GDPR and Citrix ShareFile
The General Data Protection Regulation (GDPR) was approved and adopted by the EU Parliament in April 2016. It replaces the Data Protection Directive 95/46/EC (the Directive). The aim of the GDPR is to achieve a uniformly high level of data protection within the EU and to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the Directive was established.
It enters into force and applies directly to all EU member states (including the UK, which will still be part of the EU at that time) on 25 May 2018, at which point organisations that are not compliant face potentially heavy fines.
What is the Scope of the GDPR?
GDPR applies if the data controller (organisation that collects data) or processor (organisation that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. This applies to all organisations, regardless of whether they are based in the EU or not.
It also applies to organisations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
Why does this matter?
Under GDPR, companies that are found in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). There is a tiered approach to fines e.g. a company can be fined up to €10 Million or 2% (whichever is greater) for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach or not conducting a privacy impact assessment. It is important to note that these rules apply to both controllers and processors — meaning 'cloud services' will not be exempt from GDPR enforcement.
While 67% of respondents are aware of GDPR, only half of organisations represented in this research have allocated budget and started to prepare for these new regulations.*
What Do Organisations need to do?
GDPR applies to any company that processes personal data, regardless of its number of employees. Small to medium businesses (SMBs), or companies with fewer than 250 employees, are allowed some exceptions under GDPR. For example, SMBs could be relieved of maintaining a record of processing activities (Article 30) (http://www.privacy-regulation.eu/en/30.htm).
Organisations can get educated on GDPR through the main site (http://www.eugdpr.org/) and the specific articles (http://www.privacy-regulation.eu/en/index.htm).
Complying with GDPR using ShareFile
At ShareFile, we are here to help guide you as your organisation shifts to meet the needs of the GDPR. The table below illustrates how ShareFile can help organisations to achieve compliance with various clauses of GDPR.
| GDPR Articles | How ShareFile Helps Companies Address GDPR |
|---|---|
| Article 25: Data protection by design and by default | Personal data access can be restricted with sharing policies. Access to personal data is further protected by authentication, including 2-Step Verification and SAML integration, password policies, mobile security, and network security capabilities. |
| Article 32: Security of processing | All data within ShareFile, including personal data, is encrypted at rest. |
Of those respondents who are aware of the GDPR, the biggest concern is the potential fine of up to 20 million euros, or 2 - 4% of annual worldwide revenues, whichever is greater.*
Other Ways ShareFile addresses Privacy
EU-US Privacy Shield Certification
Citrix participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Citrix has committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable principles.
Citrix ShareFile supports the Data Processing Addendum (DPA) incorporating EU approved Model Clauses (also known as standard contractual clauses). These clauses were authored by the European Commission.
The privacy practices of Citrix ShareFile have been assessed by TrustArc for compliance with Enterprise Privacy Certification.
When does GDPR start?
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes effect after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments, meaning it will be in force on 25 May 2018.
What does Brexit mean for GDPR?
The UK will not have completed its withdrawal from the EU when the GDPR goes into effect, so the regulation will still apply to the UK. The UK Government has indicated that it will implement equivalent or alternative legal mechanisms afterwards.
What is a Controller vs a Processor?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller.
What is a Data Protection Officer (DPO)?
A DPO must be appointed when: (a) national law requires it, (b) the organisation is a public authority, (c) the organisation engages in large-scale systematic monitoring, or (d) the organisation engages in large-scale processing of sensitive personal data (Article 37). If your organisation does not fall into one of these categories, you do not need to appoint a DPO.
74% of respondents say complying with the GDPR will have a significant and negative impact on their organisations, such as large potential fines and the increased territorial reach of the regulations.*
At Citrix, our mission is to safeguard our customers’ apps and data. As a trusted partner to the largest enterprises around the globe, Citrix takes the handling and protection of sensitive business information most seriously. Like most global companies, Citrix is doing the work necessary to fulfil the requirements of the GDPR. Citrix has a long record of data privacy and security compliance, and we aim to be ready for the GDPR. Currently, Citrix participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. See https://www.citrix.com/about/legal/privacy/.
For questions about our Privacy program and/or GDPR compliance, please contact firstname.lastname@example.org.
To learn more about our solutions and how we help our customers stay secure and compliant, visit citrix.com/secure.
* The Need for a New IT Security Architecture: United States. Citrix-sponsored survey. Independently conducted by Ponemon Institute LLC. May 2017.