Universal Registration Document 2024

Glossary

2) Certification

In 2024, Publicis Groupe was assessed by CyberVadis and remains in the top 1% of best-performing companies in terms of security and data protection (score for 2024: 971/1000), thanks to the joint work between the GDPO and the GSO.

A summary of data protection policies can be found in Janus and is publicly available on the Groupe’s website, in the CSR library. Employees can directly contact the GDPO and its teams: privacyofficer@publicisgroupe.com.  [S4-1-15]

3) With suppliers and partners

Suppliers are subject to an initial due diligence whose purpose is to assess their processes and policies in terms of data protection and security, to verify their compliance and to understand their practices. The various GDPO, GDPOps and GSO teams work together for these initial reviews. Suppliers and partners must also complete a self-assessment of compliance with laws and best practices. The contracts contain strict contractual obligations, in particular data protection declarations and guarantees. A Data Processing Addendum (DPA) is systematically distributed to suppliers, partners and publishers. This work is carried out in cooperation with the Procurement Department (see Sections 4.3.9 & 4.3.10). [S4-31 (a)]

4) Artificial Intelligence

The Privacy-by-Design policy incorporates issues related to the use of artificial intelligence (AI) in processes and various systems, so that responsibilities are clear, with rigorous oversight and strong governance. The regulatory environment around AI is constantly evolving, with many countries having introduced specific laws for AI, as has Europe with the AI Act. The Groupe has taken a number of measures to ensure that employees are trained in these new uses and the resulting challenges. The legal teams pay particular attention to the terms contained in contracts with both clients and suppliers.

4.3.12.8 Data security system and role of the Global Security Office (GSO)

1) Governance, role and mission

At Publicis Groupe, information security is everybody’s responsibility. This involves protecting sensitive information, particularly that of clients. The entire security program is led by a dedicated team from the Global Security Office (GSO), which brings together highly experienced professionals whose expertise is certified (for example CISSP, CISA, CISM and CRISC). The GSO is responsible for the security policies, guidelines and standards applied throughout the Groupe. The security program is based on a logic of continuous improvement, with an ongoing assessment of security risks and monitoring of the application of security policies. The work of the GSO is managed and monitored by the Groupe’s Top Management.

The GSO oversees several programs such as security compliance, risk management, security and vulnerability testing, technical reviews, continuity plans and educating employees about these security risks. Particular attention is paid to training all teams using different communication methods (blogs, articles, videos, tests, graphics, etc.) with content available in six languages (French, English, Spanish, Chinese, Portuguese, German) to build a culture of security across the entire Groupe.

All employees must complete mandatory training on data and information security upon joining the Groupe, followed by annual updates. In addition, other training is provided on demand, depending on responsibilities and on the security of the code. The GSO team coordinates regular communication with all employees, recalling best security practices and highlighting existing threats.

The Security Operations Center (SOC) monitors cybercrime risks (ransomware, malware, phishing). It is operational 24/7 and ready to intervene to protect infrastructure, systems, information and data and, where necessary, activate continuity plans (business continuity plan and disaster recovery plan).

[S4-4-31 (a)]

2) Certifications and compliance

The GSO is subject to multiple independent external audits throughout the year. These audits are conducted by third parties, sometimes at the request of our clients and partners, in order to maintain the highest levels of assurance and to drive a continuous improvement process. The GSO teams work closely with the agency project teams to ensure compliance with client specifications. This means following external certifications such as ISO 27001 or ISO 22301, the Payment Card Industry Data Security Standard (PCI DSS) and the Service Organization Control (SOC) Trust Criteria. Groupe Information Security Policies are aligned with ISO 27001 standards for the most critical entities. The GSO monitors these ISO 27001 certifications for entities, agencies and departments where they are imperative, such as shared service centers covering IT services, general services, HR and security. The GSO prepares external audits to ensure that standards are followed. Some entities are ISO 22301-certified for specific business continuity plans. Groupe employees can contact the GSO and the help desk teams: askgso@publicisgroupe.com.

3) With suppliers and partners

Suppliers working with the Groupe must meet specific security criteria, which are an integral part of the contract. The GSO manages the Supplier Security Risk Management program together with the Groupe Procurement Department (see Sections 4.3.9 & 4.3.10). The GSO conducts formal security risk assessments of suppliers to review their administrative, technical and physical security controls. These assessments are carried out regularly in order to protect the Groupe’s information systems. [S4-4-31 (a)]