General Data Protection Regulation (GDPR) is a new EU law on data protection and privacy for all European residents that will go into effect May 25, 2018. GDPR is the most significant update to data privacy laws in 20 years. More about GDPR can be found here: https://www.eugdpr.org/, but the critical thing for companies to recognize is that if you’re dealing with any data belonging to EU residents, regardless of location, you need to comply with the law.
GDPR is complex, so I will narrow the scope to networking solutions (banking, social networking, healthcare and many other segments each have their own work cut out for them and are outside the scope of this blog).
First, let’s break down the players.
Vendors of networking equipment (such as Ruckus Networks) usually process and store many types of data within the products. That equipment provides control to buyers (Ruckus customers) who own and decide what to do with the data. The data belongs to the data subjects, that is, the EU residents in the scope of GDPR.
The notion of data subjects extends naturally to people around the world. Everyone should have the same rights to their data. Ruckus intends to look at how the GDPR can serve as a guide for data protection for all residents globally.
User data is anything that is considered private and unique to the user. It can be grouped into various degrees of sensitivity. For instance, your date of birth, social security number, credit card, phone number, blood type, bank account and medical history are considered highly sensitive private data, while the MAC address of a mobile device or laptop and the amount of bandwidth you consume on a public Wi-Fi network could be seen as less sensitive.
Regardless of the sensitivity of the data, users have the right to their data and can demand to know what a venue owner (an organization that has deployed Ruckus products) holds and how that venue owner is using it. Users also have the right to request that their data be forgotten. The user will rarely interact with the manufacturer (such as Ruckus) to demand visibility or exercise the right to be forgotten, as they likely won’t know who those vendors are. They will engage the venue owner, such as the mall operator or the enterprise IT or security personnel, to exercise their GDPR rights. Ruckus’ plans are therefore focused on empowering our partners and customers with GDPR disclosures, reports and tools so they can cater to the needs of the data subjects (for now, EU residents) and be GDPR compliant.
Ruckus took a structured approach to addressing GDPR compliance by inviting a 3rd party privacy team to guide us through our GDPR efforts. Ruckus products such as Ruckus Cloud Wi-Fi, Cloudpath Enrollment System, Smart Positioning Technology (SPoT), SmartCell Insight (SCI), and SmartZone controllers and services were evaluated against the following questions:
- What data are the products processing and storing that can be considered private, such as personally identifiable information (PII)?
- Who controls this data? Which if any 3rd parties have access to this data?
- How long is this data retained?
- Are we making it simple and easy for our partners and customers to understand, by communicating this information to them through privacy documents, contracts and training?
- Is there an easy way to retrieve this data if asked by a data subject? Is this built into our products?
- Is there an easy way to delete this data if requested by a data subject? Is this tool built into our products?
- If there is a breach of data stored at Ruckus or in the product hosted by Ruckus’ customer, can Ruckus inform the affected parties of the extent of the breach and remedies, within the GDPR-defined time constraints?
- Is Ruckus taking measures to keep data privacy requirements a top priority in current and future product designs?
Answers to the above questions are addressed on a product-by-product basis, and may involve sharing roadmap details under non-disclosure agreements. Reach out to your local Ruckus sales team or Ruckus reseller. In general, the following describes how to look at Ruckus products and GDPR compliance.
Ruckus products as well as Ruckus services (such as the Ruckus Cloud Wi-Fi hosted service) are data processors, and in all cases, Ruckus’ customers are the “controllers” of that data. Ruckus does NOT share user data from any of Ruckus’ products with any 3rd parties. The “controllers” (venue owners) can decide to give 3rd parties API access for data sharing, but that is entirely the venue owner’s decision and not a Ruckus decision.
The user data processed and stored by various Ruckus products is essentially of mid- to low-significance by GDPR classification – such as MAC and IP addresses of the users’ devices, their signal strengths, network association and disassociation time events, bandwidth consumed, applications used, the APs they associated with (location), any URLs they visited (if the customer has purchased the newly offered URL filtering software license), etc. Ruckus does NOT harvest this data for its own use, nor does it share any of this data with any 3rd party or agency for any purpose.
The vast majority of Ruckus products are owned and operated by venue owners on their own premises, and they control who they share the data with. It is important that venue owners keep detailed data access logs – who accesses this data, what they are doing with that data, etc. We recommend that all our customers and partners provide full disclosure of their data-sharing models to data subjects (EU residents) upon request.
In summary, this is what you need to know about what we are working on:
- Ruckus does not share PII processed by our products to anyone – only our customers have the ability to do so
- Ruckus may use some data to improve product and service efficiency as well as supportability
- Ruckus is documenting the details of what data we process and how the customer has control over it
- We are adding tools to our products, through roadmap updates, that our customers can use to give data subjects visibility into their PII and the ability to delete that data
- We are improving product-design processes to involve data privacy elements
- We will adhere to GDPR’s requirement to communicate data breaches to affected parties in a timely manner
In general, we are confident that we are addressing GDPR requirements in a timely manner and look forward to continuing to ensure better privacy for all citizens, worldwide. For any questions on GDPR and Ruckus products, reach out to your Ruckus reseller or your local Ruckus sales representative.