Universal Registration Document 2025

4.3.12 Responsible marketing and technology

4.3 Social: fundamental human rights, impact & equity

2) Certifications and compliance

The GSO is subject to multiple independent external audits throughout the year, at the request of clients and partners. These audits make it possible to maintain the highest levels of assurance and conduct a process of continuous improvement. GSO teams work closely with agency project teams to ensure compliance with client specifications, and with external certifications such as ISO 27001 or ISO 22301, Payment Card Industry Data Security Standard (PCI DSS), and Service Organization Control (SOC) Trust Criteria. Groupe information security policies are aligned with ISO 27001 standards for essential internal services, such as IT, HR and data security. Some entities are ISO 22301-certified for specific business continuity plans.

Groupe employees can contact the GSO and the help desk teams: askgso@publicisgroupe.com.

3) With suppliers and partners

Suppliers working with the Groupe must meet specific security criteria, which are an integral part of the contract. The GSO, with the Groupe Procurement Department, manages the Vendor Security Risk Management program. This program is based on formal supplier security risk assessments, which assess the administrative, technical and physical security controls intended to protect the Groupe’s information systems. [ESRS 2 MDR-A]

4) Artificial intelligence

As artificial intelligence (AI) continues to drive business innovation, the Groupe is committed to ensuring that it is developed responsibly and securely. The adoption of AI must be guided by security and compliance rules, as well as ethical best practices. The GSO assesses the security of AI service providers, conducts security architecture reviews, and conducts security testing. The objective is to have an efficient and protected AI integration, placing security at the heart of innovation.

The Information Systems Security policy is an integral part of the Janus Code of Conduct and Ethics; it is publicly available in the CSR library of the Groupe’s website. [ESRS 2 MDR-P]

4.3.11.9 Whistleblowing system for the general public

The whistleblowing system, with the external Ethics Concerns platform at the following address: https://publicis.whispli.com/lp/ethicsconcerns, makes it possible to collect all types of reports, whether internal or external. All whistleblowing reports received are processed if they are sufficiently precise and substantiated. Processing is carried out by the Compliance Department under the supervision of the Secretary General. Investigations are carried out by the Internal Audit Department or the Legal Department, using the appropriate resources depending on the subject in question while maintaining strict confidentiality. Whistleblower communications are protected by confidentiality, and any form of retaliation against a whistleblower acting in good faith is strictly prohibited. Each case is closely monitored to ensure that appropriate actions have been taken and corrective measures applied (see Section 4.4.2.1.). [S4-3-25 (b), (c) & (d), S4-3-26 & 27]

4.3.12 Responsible marketing & technology: a unique approach

4.3.12.1 Applying ethical principles in all business lines
1) Confidentiality

Respect for the confidentiality of client data and projects is a fundamental value. It is required from 100% of employees, in addition to the obligations undertaken by them in their employment contract with the Groupe. Teams may have access to sensitive information; they are now routinely asked to sign specific confidentiality agreements (NDAs – non-disclosure agreements). Intellectual property, whatever the type of creation or output, is also protected. Experts in trademark law or copyright or database law within the legal teams must be consulted well upstream of projects. Data protection and security specialists must also be involved in all projects to ensure that these issues are addressed strictly.

2) Intellectual property

As a creative company, Publicis Groupe has always been committed to respecting and protecting intellectual property, an increasingly complex topic to manage in a digital and ultra-connected world and with images created through artificial intelligence. It is in this spirit that the PMX Digital team has set up an exclusive contract with WIPO (World Intellectual Property Organization) to identify and exclude sites that violate intellectual property. Respect for intellectual property is one of the key principles set out in the mandatory Generative AI Ethics and Responsible Use training.