The GDPR is upon us! Well, almost…
If your organization serves customers or individuals in the European Union, you’re likely already aware of the General Data Protection Regulation (GDPR). Introduced in response to concerns about data privacy, the GDPR will go into effect on May 25, 2018, imposing responsibility and accountability on every organization that processes the personal data of individuals in the EU. In today’s global economy, that includes the vast majority of enterprises and a large proportion of smaller businesses as well. The extensive requirements of the GDPR—and the high cost of non-compliance—make preparing for this new regulation a top priority for today’s organizations.
GDPR Basics
The first thing to understand about the GDPR is to whom it applies and what it covers. The regulation refers to both “controllers” and “processors” of data—in other words, any organization within the EU and any organization that stores, handles, or processes personal data of EU residents in any way. Personal data is defined quite broadly to include not only information provided by the individual, but also observed data such as online identifiers, browsing history or social media posts; data derived through straightforward processing such as previous transactional history; and data inferred through more complex processing. Given this, companies need to be extremely thoughtful about the handling of any data they collect.
The GDPR is all about accountability and governance. Companies must take steps to minimize the risk of breaches and uphold the protection of personal data, ensuring compliance through documented technical and organizational security measures.
Penalties
If GDPR compliance seems onerous, consider the alternative: organizations that fall short of GDPR requirements can face stiff penalties on a two-tier fine structure. A lack of compliance can bring a penalty of €10 million, or 2 percent of global revenue, whichever is greater. Companies that violate the rights and freedoms of their data subjects—including those that fall victim to hacking and other breaches of personal data—are subject to twice that penalty. Add this to the already-considerable set of risks associated with a data breach.
Incident Response
In addition, under the GDPR, organizations will now have a 72-hour breach notification obligation. This applies to more than just the loss of personal data: any breach of security leading to the destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data must be disclosed within the mandated time period. This requirement will force many companies to rapidly mature their data incident response programs.
Additional Rights
Beyond new penalties, security requirements and incident response obligations, the GDPR extends additional rights to individuals in the EU, including the right to be informed about the use of their personal data, and the rights to access, erase and transfer that data.
Trust
At its core, the GDPR is about trust. It is about companies handling the personal data of their customers, partners and employees with care and respect. As a vendor that helps the world’s businesses mobilize and secure apps and data, Citrix’ relationship with its customers is built on trust. Citrix views GDPR as an opportunity to reinforce that relationship, and Citrix is relentlessly focused on helping our customers secure all of their data, and supporting our customers’ GDPR compliance programs.
To learn more about how Citrix can aid in your GDPR preparation, please refer to:
- GDPR Compliance: Redefining the Price of Privacy (blog post)
- “Achieve GDPR Readiness with Secure App and Data Delivery” (solution brief)