Meraki & GDPR

Cisco Meraki is committed to protecting the data that our customers entrust to our cloud-hosted service. The General Data Protection Regulation (GDPR) introduces specific requirements that apply to companies established in the EU, or located anywhere in the world when processing personal data in connection with offering their goods or services to persons in the EU. For Meraki organizations hosted on the Meraki EU cloud service, Meraki has made improvements to its cloud-hosted service in light of GDPR, introducing dedicated new privacy dashboard tools.

Meraki solutions and tools for the GDPR:

Data access and portability

To honor customers’ requests to export their information, Meraki has built functionality to enable accessibility and export of dashboard data.

The ‘right to be forgotten’

Customers can delete dashboard data, either for themselves, or in response to requests from users of their networks.

Restriction of processing

In the Meraki dashboard, data can be identified, hidden, and removed upon a verified request to restrict processing.

Tracking GDPR-related requests

The dashboard event log now includes functionality for tracking and verifying the status of GDPR requests.

Consent tools

Enhanced splash page functionality allows Meraki customers to provide notice to, and obtain any necessary consents from, users of their networks for the collection, processing, and storage of network user data.

Data hosting visibility

When creating a new account, Meraki customers have the option to select the region where their data will be stored. For verification, the dashboard displays the hosting region on every page.

Further details on the use of these tools can be found at documentation.meraki.com.

Capturing Spirit and Intent

The GDPR goes into great detail and sets new standards for the handling of user data. Understanding the spirit, intent and terminology of the regulation is key to developing new tools and practices, both for Cisco Meraki itself, and for those who provide services using Meraki technology:

Data Controller: the entity responsible for making decisions regarding the processing of personal data that has the direct relationship with the individual data subject (i.e., when handling employee data, Cisco Meraki acts as the Data Controller.)

Data Processor: the natural or legal person processing personal data on behalf of the Data Controller. Importantly, GDPR significantly changes the level of responsibility and accountability of Data Processors. Under GDPR, Data Processors have direct liability and are subject to regulatory enforcement and civil actions. GDPR also imposes statutory obligations related to processing records, data breach notification processes and erasure of personal data. Notably, when providing products to our customers, Cisco Meraki acts primarily as a Data Processor with respect to customer personal data.

Personal Data: any information relating to an identified or identifiable natural person (i.e., the data subject).

Processing: any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Security is foundational to the design of all products and solutions at Meraki. According to the GDPR, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Meraki has invested heavily in building security into every layer of the dashboard. In accordance with requirements of the GDPR around security incident notifications, Meraki will continue to meet its obligations and offer contractual assurances. Some examples are:

  • Out-of-band Control Plane. Only network management information (not user data) flows from devices to the Meraki cloud, dramatically limiting the amount of personal data that is transferred to the Meraki cloud.
  • Networks configured to operate in the EU Cloud ensure that even the network management information is stored only in the European Economic Area (EEA), including failover and back-up. With best practices implemented, customers can prevent the transfer of any personal data outside the EEA.

More information about Meraki’s security and tools can be found here.

Meraki from time to time may partner with third party service providers who contract to provide the same level of data protection and information security that customers can expect from Meraki. Some of these third parties are engaged as “subprocessors” to process customer data, including limited personal data, in connection with providing you Meraki products, including the dashboard.

A list of Meraki’s subprocessors can be found here.

The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

Meraki technical architecture and its internal administrative and procedural safeguards assist customers with the design and deployment of cloud-based networking solutions that comply with EU data privacy regulations, even in the absence of the US-EU Safe Harbor Framework.

Certification to the EU-U.S. and Swiss-US Privacy Shield Frameworks and Principles set out by the US Department of Commerce for the collection, use, processing and cross-border transfer of personal data from the EU and Switzerland to the US; under the leadership of Cisco Systems, Inc, approval of Binding Corporate Rules-C; update of the Cisco Meraki Data Processing Addendum incorporating the European Commission’s Standard Contractual Clauses (SCC) to ensure alignment with requirements of the GDPR.

The Meraki service is colocated in tier-1 data centers with certifications such as SAS70 type II / SSAE16 and ISO 27001. These data centers feature state of the art physical and cyber security and highly reliable designs. All Meraki services are replicated across multiple independent data centers, so that customer-facing services fail over rapidly in the event of a catastrophic data center failure.

The Meraki cloud based architecture is designed from the ground up with data protection, privacy, and security in mind. With all new features and product, the Meraki team focuses on these pillars to ensure we provide the best, safest, and most secure solutions to our customers.

More information about privacy can be found here.

The Meraki dashboard contains several logging subsystems that each have unique data retention and export options available. Datasets like event, configuration, and analytics are used for different purposes (business intelligence, operations, risk management, etc.) and are reflected in the native logging capabilities. Data is kept in our systems and backups for no longer than 14 months. This period is set to enable our customers to do year over year reporting.

Below are highlights of data retention periods for different datasets:

Log Dataset
Retention
Traffic Analytics
1 Month
Can be disabled on an organization or per network bases
Enhanced privacy controls available
Summary Reports
6 Months
Location Analytics
Client Heatmap: 6 Months
Client Proximity: 9 Months
Data stored with anonymized client details
Extended retention can be done using an external REST collection server
Event Logs
3 Months
Client Proximity: 9 Months
Extended retention can be achieved using an external syslog server

Meraki maintains security incident management policies and procedures, including detailed security incident escalation procedures. If Meraki becomes aware of any unlawful destruction, loss, alteration or unauthorized disclosure of Customer Data (a “Security Incident”), then Meraki will notify Customer without undue delay and provide Customer with relevant information about the Security Incident, including the type of Customer Data involved, the volume of Customer Data disclosed, the circumstances of the incident, mitigation steps taken, and remedial and preventative action taken.

