
Datasheet | MX

General Data Protection Regulation

What is GDPR?
On May 25, 2018, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) will take effect in the European Union. GDPR
governs how both “Data Controllers” and “Data Processors” collect and process “Personal Data” of individuals in the EU. Based on well
recognized privacy principles of accountability, fairness and transparency, GDPR brings long awaited consistency to data protection in the
EU by replacing the existing patchwork of national data protection legislation across all EU member states with a single directly
applicable regulation.

CISCO MERAKI’S COMMITMENT TO GDPR READINESS


Cisco Meraki is dedicated to helping our customers and partners navigate GDPR by protecting and respecting personal data, no matter
where it is collected or processed, and is committed to compliance with applicable regulatory frameworks in the US and abroad, including
GDPR. Together with the Cisco Privacy Office, Cisco Meraki established a cross-functional team of Product, Engineering, Legal and Privacy
experts to ensure that Cisco Meraki is ready to meet GDPR requirements when they come into force. Below are key highlights of how Cisco
Meraki is preparing for the GDPR enforcement date of May 25, 2018:

• Policies and Standards: further development of standards and processes to define the personal data lifecycle and help ensure data
transparency, accuracy, accessibility, completeness, security, and consistency across the Cisco Meraki platform.

• Data Inventory and Mapping: completion of a data protection impact assessment (DPIA) of the Cisco Meraki product architecture,
inventorying what personal data the platform collects, where it flows and where it is stored.

• Incident Response: ongoing review and update of Cisco Meraki’s incident response process, including improved coordination with
cross-functional teams from the Privacy, Security, Legal, Engineering and Product groups at Cisco Meraki and its parent company,
Cisco Systems, Inc.

• Data Transfer Mechanisms: certification to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and Principles set out by the U.S.
Department of Commerce for the collection, use, processing and cross-border transfer of personal data from the EU and Switzerland to
the U.S. (current); under the leadership of Cisco Systems, Inc., approval of Binding Corporate Rules across the EU (in process); update of
the Cisco Meraki Data Processing Addendum incorporating the European Commission’s Standard Contractual Clauses (SCCs) to ensure
alignment with GDPR requirements (in process).

• Third Party Audit and Certifications: maintenance of the Cisco Meraki Dashboard Payment Card Industry Data Security Standard
(PCI DSS) Level 1 certification and data center certifications, such as SAS 70 Type II / SSAE 16 and ISO 27001.

• Privacy by Design: continued integration of data protection, privacy, and security principles into product design and development
processes at all stages of the product development lifecycle.

• Data Protection and Privacy Awareness for Employees: continued employee training and awareness regarding data protection and
privacy through company-wide interactive campaigns, training courses, external certifications and online collaboration and
communication resources.

• Dashboard Feature Development: development of new Dashboard features to help enable Cisco Meraki customers, as Data Controllers,
to respond to data subject requests under GDPR. Such features will be available via Dashboard without any additional cost to customers
with valid software licenses in place.
KEY FEATURES OF GDPR
Greater Territorial Reach: GDPR applies to Data Controllers and Data Processors that are established in the EU or that, regardless
of location, collect and/or process personal data of data subjects present in the EU.

Material Fines: Data Controllers and Data Processors may face fines under GDPR for mishandling of personal data of up to 2% of annual
global turnover (or EUR 10 million, whichever is higher) for less severe infringements, and up to 4% of annual global turnover (or EUR 20
million, whichever is higher) for the most serious infringements.

One-Stop Shop Structure: companies subject to GDPR are accountable to the data protection authority (DPA) of the country of their main
establishment in the EU, which acts as the lead supervisory authority in cooperation with other relevant DPAs. As Cisco Meraki’s parent
company, Cisco Systems, Inc., has established EU headquarters in Amsterdam, Cisco Meraki’s “main establishment” is the Netherlands and
the Dutch DPA is Cisco Meraki’s lead authority.

Enhanced Rights for Data Subjects:

• Data Portability: depending on the product or service and data involved, data subjects may have a right to request that data they supplied
to Data Controllers be given to them in a structured, commonly used and machine-readable format.
• Consent: consent by data subjects to collection and processing of personal data must be fully informed, freely given, specific and
revocable at any time. In addition, performance of a contract, including the sale of goods or services, cannot be made contingent on
consent to processing that is not necessary for that contract.
• Right to Erasure: data subjects have the right to request deletion of their personal data where there are no legitimate grounds for
retaining it.

Increased Company Accountability

• Data Protection Impact Assessments: companies that collect and process high risk data sets will be required to conduct (and document)
a data protection impact assessment (DPIA). The DPIA evaluates the potential risk and impact personal data processing activities may
have on the data subject’s fundamental rights and freedoms and informs how to appropriately manage that risk.

• Privacy by Design/Default: privacy issues must be considered and addressed at the design phase of products, and privacy driven
functionality must be designed into data driven technology. To the extent privacy options are available, the default setting should be the
more privacy protective option.

• Breach Notification: GDPR requires Data Controllers to notify the relevant Data Protection Authority (DPA) without undue delay and,
where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights
and freedoms of impacted data subjects. Data Controllers must also notify impacted data subjects without undue delay when the breach is
likely to result in a high risk to their rights and freedoms. Data Processors must notify Data Controllers of a personal data breach without
undue delay after becoming aware of it.

Data Processor and Data Controller Liability: GDPR imposes new liability and accountability obligations directly on Data Processors.
In addition, Data Controllers will be liable for the misconduct of the Data Processors they select, unless they can prove that they were
not in any way at fault under GDPR.

Data Protection Officer (DPO): companies should (and in some cases may be required to) appoint a Data Protection Officer (DPO)
and a team that is accountable for data protection efforts and activities.

ADDITIONAL CISCO MERAKI PRIVACY RESOURCES


Cisco Meraki EU Cloud
Cisco Meraki EU Cloud Configuration Guide
Cisco Meraki EU Data Processing Addendum
Cisco Meraki Privacy Shield Certification
Cisco Meraki Technical and Organizational Measures
Cisco Meraki Trust Page
Cisco Meraki Out of Band Architecture
Cisco Meraki EU Privacy and Data Protection Compliance
Cisco Meraki PCI Compliance
Cisco Meraki Security Tools and Best Practices for Administrators

https://meraki.cisco.com/trust#gdpr

Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com