Suppliers are subject to an initial due diligence whose purpose is to assess their processes and policies in terms of data protection and security, to verify their compliance and to understand their practices. The various GDPO, GDPOps and GSO teams work together for these initial reviews. Suppliers and partners must also complete a self-assessment of compliance with laws and regulations or even best practices. The contracts contain strict contractual obligations, in particular data protection declarations and guarantees. A Data Processing Addendum (DPA) is systematically distributed to suppliers, partners and publishers. When it comes to sensitive data (HR, financial, health, etc.), in-depth analyses are conducted to verify protection, security and compliance issues. This work is carried out in cooperation with the Procurement Department (see Section 4.2.7 of this document).
The data protection policy is an integral part of the Janus Code of Ethics and publicly available on the Groupe’s website, in the CSR library.
At Publicis Groupe, information security is everybody’s responsibility. This involves protecting sensitive information, particularly that of clients. The entire security program is led by a dedicated team from the Global Security Office (GSO), which brings together highly experienced professionals whose expertise is certified in CISSP, CISA, CISM, CRISC, etc. The GSO is responsible for policies, guidelines and standards applied throughout the Groupe. The entire program is based on a logic of continuous improvement, with an ongoing assessment of security risks and monitoring of the application of Groupe rules. The work of the GSO is managed and monitored by the Groupe’s top management.
The GSO oversees a number of programs such as compliance, risk management, security or vulnerability testing, technical reviews, service continuity plans and educating employees about these risks. Particular attention is paid to training all teams using different methods (blogs, articles, videos, tests, graphics, etc.) in six languages (French, English, Spanish, Chinese, Portuguese, German) to build a culture of security across the entire Groupe. All employees must complete a mandatory module on data and information security each year, in addition to on-demand training such as code security. The GSO team coordinates regular communication with all employees, recalling best security practices and detailing existing threats.
A dedicated team, the SOC (Security Operations Center) monitors cybercrime risks (ransomware, malware, phishing, etc.). The SOC is operational 24/7 and ready to intervene to protect infrastructure, systems, information and data and, where necessary, activate business continuity plans and disaster recovery plans.
85% of GSO teams are ISO 27001 certified. The GSO program is subject to multiple independent external audits throughout the year. These audits are conducted by third parties but also at the request of our clients and partners, in order to maintain the highest levels of assurance and to continue improving the systems year after year. GSO teams work closely with agency project teams to ensure compliance with client expectations. This means following external certifications such as ISO 27001 or ISO 22301, as well as more specific standards such as Payment Card Industry Data Security Standard (PCI DSS) or Health Insurance Portability Accounting Act (HIPAA) or Service Organization Control (SOC) Trust Criteria. Groupe information security policies are aligned with ISO 27001 standards; the Groupe’s largest entities in the United States, India, the United Kingdom and Latin America are ISO 27001 certified. The GSO monitors these certifications. They work closely with the GDPO teams (see previous paragraph). Epsilon’s activities also have ISO 22301 certification for business continuity plans.
Data security issues are centralized and each employee can contact the GSO and its help desk teams directly at: askgso@publicisgroupe.com.
One of the key principles is to extend internal security requirements to suppliers and partners. The GSO manages the Security Risk Management program, in cooperation with the Groupe Procurement Department (see Section 4.2.7 of this document). These are formal security risk assessments, reviewing various administrative, technical and physical security controls.
The Information Systems Security policy is an integral part of the Janus Code of Ethics; it is publicly available in the CSR library of the Groupe’s website.