Suppliers are subject to an initial review (Initial Due Diligence) whose purpose is to assess their processes and policies in terms of data protection and security, to verify their compliance and to understand their practices. A Data Processing Addendum (DPA) is systematically distributed to suppliers, partners and publishers. The various GDPO, GDPOps and GSO teams work together for these initial reviews and for those that will follow during the duration of the contract, so that the supplier is in compliance with the Groupe’s standards. This work is carried out in cooperation with the Purchasing Department (see Section 4.2.5 of this document).
At Publicis Groupe, information security is everybody’s responsibility. This involves protecting sensitive information, particularly that of clients. The entire security program is led by a dedicated team from the Global Security Office (GSO), which brings together highly experienced professionals whose expertise is certified by international standards such as CISSP, CISA, CISM, CRISC etc. The GSO is responsible for policies, guidelines and standards applied everywhere. The entire program is based on a logic of continuous improvement, with an ongoing assessment of security risks and monitoring of the application of Groupe rules. The work of the GSO is managed and monitored by the Groupe’s top management.
The GSO oversees a number of programs such as compliance, risk management, security or vulnerability testing, technical reviews, service continuity plans and educating employees about these risks. Particular attention is paid to training all teams using different methods (blogs, articles, videos, etc.) in six languages (French, English, Spanish, Chinese, Portuguese, German) to build a culture of security across the entire Groupe. All employees must complete a mandatory module on data and information security each year, in addition to on-demand training such as code security or best practices for creating a highly secure application. The GSO team organizes a quarterly communication recalling best security practices, including regular warnings about dishonest practices.
A team is dedicated to monitoring cybercrime risks (ransomware, phishing, etc.), and the SOC – Security Office Center – is operational 24/7 and ready to intervene to protect infrastructures, systems, information and data and, if necessary, to activate business continuity and disaster recovery plans.
Security issues are centralized and each employee can contact the GSO and its teams directly at: askgso@publicisgroupe.com.
In 2020, the GSO teams were heavily involved in the rapid deployment of working from home, ensuring smooth continuity of systems and services, and remained mobilized in the face of cyberattacks.
Throughout the year, the GSO program is subject to multiple independent external audits conducted by third parties, for obvious compliance reasons, but also at the request of our clients and partners, in order to maintain the best levels of assurance and to continue improving systems from year to year. GSO teams work closely with agency project teams to ensure compliance with client expectations. This means following external certifications such as ISO 27001 or ISO 22301, as well as more specific standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) or the Service Organization Control (SOC) Trust Criteria. The Groupe’s Information Security Policies are aligned with ISO 27001 standards, and several Groupe entities in India and the United Kingdom are ISO 27001 certified. The GSO monitors these certifications; it works closely with the GDPO and GDPOps teams (see previous paragraph).
For example: the Publicis Sapient sites in India – Gurgaon, Noida and Bangalore – are ISO 27001 certified; Epsilon also has ISO-27001 certified entities, particularly for business continuity and recovery plans.
One of the key principles is to extend internal security requirements to suppliers and partners. The GSO manages the Risk Management program for security issues, in cooperation with the Procurement Department (see Section 4.2.5 of this document). This involves carrying out formal security risk assessments and reviewing various administrative, technical and physical security controls that go beyond the principles set out in the general policy publicly available in the CSR section of the Groupe’s website. These due diligence reviews also take place during the term of the contract with the relevant suppliers.
Social and environmental justice issues were at the heart of citizens’ aspirations during the challenging health situation of this last year that has put a harsh spotlight on the imbalances in society. More than ever, the expectations of citizen-consumers highlight a desire for more responsible, sustainable and affordable consumption. The issue of price remains central in a context of economic and social crisis.
During 2020, the strategic planning and research teams were very attentive to consumers, and shared a great deal of research and social listening work with their clients.
It is important to Groupe agencies that citizen-consumers are always able to exercise their free will and make informed choices, thanks to transparent communication. Agencies aim to act both as supporters and facilitators of behavioral change, and support their clients with their complex transformation projects.