Cisco Spark and GDPR
Thomas Flambeaux, Collaboration Consulting Solution Engineer, Security and Compliance
Cisco Connect 2018, Copenhagen, April 12th
2015 Cisco and/or its affiliates. All rights reserved.
Once upon a time.
GDPR to prevent such abuses
General Data Protection Regulation (GDPR)
- Compliance mandate from May 25, 2018
- Repeals the '95 directive and its national implementations
- Not a certification!
- No obligation to store data in the EU
- Individual rights
- Potential fines: a board-level issue!
- 99 articles of law
Terminology (1/2)
- Regulation: has binding legal force throughout every Member State and enters into force on a set date in all Member States.
- Directive: describes the results to be achieved, but each Member State is free to decide how to transpose it into national law.
- Controller: the entity that determines the purposes and means of the processing of personal data; ultimately responsible for compliance.
- Processor: engaged by the controller to process data on its behalf for a given purpose (storage, encryption, ...): collection, access, recording, ... or destruction.
- Data subject: the individual from whom the controller/processor obtains personal data.
Terminology (2/2)
- DPO: Data Protection Officer
- DPA: Data Protection Authority, the public entity enforcing data protection laws (see the list of DPAs in the EU)
- Working Party 29: founded in 1996; its members come from the Member States' DPAs and the EU Commission. It advises states and promotes legislation in them, issues opinions to the Commission and recommendations to the public, and publishes guidelines (PIA, data portability).
Personal Data
- Any information identifying (directly or indirectly) a natural person, also known as personally identifiable information (PII)
- GDPR redefines personal data broadly (picture, geolocation, ...)
- Companies might have their own categories (administrative, customer, support data), but personal data cuts across those categories
- The European Court of Justice has ruled that an IP address is PII
- Purpose, minimization, retention period, security for sensitive PII
GDPR At A Glance
Harmonization
- Harmonized rules
- One-stop shop
- Risk-based approach
- Less admin burden
Broader Scope
- Controller and processor obligations
- Extraterritorial application
- Wider data type definitions
Increased Obligations
- Accountability
- Record of processing
- Privacy impact assessment
- Privacy by design
Stronger Individual Rights
- Right to erasure
- Data portability
- Explicit consent
- Parental consent
Increased Enforcement
- Regulatory fines
- Individual and class action
- Breach notification
- Processor obligations
Cross-border Transfers (1/3)
- EU data protection law prohibits transfers of personal data outside the EU (28) + the 3 European Economic Area countries (Norway, Liechtenstein, Iceland), except where an adequate level of personal data protection applies: USA (Privacy Shield), New Zealand, Argentina, Switzerland (Privacy Shield), ... (see the complete list).
- EU-USA: Privacy Shield replaced Safe Harbor, which the ECJ declared illegal (Max Schrems case).
- Declaration at the US Department of Commerce, which can take legal action; the company must publish a privacy policy.
- Annual review (the last one in October): La Quadrature du Net questions the complaint mechanism, CNNum and DPAs question data access by US authorities, and the EC is fine with the safeguards in PPD-28.
Cross-border Transfers (2/3)
Not on the list, or not trusting Privacy Shield?
Option 1: Model Clauses (also known as Standard Contractual Clauses, SCC), containing:
- a set of obligations for all parties
- a description of the personal data, with all data types specified
- a description of organizational security
Templates come from the European Commission; if you use your own templates, the DPA needs to approve them.
Cisco examples: Cisco WebEx TAC (processor) has signed Model Clauses; Cisco cloud EU Data Processing Addendum.
Cross-border Transfers (3/3)
Option 2: Binding Corporate Rules (BCR)
- Internal rules (such as a code of conduct) adopted by a multinational group to transfer personal data within the same corporate group to entities located in countries with or without an adequate level of protection.
- To be approved by a DPA; considered the highest standard a company can achieve.
- Data Protection Authorities in Europe have approved Cisco's BCRs: the authorities have reviewed our Global Privacy Policies and Procedures and determined that Cisco protects customer and HR personal data in accordance with EU requirements (namely GDPR) wherever they flow within our large global organization (including outside the EU, obviously).
- Usually a very lengthy process (average timeframe is 2 years) that requires close partnership with many DPAs across Europe; achieved in less than 8 months.
Expected evolutions and challenges?
- WP29 will become the European Data Protection Board and give advice and guidance for EU-wide codes of conduct and certification (Art. 40-43)
- Brexit? See the latest UK legislation draft, consistent with GDPR; on the adequacy list over time?
- Is intellectual property personal data?
- Clarifications on data breaches
- Also, what about conflicting local laws?
Conflicting local laws
FRANCE
- HDS (Hébergeur de données de santé): health personal data can only be hosted by certified companies, not necessarily stored in France
- Law in 2002, certification approach since 2016, ISO 27001/27018 based
DENMARK
- Authorization from the Danish DPA is required to transfer sensitive data abroad
- Persondataloven 2.0 comes into force by May
GDPR encompasses health PII (sensitive), and what about getting a second opinion overseas? Those conflicts should go away with GDPR.
Cisco Spark compliance
PII governance
- Cisco Trust Center: how does Cisco securely transfer and store data outside of the EU? All GDPR mechanisms approved.
- Privacy data sheets: what personal information is collected, for how long, and for what purpose?
Minimization: retention policy
- Administrator-defined retention policy
- Default retention period: indefinite (subject to storage limits)
- Configurable retention period: 1 to 120 months
- https://admin.ciscospark.com/settings
PII security: identity obfuscation
- Spark logically and physically separates functional components within the cloud (micro-services architecture)
- The Identity Service holds the real user identity. All other components only use a 128-bit Universally Unique Identifier (UUID); no real identity information transits through, or is stored in, the rest of the cloud.
[Diagram: Identity Service, Key Management Service, Content Server, Indexing Service and Compliance Service spread across separate data centers A to E]
Data leakage: strong authentication
- No additional set of credentials
- Moving away from passwords
- Multi-factor authentication
- Restricted set of devices
- Restricted access from the corporate network
[Diagram: SSO flow: (1) login as joe@acme.com, (2) redirect to the IdP, (3) login at the IdP, (4) yes/no decision]
Data leakage: Events API
- The API enables polling for events and content, which lets organizations monitor and correct user behavior, preventing the loss of sensitive data
[Diagram: Cisco Spark Events API -> third-party DLP or CASB integrations (third-party vendor software) -> corrective actions and policies: delete content, alert user/admin]
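As an added illustration of the poll-and-correct pattern above (not code from this presentation, from Cisco, or from any DLP vendor), the Python snippet below walks a batch of constructed event records shaped like Events API message events, flags messages carrying a Luhn-valid card number or a CONFIDENTIAL marker, maps each finding to a corrective action (delete or alert), and keeps a `created` cursor for the next poll; the event field names, the detection rules and the sample records are all assumptions.

```python
import re

SAMPLE_EVENTS = [  # constructed sample records, not real API output
    {"id": "evt-1", "resource": "messages", "type": "created", "actorId": "u-1001",
     "created": "2018-04-12T09:00:00.000Z",
     "data": {"id": "msg-1", "roomId": "room-A", "text": "Lunch at 12?"}},
    {"id": "evt-2", "resource": "messages", "type": "created", "actorId": "u-1002",
     "created": "2018-04-12T09:01:00.000Z",
     "data": {"id": "msg-2", "roomId": "room-A", "text": "Refund to card 4111 1111 1111 1111, name on file"}},
    {"id": "evt-3", "resource": "messages", "type": "created", "actorId": "u-1002",
     "created": "2018-04-12T09:02:00.000Z",
     "data": {"id": "msg-3", "roomId": "room-B", "text": "Draft marked CONFIDENTIAL, do not forward"}},
    {"id": "evt-4", "resource": "memberships", "type": "created", "actorId": "u-1001",
     "created": "2018-04-12T09:03:00.000Z",
     "data": {"id": "mem-1", "roomId": "room-B"}},
]

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digit card-like runs
KEYWORD_RE = re.compile(r"\bCONFIDENTIAL\b")      # assumed corporate marker

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        total += d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
    return total % 10 == 0

def classify(text: str):
    """Map a message text to a corrective action, or None if it is clean."""
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "delete"  # card number found: remove the content
    return "alert" if KEYWORD_RE.search(text) else None  # marker: alert user/admin

def poll_once(events, since: str):
    """Process events newer than `since`; return (actions, cursor for the next poll)."""
    actions, cursor = [], since
    for ev in sorted(events, key=lambda e: e["created"]):
        if ev["created"] <= since:
            continue
        cursor = ev["created"]
        if ev["resource"] != "messages" or ev["type"] != "created":
            continue  # membership and other events carry no message text
        action = classify(ev["data"].get("text", ""))
        if action:
            actions.append({"messageId": ev["data"]["id"], "roomId": ev["data"]["roomId"],
                            "actorId": ev["actorId"], "action": action})
    return actions, cursor
```

A real integration would fetch each batch with `from=` set to the returned cursor and carry out the listed actions through the messaging API on the admin's behalf.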
Data Loss Prevention and archival integrations (Cisco Advanced Services offering, in progress).
Data leakage: blocking messaging to other companies
Data leakage: corporate accounts only
- Blocking non-corporate accounts while on the corporate network
- Reduces the risk of data loss
- Requires Pro Pack
- Can only use whitelisted domains
Data leakage: customized web client idle timeout
- The administrator can define two idle-timeout settings: one for when the user is on the company network and one for when the user is on a public network.
- The customer can choose to keep the timeout period for the public network shorter than the one for the company network.
- The web client keeps an idle-timeout check and requires a re-login if the user has been idle longer than the setting.
Consent: customized Terms of Service
- Customers can customize their ToS, which their employees or users must accept before proceeding to use the Spark app.
- The enterprise admin can upload a Terms of Service document from the management interface.
- All Spark clients (web, mobile, desktop) require a user to accept the ToS the first time they try to use Spark. Once the user clicks Accept, they can proceed with using Spark.
- The ToS is always available to view on all clients.
Cisco and GDPR
- Chief Privacy Officer blog on GDPR
- Appointed EMEAR Data Protection & Privacy Officer
- Privacy Shield, Model Clauses, BCRs
- Privacy is part of CSDL; dedicated Data Protection Program (DPP) team
- CSIRT to communicate on breaches
- Cisco Services business worldwide: ISO 27001; Cisco WebEx: ISO 27001 and SOC 2 Type 2; Cisco Spark: ISO 27001 and SOC 2 Type 1
- Cisco Security (solutions and services) to assist customers in reaching readiness
Thank you.