prohibits transfers of personal data outside the EU (28 Member States) plus the 3 European Economic Area countries (Norway, Liechtenstein, Iceland), unless an adequate level of personal data protection applies: USA (under Privacy Shield), New Zealand, Argentina, Switzerland, ... (see the Commission's complete list of adequacy decisions)
- EU-USA: Privacy Shield
- Replaced Safe Harbor, which the ECJ invalidated in the Max Schrems case
- Companies self-certify with the US Department of Commerce, which can take legal action against them
- Must publish a privacy policy
- Annual review (the last one in October 2017)
- La Quadrature du Net questions the complaint mechanism; CNNum and the DPAs question data access by US authorities; the European Commission is satisfied with the safeguards in PPD-28

Cross-border Transfers (2/3)
Not on the adequacy list, or not trusting Privacy Shield?
- Option 1: Model Clauses (also known as Standard Contractual Clauses, SCC), which contain:
  - a set of obligations for all parties (Cisco WebEx TAC, as processor, has signed Model Clauses)
  - a description of the personal data, with all data types specified (Cisco Cloud EU Data Processing Addendum)
  - a description of organisational security measures
- The templates come from the European Commission; a company using its own clauses needs DPA approval for them

Cross-border Transfers (3/3)
- Option 2: Binding Corporate Rules (BCR)
- Internal rules (such as a Code of Conduct) adopted by a multinational group to transfer personal data within the group to entities located in countries with or without an adequate level of protection
- Must be approved by a DPA; considered the highest standard a company can achieve
- Data Protection Authorities in Europe have approved Cisco's BCRs: the authorities reviewed Cisco's Global Privacy Policies and Procedures and determined that Cisco protects customer and HR personal data in accordance with EU requirements (namely GDPR) wherever it flows within the global organisation, including outside the EU
- Usually a very lengthy process (average timeframe 2 years) requiring close partnership with many DPAs across Europe; Cisco achieved it in less than 8 months

Expected evolutions and challenges
- WP29 becomes the European Data Protection Board, which will give advice and guidance on EU-wide codes of conduct and certification (Art. 40-43)
- Brexit: the latest UK legislative draft is consistent with GDPR; will the UK join the adequacy list over time?
- Is intellectual property personal data?
- Clarifications on data breaches
- And what about conflicting local laws?

Conflicting local laws
- France: HDS (Hébergeur de données de santé). Health personal data may only be hosted by certified companies, though not necessarily stored in France. Law of 2002; certification approach since 2016, based on ISO 27001 and ISO 27018.
- Denmark: authorisation from the Danish DPA is required to transfer sensitive data abroad (Persondataloven 2.0 enters into force in May).
- GDPR already treats health PII as sensitive data, so what about obtaining a second opinion overseas? Such national restrictions should go away with GDPR.

Cisco Spark compliance

PII governance
- Cisco Trust Center: how does Cisco securely transfer and store data outside of the EU? All GDPR transfer mechanisms approved
- Privacy data sheets: what personal information is collected, for how long, and for what purpose?

Minimisation: retention policy
- Administrator-defined retention policy
- Default retention period: indefinite (subject to storage limits)
- Configurable retention period: 1 to 120 months
- https://admin.ciscospark.com/settings
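The retention setting above is a single number, but enforcing it is where mistakes happen: an indefinite default must purge nothing, the 1-120 range must be validated, and month arithmetic must cope with month-end dates. The following is an added example, not Cisco's code; the message layout, the parse_ts helper and the sample messages are assumptions constructed for illustration.

```python
"""Added example, not Cisco's code: enforcing an administrator-defined retention
period over stored messages. It models the slide's settings (default indefinite,
configurable 1 to 120 months); the message layout and parse_ts are assumptions.
"""
import calendar
from datetime import datetime, timezone

MIN_MONTHS, MAX_MONTHS = 1, 120     # configurable range from the slide
INDEFINITE = None                   # the default: keep until storage limits bite


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2018-04-12T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_retention(months):
    """Accept None (indefinite) or an integer number of months within range."""
    if months is INDEFINITE:
        return INDEFINITE
    if isinstance(months, bool) or not isinstance(months, int):
        raise ValueError("retention must be an integer number of months or None")
    if not MIN_MONTHS <= months <= MAX_MONTHS:
        raise ValueError(f"retention must be between {MIN_MONTHS} and {MAX_MONTHS} months")
    return months


def subtract_months(when: datetime, months: int) -> datetime:
    """Calendar-month arithmetic: 31 March minus one month is 28 (or 29) February,
    not an error, so a policy evaluated on a month-end day still has a cutoff."""
    year, month = when.year, when.month - months
    while month <= 0:
        year -= 1
        month += 12
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def retention_cutoff(now: datetime, months):
    """Oldest creation time still retained, or None when retention is indefinite."""
    months = validate_retention(months)
    if months is INDEFINITE:
        return None
    return subtract_months(now, months)


def select_expired(messages, now: datetime, months):
    """Ids of messages created before the cutoff (nothing when indefinite).
    Each message is a dict with 'id' and an ISO 'created' timestamp."""
    cutoff = retention_cutoff(now, months)
    if cutoff is None:
        return []
    return [m["id"] for m in messages if parse_ts(m["created"]) < cutoff]


# Constructed sample data, not real Spark content.
SAMPLE_MESSAGES = [
    {"id": "m1", "created": "2018-01-11T09:00:00Z"},
    {"id": "m2", "created": "2018-01-13T09:00:00Z"},
    {"id": "m3", "created": "2018-04-12T09:00:00Z"},
]

if __name__ == "__main__":
    now = parse_ts("2018-04-12T12:00:00Z")
    print("expired with 3-month retention:", select_expired(SAMPLE_MESSAGES, now, 3))
    print("expired with indefinite retention:", select_expired(SAMPLE_MESSAGES, now, None))
```

The cutoff is computed in calendar months rather than 30-day blocks so that "3 months" means the same thing an administrator reads in the settings page, and the validation rejects booleans (which Python would otherwise accept as integers) along with out-of-range values.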

PII security: identity obfuscation
- Spark logically and physically separates functional components within the cloud (microservices architecture): the Identity Service (Data Center A), the Key Management Service (Data Center B), and the Content Server, Indexing Service and Compliance Service, each in its own data center (C, D, E)
- Only the Identity Service holds real user identities. All other components use a 128-bit Universally Unique Identifier (UUID), so no real identity information transits through, or is stored in, any other part of the cloud.
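To make the separation concrete, here is an added example (not Cisco's code) of the pattern: one service owns the UUID-to-identity mapping, every other service stores only the random UUID, and a dump of the content store alone yields no e-mail address or name. Service names, record layouts and the sample users are assumptions constructed for illustration.

```python
"""Added example, not Cisco's code: the identity-obfuscation pattern from the
slide. Only the identity service holds real identities; the content, indexing
and compliance services see nothing but random 128-bit UUIDs. Service names,
record layouts and sample users are assumptions.
"""
import json
import uuid


class IdentityService:
    """Sole holder of the UUID <-> real identity mapping."""

    def __init__(self):
        self._by_email = {}
        self._by_uuid = {}

    def register(self, email: str, display_name: str) -> str:
        """Return the user's UUID, minting one on first sight. uuid4 is random
        (os.urandom), so the id carries no structure derived from the identity."""
        user_id = self._by_email.get(email.lower())
        if user_id is None:
            user_id = str(uuid.uuid4())
            self._by_email[email.lower()] = user_id
            self._by_uuid[user_id] = {"email": email, "display_name": display_name}
        return user_id

    def resolve(self, user_id: str) -> dict:
        """For authorised callers only (e.g. the compliance service)."""
        return dict(self._by_uuid[user_id])

    def identity_values(self) -> list:
        """Every real identity value held, used below to audit an export."""
        return [v for entry in self._by_uuid.values() for v in entry.values()]

    def forget(self, email: str) -> bool:
        """Erasure of the identity: drop the mapping, so content keyed by the
        orphaned UUID can no longer be attributed to a person."""
        user_id = self._by_email.pop(email.lower(), None)
        if user_id is None:
            return False
        del self._by_uuid[user_id]
        return True


class ContentServer:
    """Stores messages keyed by sender UUID; never receives an e-mail or name."""

    def __init__(self):
        self.messages = []

    def post(self, sender_id: str, room_id: str, text: str) -> dict:
        record = {"id": str(uuid.uuid4()), "sender": sender_id, "room": room_id, "text": text}
        self.messages.append(record)
        return record

    def export(self) -> str:
        """What a dump (or a breach) of this service alone would reveal."""
        return json.dumps(self.messages, sort_keys=True)


def identities_in_export(export: str, identity: IdentityService) -> list:
    """Audit: does the content export contain any real identity value?"""
    return [value for value in identity.identity_values() if value in export]


def attribute_for_compliance(content: ContentServer, identity: IdentityService) -> list:
    """Join content with identities; only the compliance service may do this."""
    return [{**m, "sender": identity.resolve(m["sender"])["email"]} for m in content.messages]


def build_sample():
    """Constructed demo data, not real Spark content."""
    identity, content = IdentityService(), ContentServer()
    joe = identity.register("joe@acme.com", "Joe Bloggs")
    ann = identity.register("ann@acme.com", "Ann Lee")
    content.post(joe, "room-1", "Draft of the Q3 roadmap attached")
    content.post(ann, "room-1", "Thanks, reviewing now")
    return identity, content


if __name__ == "__main__":
    identity, content = build_sample()
    print("content export:", content.export())
    print("identity values leaked:", identities_in_export(content.export(), identity))
```

The caveat the slide implies but does not state: the UUID protects the metadata (who said what to whom), not personal data a user types into the message body itself. That body is what the Key Management Service and the DLP integrations on the following slides are for.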

Data leakage: strong authentication
- No additional set of credentials
- Moving away from passwords
- Multi-factor authentication
- Restricted set of devices
- Access restricted to the corporate network
- Flow: (1) login as joe@acme.com, (2) redirect to the IdP, (3) login at the IdP, (4) yes/no
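The four-step flow is easiest to reason about as an exchange in code. The following is an added example and not Cisco's or any identity vendor's implementation: the collaboration service issues a login request, the corporate IdP checks password, second factor, device and source network, and answers with a signed assertion that the service accepts exactly once. An HMAC-signed JSON assertion stands in for SAML or OIDC; the shared key, users, networks and devices are constructed test data, and the static OTP is a stand-in for a real TOTP check.

```python
"""Added example, not Cisco's or any IdP vendor's code: the four-step login on
the slide (1 login as joe@acme.com, 2 redirect to the IdP, 3 authenticate
there, 4 yes/no), with the IdP enforcing a second factor, a device allow-list
and corporate-network-only access. HMAC-signed JSON stands in for SAML/OIDC;
key, users, networks, devices and the static OTP are constructed stand-ins.
"""
import hashlib
import hmac
import ipaddress
import json
import secrets
import time

ASSERTION_TTL = 300  # seconds an assertion stays acceptable


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _sign(key: bytes, claims: dict) -> str:
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Corporate IdP: the only party that ever sees a password."""

    def __init__(self, key: bytes, corp_networks, allowed_devices):
        self.key = key
        self.corp_networks = [ipaddress.ip_network(n) for n in corp_networks]
        self.allowed_devices = set(allowed_devices)
        self.users = {}

    def add_user(self, email: str, password: str, otp: str):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": _kdf(password, salt), "otp": otp}

    def authenticate(self, request, email, password, otp, device_id, src_ip):
        """Steps 3 and 4: check every factor, then answer with a signed 'yes'
        bound to this request, or a 'no' carrying the reason."""
        user = self.users.get(email)
        if user is None or not hmac.compare_digest(_kdf(password, user["salt"]), user["hash"]):
            return {"ok": False, "reason": "bad credentials"}
        if not hmac.compare_digest(otp, user["otp"]):            # multi-factor
            return {"ok": False, "reason": "mfa failed"}
        if device_id not in self.allowed_devices:                # restricted devices
            return {"ok": False, "reason": "device not enrolled"}
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.corp_networks):   # corporate network only
            return {"ok": False, "reason": "off-network access denied"}
        now = int(time.time())
        claims = {"sub": email, "aud": request["audience"],
                  "in_response_to": request["request_id"], "iat": now, "exp": now + ASSERTION_TTL}
        return {"ok": True, "claims": claims, "sig": _sign(self.key, claims)}


class ServiceProvider:
    """The collaboration service: issues requests and consumes assertions,
    so it stores no password and no additional set of credentials."""

    def __init__(self, key: bytes, entity_id: str):
        self.key = key
        self.entity_id = entity_id
        self.pending = {}   # request_id -> e-mail the user typed

    def start_login(self, email: str) -> dict:
        """Steps 1 and 2: record the attempt and hand the user to the IdP."""
        request_id = secrets.token_hex(16)
        self.pending[request_id] = email
        return {"request_id": request_id, "audience": self.entity_id}

    def consume(self, response: dict, now=None) -> bool:
        """Accept an assertion exactly once: valid signature, our audience,
        unexpired, and matching an outstanding request (popped on use, so a
        replayed assertion is refused)."""
        if not response.get("ok"):
            return False
        claims, sig = response["claims"], response["sig"]
        if not hmac.compare_digest(_sign(self.key, claims), sig):
            return False
        if claims.get("aud") != self.entity_id:
            return False
        if (now if now is not None else time.time()) > claims["exp"]:
            return False
        expected = self.pending.pop(claims.get("in_response_to"), None)
        return expected is not None and expected == claims["sub"]
```

The checks in consume are ordered so that nothing is consumed from the pending table until the assertion has been proven authentic and fresh: a forged or expired assertion cannot burn a legitimate outstanding request.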

Data leakage: Events API
- The API enables polling for events and content, so organisations can monitor and correct user behaviour and prevent the loss of sensitive data
- Cisco Spark Events API -> third-party DLP or CASB integrations (third-party vendor software)
- Corrective action policies: delete content, alert user or admin
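What a DLP integration built on that polling model actually does is shown by the added example below. It is not Cisco's code and not a real CASB product: it keeps a cursor so each poll only inspects new events, detects card numbers with a regex plus a Luhn check (so a ticket number does not trigger a deletion), and emits the corrective actions from the slide. The event records are constructed to resemble the Events API shape (id, resource, type, actorId, created, data) and are not captured traffic.

```python
"""Added example, not Cisco's code and not a real CASB product: a DLP poller
over an events feed shaped like the Spark Events API. Cursor-based polling,
regex + Luhn detection of card numbers, and the slide's corrective actions.
The events at the bottom are constructed, not captured.
"""
import re

# 13-19 digits with optional single spaces or dashes, not embedded in a longer run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Candidate digit runs that also pass Luhn; other long numbers are ignored."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


class DlpPoller:
    """Polls the events feed and turns violations into corrective actions."""

    def __init__(self, alert_admin: bool = True):
        self.cursor = ""            # 'created' of the newest event seen (ISO-8601 sorts lexically)
        self.alert_admin = alert_admin

    def poll(self, events):
        """Only events newer than the cursor, oldest first; then advance the cursor."""
        fresh = sorted((e for e in events if e["created"] > self.cursor), key=lambda e: e["created"])
        if fresh:
            self.cursor = fresh[-1]["created"]
        return fresh

    def inspect(self, event):
        """Policy: a created message containing a valid card number is a violation.
        Deleted messages and file-only messages carry no text to inspect."""
        if event["resource"] != "messages" or event["type"] != "created":
            return []
        text = event["data"].get("text") or ""
        return find_card_numbers(text)

    def run(self, events):
        """One polling cycle: returns the corrective actions to carry out."""
        actions = []
        for event in self.poll(events):
            hits = self.inspect(event)
            if not hits:
                continue
            message_id = event["data"]["id"]
            reason = f"{len(hits)} card number(s) in message {message_id}"
            actions.append({"action": "delete", "message_id": message_id})
            actions.append({"action": "alert_user", "user_id": event["actorId"], "reason": reason})
            if self.alert_admin:
                actions.append({"action": "alert_admin", "reason": reason})
        return actions


# Constructed events shaped like the Events API, not captured from it.
SAMPLE_EVENTS = [
    {"id": "ev1", "resource": "messages", "type": "created", "actorId": "u-joe",
     "created": "2018-04-12T10:00:00.000Z",
     "data": {"id": "m1", "roomId": "r1", "text": "Ticket 1234567890123 is still open"}},
    {"id": "ev2", "resource": "messages", "type": "created", "actorId": "u-ann",
     "created": "2018-04-12T10:00:05.000Z",
     "data": {"id": "m2", "roomId": "r1", "text": "Card: 4111 1111 1111 1111, exp 12/20"}},
    {"id": "ev3", "resource": "messages", "type": "deleted", "actorId": "u-ann",
     "created": "2018-04-12T10:00:09.000Z",
     "data": {"id": "m2", "roomId": "r1"}},
    {"id": "ev4", "resource": "messages", "type": "created", "actorId": "u-joe",
     "created": "2018-04-12T10:00:12.000Z",
     "data": {"id": "m3", "roomId": "r1", "files": ["https://example.invalid/f"]}},
]

if __name__ == "__main__":
    poller = DlpPoller()
    for action in poller.run(SAMPLE_EVENTS):
        print(action)
```

Two properties matter operationally: a second run over the same feed returns no actions because the cursor has advanced, so the poller can be restarted safely, and the Luhn filter keeps the thirteen-digit ticket number in the first message from being deleted as a false positive.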

Data Loss Prevention and archival integrations (Cisco Advanced Services offering; in progress).

Data leakage: blocking messaging to other companies

Data leakage: corporate accounts only
- Block non-corporate accounts while on the corporate network
- Reduces the risk of data loss
- Requires the Pro Pack
- Only whitelisted domains can be used

Data leakage: customised web client idle timeout
The administrator can define two idle timeout settings: one for when the user is on the company network and one for when the user is on a public network. The customer can choose a shorter timeout for the public network than for the company network. The web client runs an idle timeout check and requires a re-login if the user has been idle for longer than the applicable setting.
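Both of the preceding controls, the domain whitelist that applies only on the corporate network and the network-dependent idle timeout, hinge on the same decision (is this client on the company network?) and on getting the domain match right. The added example below (not Cisco's code) puts both in one policy object. Networks, domains and timeout values are constructed, and deciding "corporate network" by source address is an assumption about how a client would tell the two cases apart.

```python
"""Added example, not Cisco's code: one policy object for two client controls,
whitelisted account domains enforced while on the corporate network and an
idle timeout chosen by network. Networks, domains and timeouts are constructed;
the source-address test for 'corporate network' is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientPolicy:
    corp_networks: tuple        # CIDR strings that count as 'in company network'
    allowed_domains: tuple      # whitelisted account domains (Pro Pack feature)
    idle_timeout_corp: int      # seconds before re-login on the company network
    idle_timeout_public: int    # seconds before re-login elsewhere, typically shorter

    def on_corporate_network(self, src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(n) for n in self.corp_networks)

    @staticmethod
    def account_domain(email: str) -> str:
        """Lower-cased domain part, or '' for a malformed address."""
        local, at, domain = email.rpartition("@")
        return domain.lower() if at and local and domain else ""

    def domain_allowed(self, email: str) -> bool:
        """Exact or sub-domain match; 'acme.com.evil.org' must not pass for 'acme.com'."""
        domain = self.account_domain(email)
        return bool(domain) and any(
            domain == d or domain.endswith("." + d) for d in self.allowed_domains
        )

    def account_allowed(self, email: str, src_ip: str) -> bool:
        """Block non-corporate accounts only while the client is on the corporate
        network; off-network, the slide's control does not apply."""
        if not self.on_corporate_network(src_ip):
            return True
        return self.domain_allowed(email)

    def idle_timeout(self, src_ip: str) -> int:
        if self.on_corporate_network(src_ip):
            return self.idle_timeout_corp
        return self.idle_timeout_public

    def needs_relogin(self, last_activity: float, now: float, src_ip: str) -> bool:
        """The web client's idle check: idle for longer than the applicable setting."""
        return now - last_activity > self.idle_timeout(src_ip)


# Constructed policy for illustration.
EXAMPLE_POLICY = ClientPolicy(
    corp_networks=("10.0.0.0/8", "192.168.0.0/16"),
    allowed_domains=("acme.com",),
    idle_timeout_corp=8 * 3600,
    idle_timeout_public=15 * 60,
)

if __name__ == "__main__":
    for email, ip in [("joe@acme.com", "10.1.2.3"), ("bob@gmail.com", "10.1.2.3"),
                      ("bob@gmail.com", "203.0.113.5"), ("eve@acme.com.evil.org", "10.1.2.3")]:
        print(email, ip, "allowed" if EXAMPLE_POLICY.account_allowed(email, ip) else "blocked",
              "timeout", EXAMPLE_POLICY.idle_timeout(ip))
```

The sub-domain check uses a leading dot on purpose: a plain suffix test would let an attacker-controlled "acme.com.evil.org" account through the whitelist, which is the kind of mistake that turns a data-loss control into a false sense of safety.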

Consent: customised Terms of Service
Customers can customise their ToS, which an employee or user must accept before using the Spark app. The enterprise admin uploads a Terms of Service document from the management interface. All Spark clients (web, mobile, desktop) require the user to accept the ToS the first time they use Spark; once the user clicks Accept, they can proceed. The ToS remains available to view on all clients.

Cisco and GDPR
- Chief Privacy Officer blog on GDPR
- Appointed EMEAR Data Protection & Privacy Officer
- Privacy Shield, Model Clauses, BCRs
- Privacy is part of the Cisco Secure Development Lifecycle (CSDL); dedicated Data Protection Program (DPP) team
- CSIRT to communicate on breaches
- Cisco services business worldwide: ISO 27001
- Cisco WebEx: ISO 27001 and SOC 2 Type 2; Cisco Spark: ISO 27001 and SOC 2 Type 1
- Cisco Security (solutions and services) to assist customers in reaching readiness

Thank you.