Further explore how Meraki has implemented tools to support the GDPR in this video.

GDPR Frequently Asked Questions

What is the GDPR?

On May 25, 2018, the General Data Protection Regulation (GDPR) will take effect in the European Union. GDPR governs how both "Data Controllers" and "Data Processors" collect and process "Personal Data" in the EU. Based on well recognized privacy principles of accountability, fairness and transparency, GDPR brings long awaited consistency to data protection in the EU by harmonizing the existing patchwork of national data protection legislation across all EU member countries.

What type of information does the GDPR apply to?

The GDPR applies to all personal data. Personal data means data that can be used to identify an individual.

What rights will individuals have under GDPR?

The GDPR gives expanded protection to individuals and new rights to manage personal data collected about them, including:

  • The right to be informed - Organizations must be transparent in how they are using personal data.
  • The right of access - Individuals have the right to request what information is collected about them and how it is processed.
  • The right of rectification - Individuals have the right to request that their personal data be rectified, or corrected, if it is inaccurate or incomplete.
  • The right to erasure - Also known as 'the right to be forgotten', this right refers to an individual's ability to request deletion or removal of their personal data in certain circumstances.
  • The right to restrict processing - Individuals have a right to request that their data be blocked or suppressed from processing.
  • The right to data portability - Individuals have the right to receive a copy of their personal data for their own use.
  • The right to object - In certain circumstances, individuals are entitled to object to their personal data being used. Such circumstances include use of personal data for direct marketing, historical research or statistical purposes.

Who does the GDPR apply to?

The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process personal data of individuals in the EU in connection with either the offering of goods or services or the monitoring of behavior in the EU. Citizenship and residency are irrelevant. “Presence” in the EU is the trigger.

What is the difference between a data processor and data controller?

Data Controller: is responsible for making decisions about the processing of personal data and has a direct relationship with the individual (i.e., when handling employee data, Cisco Meraki acts as the Data Controller.)

Data Processor: processes personal data on behalf of a Data Controller. Importantly, the GDPR significantly changes the level of responsibility and accountability of Data Processors. Under the GDPR, Data Processors have direct liability and are subject to regulatory enforcement and civil actions. The GDPR also imposes statutory obligations related to processing records, data breach notification and erasure of personal data. Notably, when providing products to our customers, Cisco Meraki acts primarily as a Data Processor with respect to personal data collected by customer networks.

How does the GDPR affect policy surrounding data breaches?

The GDPR requires Data Controllers, our customers, to notify relevant Data Protection Authorities (DPAs) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of impacted data subjects. Data Controllers must also notify impacted data subjects without undue delay when a high risk to rights and freedoms is likely. Data Processors, like Meraki, must notify Data Controllers of a data breach without undue delay.

Meraki maintains security incident management policies and procedures, including detailed security incident escalation procedures. If Meraki becomes aware of any unlawful destruction, loss, alteration or unauthorized disclosure of Customer Data (a “Security Incident”), then Meraki will notify Customer without undue delay and provide Customer with relevant information about the Security Incident, including the type of customer data involved, the volume of customer data disclosed, the circumstances of the incident, mitigation steps taken, and remedial and preventative action taken.

Does Cisco Meraki offer a Data Processing Addendum (DPA)?

Yes. You can view and sign Cisco Meraki’s DPA online. After you sign, just send it to [email protected] for countersignature or complete the fields and sign electronically. We’ll return a copy to you once complete.

What has Cisco Meraki been doing in preparation for the GDPR?

Cisco Meraki is dedicated to helping our customers and partners navigate the GDPR by protecting and respecting personal data, no matter where it is collected or processed, and is committed to compliance with applicable regulatory frameworks in the US and abroad, including the GDPR. Together with the Cisco Privacy Office, Cisco Meraki established a cross-functional team of Product, Engineering, Legal and Privacy experts to ensure that Cisco Meraki is ready to meet the requirements of the GDPR.

Please refer to our documentation for more information about new dashboard features available to our customers in connection with GDPR.

What tools and services does Cisco Meraki offer customers to help them comply with the GDPR?

Cisco Meraki is actively developing new Dashboard features and APIs to help enable all Cisco Meraki customers, as Data Controllers, to respond to data subject requests under the GDPR.

These features and capabilities will be available via the Meraki dashboard without any additional cost to customers with a valid software license.

Please refer to our documentation for more information about the features available to our customers.

How does a company know if they are compliant with the GDPR?

Currently, there is no certification recognized by the European Commission to demonstrate that a company is in compliance with the GDPR. Companies and institutions that are within scope of the GDPR may choose to demonstrate GDPR readiness through third party certifications, contractual commitments regarding data protection practices, and internal policies and procedures. Cisco Meraki is actively monitoring the development of a recognized certification.

Does Meraki make contractual commitments regarding compliance with European data protection laws, including the GDPR?

Yes. Meraki offers its customers a Data Processing Addendum (“DPA​”) incorporating the European Commission’s standard contractual clauses (commonly known as the “model clauses”), in accordance with the GDPR. Meraki’s DPA is available here. The European Commission has affirmed such contractual commitments to be a valid way that European customers may transfer personal data outside the EEA. By making these contractual terms available, Meraki ensures that European customers can continue to confidently deploy scalable, secure networks that comply with applicable regulations across the EEA.

Where can I find more information about how Meraki processes customer data?

Additional information about Meraki’s security and data privacy program can be found here.