What is GDPR?
The General Data Protection Regulation (GDPR) was approved and adopted by the EU Parliament in April 2016. It replaces the Data Protection Directive 95/46/EC (the Directive). The aim of the GDPR is to achieve a uniformly high level of data protection within the EU and to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the Directive was established.
It enters into force and becomes directly applicable in all EU member states (including the UK, which will still be part of the EU) on 25 May 2018, at which time organisations in non-compliance will face potentially heavy fines.
What is the scope of GDPR?
GDPR applies if the data controller (the organisation that collects data), the processor (the organisation that processes data on behalf of the data controller), or the data subject (the person) is based in the EU. This applies to all organisations, regardless of whether they are based in the EU or not.
It also applies to organisations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, and posts on social networking websites, medical information, or a computer’s IP address.”
Why does this matter?
Under GDPR, companies that are found in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). There is a tiered approach to fines: for example, a company can be fined up to €10 Million or 2% (whichever is greater) for not having its records in order (Article 28), for not notifying the supervisory authority or the data subject about a breach, or for not conducting a privacy impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'cloud services' will not be exempt from GDPR enforcement.
What do organisations need to do?
GDPR applies to any company that processes personal data, regardless of its number of employees. Small to medium businesses (SMBs), i.e. companies with fewer than 250 employees, are allowed some exceptions under GDPR. For example, SMBs may be relieved of the obligation to maintain a record of processing (Article 30, http://www.privacy-regulation.eu/en/30.htm).
Complying with GDPR using ShareFile
At ShareFile, we are here to help guide you as your organisation shifts to meet the needs of the GDPR. The table below illustrates how ShareFile can help organizations to achieve compliance with various clauses of GDPR.
| GDPR Regulations | How ShareFile Helps |
| --- | --- |
| Article 25: Data protection by design and by default | • Personal data access can be restricted with sharing policies. • Access to personal data is further protected by authentication, including 2-step verification and SAML integration, password policies, mobile security, and network security capabilities. |
| Article 32: Security of processing | • All data within ShareFile, including personal data, is encrypted at rest. |
FAQ (for more information, please visit: http://www.eugdpr.org/)
- When does GDPR start?
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes effect after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments, meaning it will be in force in May 2018.
- What does Brexit mean for GDPR?
The UK will not have completed its withdrawal from the EU when the GDPR takes effect; therefore the regulation will still apply to the UK.
The UK Government has indicated it will implement equivalent or alternative legal mechanisms.
- What is a Controller vs. a Processor?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity that processes personal data on behalf of the controller.
- What is a Data Protection Officer (DPO)?
A DPO must be appointed when: (a) it is required by national law; (b) the organisation is a public authority; (c) the organisation engages in large-scale systematic monitoring; or (d) the organisation engages in large-scale processing of sensitive personal data (Article 37). If your organisation does not fall into one of these categories, you do not need to appoint a DPO.
Other Ways ShareFile addresses Privacy in the EU
- EU-US Privacy Shield Certification
Citrix participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Citrix has committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable principles.
- Model Clauses
Citrix ShareFile supports the Data Processing Addendum (DPA) incorporating EU approved Model Clauses, also known as standard contractual clauses. These clauses were authored by the European Commission.
The privacy practices of Citrix ShareFile have been assessed by TrustArc for compliance with its Enterprise Privacy Certification.
How is Citrix addressing GDPR internally?
At Citrix, our mission is to safeguard our customers' apps and data. As a trusted partner to the largest enterprises around the globe, Citrix takes the handling and protection of sensitive business information most seriously. Like most global companies, Citrix is doing the work necessary to fulfil the requirements of the GDPR. Citrix has a long record of data privacy and security compliance, and we aim to be ready for the GDPR. Currently, Citrix participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework; see https://www.citrix.com/about/legal/privacy/. For questions about our Privacy program and/or GDPR compliance, please contact firstname.lastname@example.org. Visit citrix.com/secure to learn more about our solutions and how we help our customers stay secure and compliant.
Legal Disclaimer: This document provides a general overview of the EU General Data Protection Regulation (GDPR) and is not intended as and shall not be construed as legal advice. Citrix does not provide legal, accounting, or auditing advice, represent, or warrant that its services or products will ensure that Customers or Channel Partners are in compliance with any law or regulation. Customers and Channel Partners are responsible for ensuring their own compliance with relevant laws and regulations, including GDPR. Customers and Channel Partners are responsible for interpreting themselves and/or obtaining advice of competent legal counsel with regard to any relevant laws and regulations applicable to them that may affect their operations and any actions they may need to take to comply with such laws and regulations.
Copyright © 2017 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and ShareFile are trademarks of Citrix Systems, Inc. and/or its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. All other marks herein are the property of their respective owners.