With the 2018 General Data Protection Regulation (GDPR), Europe marked a big step in strengthening individuals’ privacy rights. While the GDPR aims to bring consistency to the data protection landscape, incorporating well-recognized privacy principles like transparency, fairness, and accountability – operationalizing it has been a challenge.
Even before GDPR enforcement, Cisco, like many companies in the global market had been aligning internal tools, processes, and culture to what has now become a global privacy standard. These efforts were not solely driven by compliance obligations, rather by the underlying principles that privacy is both a business imperative and a fundamental human right.
Today, we proudly announce that Webex by Cisco has been declared adherent to the EU Cloud Code of Conduct (EU Cloud CoC) by SCOPE Europe, an independent monitoring body. This is another example of Cisco’s commitment to privacy and to delivering secure technologies.
Established in May 2021, the EU Cloud CoC is recognized as a significant milestone for verifiable compliance with the GDPR principles by cloud providers and users. Cisco is proud to have been part of this unique public-private partnership for more than 5 years – from ideation, to development, and to adherence of our services. Webex by Cisco – and the EU Cloud Code of Conduct provides more information.
GDPR’s early years – the history behind the EU Cloud CoC
The EU Cloud CoC emerges at a critical moment with a unique ability to provide greater certainty and consistency for global privacy and data protection. Application of the GDPR has been challenged in multiple domains, from wrangling over inconsistent interpretation and enforcement to major changes to international data transfers brought about by the Schrems II ruling, new Standard Contractual Clauses, and Brexit. Developments that have contributed to interpretative ambiguity, disrupting the development, adoption, and rollout of cloud technologies for both providers and users.
Coincidentally, fueled by the COVID-19 pandemic, demand for cloud services has never been higher. While cloud technology has been benefiting society for years, it is far from delivering its full potential, mostly due to a deep lack of trust related to the potential repercussions of a widespread deployment on control over data and knock-on impacts on fundamental rights and freedoms. The question then becomes, how do we build trust in such a deeply conflicted environment?
Policymakers behind the GDPR were not blind to the trust and implementation issues, as the text encourages the development of Codes of Conduct to “contribute to the proper application” of the regulation. It outlines requirements for Codes of Conduct and Certification mechanisms, serving as practical instruments of trust as verified by the independent parties.
The EU Cloud CoC and Webex
The main purpose of the EU Cloud CoC is to solidify the legal requirements of Article 28 of the GDPR for its practical implementation within the cloud market. Article 28 outlines the contractual relationship between cloud users (controllers) and cloud providers (processors), describing the necessary details contracts should contain when processing personal data.
SCOPE Europe subjected Webex to the rigorous set of checks across more than 80 controls – from contractual commitments made in our data protection agreements; over technical measures, including high-encryption standards; to organizational measures that outline how contractual commitments get implemented through concrete enterprise-wide operating models.
The Cisco Secure Development Lifecycle has been central to Cisco’s ability to swiftly meet the code’s requirements as it ensures our cloud offerings have security and privacy standards built in. Our proactive approach has enabled Webex to meet highly recognized international privacy standards such as ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 2 Type II and C5 certification.
One of the EU Cloud CoC’s requirements is to document procedures that ensure that the cloud provider only engages sub-processors that can provide sufficient guarantees of compliance with the GDPR through contractual obligations, as well as technical and organizational measures. Cisco didn’t wait for the code to ensure our sub-processors who manage personal data as part of our cloud solutions, implement adequate controls that ensure security and privacy. We subject all of our sub-processors to the Cloud Application Service Provider Review (CASPR), our global assessment process, which not only covers and records information about sub-processor agreements, but also assesses and documents sub-processors’ technical and organizational security posture.
Additionally, the Webex Control Hub offers a unique feature set that provides our customers with greater control. Customers can choose where their data resides, as well as get notified about future introduction of new sub-processors into the Webex service catalogue to exercise their right to object before any sub-processor becomes involved in personal data processing activities.
The EU Cloud CoC controls also focus on assessing how entities belonging to the same group of enterprises enforce regional compliance obligations. Cisco Systems, Inc. conducts business worldwide through direct and indirect subsidiaries, and is the US-based parent of all such subsidiaries, including Cisco International Limited, an entity that drove the EU Cloud CoC adherence process. Cisco subsidiaries follow the corporate policies, including privacy and data protection, established by the parent corporation. With these policies and other mechanisms, such as an Intra Group Personal Data Transfer Agreement, we enforce consistent operations practices and standards related to privacy and data protection across the corporation. The EU Cloud CoC adherence requirements are binding and compulsory for all Cisco Group Companies.
Next steps for Cisco and the EU Cloud CoC
Today, we are celebrating this important milestone with our customers and partners as a major marker along our collaboration journey. Webex is the first collaboration platform that holds adherence to the EU Cloud CoC, reaffirming Cisco’s strong commitment to privacy and trust. The market chooses Cisco and chooses Webex because we consciously choose transparency, fairness, and accountability.
We will not stop with Webex. We are working on scaling specific EU Cloud CoC controls across our cloud portfolio, building them directly into our development process. This “apply-once-support-many” approach enables an organizational-wide baseline for security, privacy, and compliance, helps reduce friction and audit fatigue across the organization and the market, while continuing to build customer trust.
Cisco continues to work with other members of the EU Cloud CoC’s General Assembly to advance mechanisms and practices to demonstrate compliance. We also work to integrate the lessons from our peers into our own processes. We look forward to welcoming more members to the EU Cloud CoC and to seeing many more adherence declarations.
See Webex by Cisco – and the EU Cloud Code of Conduct for more information.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels