Universal Registration Document 2021

Chapter 4. Corporate social responsibility – Non-financial performance

3) With suppliers and partners

Suppliers are subject to an initial due diligence whose purpose is to assess their processes and policies in terms of data protection and security, to verify their compliance and to understand their practices. The various GDPO, GDPOps and GSO teams work together on these initial reviews. Suppliers and partners must also complete a self-assessment of compliance with laws and regulations or best practices. The contracts contain strict contractual obligations, in particular data protection declarations and guarantees. A Data Processing Addendum (DPA) is systematically distributed to suppliers, partners and publishers. When it comes to sensitive data (HR, financial, health, etc.), in-depth analyses are conducted to verify protection, security and compliance issues.

This work is carried out in cooperation with the Purchasing Department (see Section 4.2.7 of this document).

4.2.3.3 Data security: Role of the Global Security Office (GSO)

1) Governance, role and mission

At Publicis Groupe, information security is everybody’s responsibility. This involves protecting sensitive information, particularly that of clients. The entire security program is led by a dedicated team from the Global Security Office (GSO), which brings together highly experienced professionals whose expertise is certified in CISSP, CISA, CISM, CRISC, etc. The GSO is responsible for policies, guidelines and standards applied everywhere. The entire program is based on a logic of continuous improvement, with an ongoing assessment of security risks and monitoring of the application of Groupe rules. The work of the GSO is managed and monitored by the Groupe’s top management.

The GSO oversees a number of programs such as compliance, risk management, security or vulnerability testing, technical reviews, service continuity plans and educating employees about these risks. Particular attention is paid to training all teams using different methods (blogs, articles, videos, etc.) in six languages (French, English, Spanish, Chinese, Portuguese, German) to build a culture of security across the entire Groupe. All employees must complete a mandatory module on data and information security each year, in addition to on-demand training, such as code security or best practices for creating a highly secure application. The GSO team organizes a quarterly communication recalling best security practices, including regular warnings about dishonest practices.

A team is dedicated to monitoring cybercrime risks (ransomware, phishing, etc.), and the SOC – Security Operations Center – is operational 24/7 and ready to intervene to protect infrastructures, systems, information and data and, if necessary, to activate business continuity and disaster recovery plans.

In 2020 and 2021, the GSO teams were heavily involved in the rapid deployment of and support for working from home, ensuring smooth continuity of systems and services, and remained mobilized in the face of cyberattacks.

2) Certifications and compliance

Throughout the year, the GSO program is subject to multiple independent external audits conducted by third parties, for obvious compliance reasons, but also at the request of our clients and partners, in order to maintain the highest level of assurance and to continue improving systems from year to year. GSO teams work closely with agency project teams to ensure compliance with client expectations. This means following external certifications such as ISO 27001 or ISO 22301, as well as more specific standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) or the Service Organization Control (SOC) Trust Criteria. The Groupe’s Information Security Policies are aligned with the ISO 27001 standard, and several Groupe entities in the United States, India and the United Kingdom are ISO 27001 certified. The GSO monitors these certifications; it works closely with the GDPO and GDPOps teams (see previous paragraph). Epsilon’s activities also hold ISO 22301 certification for business continuity plans.

Data security issues are centralized and each employee can contact the GSO and its teams directly at: askgso@publicisgroupe.com.

3) With suppliers and partners

One of the key principles is to extend internal security requirements to suppliers and partners. The GSO manages the Security Risk Management program, in cooperation with the Procurement Department (see Section 4.2.7 of this document). This involves carrying out formal security risk assessments and reviewing various administrative, technical and physical security controls that go beyond the principles set out in the general policy publicly available in the CSR section of the Groupe’s website. These due diligence reviews also take place during the term of the contract with the relevant suppliers.