Meraki & GDPR
Data access and portability
To honor customers’ requests to export their information, Meraki has built functionality to enable accessibility and export of dashboard data.
The ‘right to be forgotten’
Customers can delete dashboard data, either for themselves, or in response to requests from users of their networks.
Restriction of processing
In the Meraki dashboard, data can be identified, hidden, and removed upon a verified request to restrict processing.
Tracking GDPR-related requests
The dashboard event log now includes functionality for tracking and verifying the status of GDPR requests.
Enhanced splash page functionality allows Meraki customers to provide notice to, and obtain any necessary consents from, users of their networks for the collection, processing, and storage of network user data.
Data hosting visibility
When creating a new account, Meraki customers have the option to select the region where their data will be stored. For verification, the dashboard displays the hosting region on every page.
Data Controller: the entity responsible for making decisions regarding the processing of personal data that has the direct relationship with the individual data subject (i.e., when handling employee data, Cisco Meraki acts as the Data Controller.)
Data Processor: the natural or legal person processing personal data on behalf of the Data Controller. Importantly, GDPR significantly changes the level of responsibility and accountability of Data Processors. Under GDPR, Data Processors have direct liability and are subject to regulatory enforcement and civil actions. GDPR also imposes statutory obligations related to processing records, data breach notification processes and erasure of personal data. Notably, when providing products to our customers, Cisco Meraki acts primarily as a Data Processor with respect to customer personal data.
Personal Data: any information relating to an identified or identifiable natural person (i.e., the data subject).
Processing: any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Security is foundational to the design of all products and solutions at Meraki. According to the GDPR, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Meraki has invested heavily in building security into every layer of the dashboard. In accordance with requirements of the GDPR around security incident notifications, Meraki will continue to meet its obligations and offer contractual assurances. Some examples are:
- Out-of-band Control Plane. Only network management information (not user data) flows from devices to the Meraki cloud, dramatically limiting the amount of personal data that is transferred to the Meraki cloud.
- Networks configured to operate in the EU Cloud ensure that even the network management information is stored only in the European Economic Area (EEA), including failover and back-up. With best practices implemented, customers can prevent the transfer of any personal data outside the EEA.
More information about Meraki’s security and tools can be found here.
Meraki from time to time may partner with third party service providers who contract to provide the same level of data protection and information security that customers can expect from Meraki. Some of these third parties are engaged as “subprocessors” to process customer data, including limited personal data, in connection with providing you Meraki products, including the dashboard.
A list of Meraki’s subprocessors can be found here.
International Data Transfers
The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the European Economic Area (EEA). These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.
Binding Corporate Rules (BCR)
Cisco’s BCR-C has been approved. Cisco’s data protection and privacy policies, standards, and related documentation (“BCR-C”) have been approved by the European data protection supervisory authorities. This approval demonstrates that Cisco’s Data Protection & Privacy program is aligned with EU requirements, including GDPR. Cisco’s BCR-C sets forth the mandatory, minimum standards for handling EU personal data by Cisco, as a data controller. BCR-C approval serves as a legally valid transfer mechanism and commits Cisco to processing EU personal data in accordance with EU data protection standards anywhere in the world that Cisco operates.
EU-U.S. Data Privacy Framework, the U.K. Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework
Cisco is certified under three frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, processing, and cross-border transfer of personal data from the European Economic Area (EEA), the United Kingdom (and Gibraltar), and Switzerland, respectively. Cisco is committed to managing all personal data received from the EEA, United Kingdom (and Gibraltar), and Switzerland, in compliance with the requirements of the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the U.K. Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Under EU-U.S. DPF, the U.K. Extension to the EU-U.S. DPF, and Swiss-U.S. DPF Cisco is responsible for the processing of personal data it receives and subsequently transfers to a third party. Cisco complies with the EU-U.S. DPF, the U.K. Extension to the EU-U.S. DPF, and Swiss-U.S. DPF for all onward transfers of personal data from the EEA, the United Kingdom (and Gibraltar), and Switzerland., including the onward transfer liability provisions. To learn more about EU-U.S. DPF, the U.K. Extension to the EU-U.S. DPF, and Swiss-U.S. DPF , visit the U.S. Department of Commerce’s Data Privacy Framework site.
Cisco Master Data Protection Agreement with EU Model Clauses
To protect the free movement of personal data (both Cisco’s and Cisco’s customers’) as needed around the world, we have made available a Master Data Protection Agreement (MDPA) we require from our suppliers and offer to our customers. This MDPA, includes EU Model Clauses which can be inserted where applicable. EU Model Clauses are standardized contractual clauses approved by the EU Commission to be used in agreements by EU-based data controllers to safely (and in compliance with EU requirements) transfer personal data outside of the EU to a non-EU data processor for handling.
The Meraki service is colocated in tier-1 data centers with certifications such as SAS70 type II / SSAE16 and ISO 27001. These data centers feature state of the art physical and cyber security and highly reliable designs. All Meraki services are replicated across multiple independent data centers, so that customer-facing services fail over rapidly in the event of a catastrophic data center failure.
Meraki maintains security incident management policies and procedures, including detailed security incident escalation procedures. If Meraki becomes aware of any unlawful destruction, loss, alteration or unauthorized disclosure of Customer Data (a “Security Incident”), then Meraki will notify Customer without undue delay and provide Customer with relevant information about the Security Incident, including the type of Customer Data involved, the volume of Customer Data disclosed, the circumstances of the incident, mitigation steps taken, and remedial and preventative action taken.
Privacy By Design
The Meraki cloud based architecture is designed from the ground up with data protection, privacy, and security in mind. With all new features and product, the Meraki team focuses on these pillars to ensure we provide the best, safest, and most secure solutions to our customers.
More information about privacy can be found here.
The Meraki dashboard contains several logging subsystems that each have unique data retention and export options available. Datasets like event, configuration, and analytics are used for different purposes (business intelligence, operations, risk management, etc.) and are reflected in the native logging capabilities. Data is kept in our systems and backups for no longer than 14 months. This period is set to enable our customers to do year over year reporting.
Below are highlights of data retention periods for different datasets:
|Traffic Analytics||1 Month
Can be disabled on an organization or per network bases Enhanced privacy controls available
|Summary Reports||6 Months|
|Location Analytics||Client Heatmap: 6 Months
Client Proximity: 9 Months
Data stored with anonymized client details
Extended retention can be done using an external REST collection server
|Event Logs||3 Months
Client Proximity: 9 Months
Extended retention can be achieved using an external syslog server