As a kid, I loved playing hide and seek. You’d close your eyes and count to 50 while everyone scattered and hid. After a scurry of tagging the hiders running to home base, we would yell “Olly olly oxen free!” to get the really good hiders to reveal themselves, so we could start the next game. And that’s not unlike where we are right now with GDPR.
GDPR is coming in less than eight months and it’s time for organizations to come out of hiding and develop a strategy before it’s too late.
The EU’s General Data Protection Regulation (GDPR) will impact any company that does business with EU residents or tracks them for analytics or advertising purposes. In other words, this regulation affects just about every global business. It goes into effect in May 2018 and penalties are harsh (up to 4% of annual global revenue) for companies not found in compliance.
So, how can your company get ready? Here are five ways to identify GDPR risks:
- Prepare a GDPR-compliance strategy: What you can do right now:
Citrix has outlined four key design principles that demonstrate why our solution is best suited to aid in GDPR readiness. Use these principles to build your company’s plan:
- Make sure your apps are centralized in the data center or cloud so that enterprise data is not stored on devices.
- When sensitive data must be distributed, mobilized or utilized offline, make sure it is protected in a secured container.
- Develop context-aware policies based on user identity, device, location, and network connections that give IT granular control.
- Create visibility and analytics that detect potential threats early on to mitigate risk.
According to a recent study by Citrix and Ponemon, while 67 percent of respondents are aware of GDPR, only about half have allocated budgets and started to prepare for these new regulations.
- Perform a data inventory
One of the key principles of GDPR is knowing where you have personally identifiable information and applying controls over where it resides and who has access. Citrix UK recently commissioned research by One Poll to pinpoint the hidden obstacles still facing British businesses when it comes to GDPR compliance. Almost two fifths (38 percent) of respondents acknowledge that they are not ready for the GDPR, either admitting that current control access policies are insufficient or they have “no idea” whether they meet the regulation’s standards.
What you can do right now:
Start with an evaluation and assessment of your data. Understand where and how your data is being stored. Make an inventory of all the data that you hold. Ask the following questions:
- Where does the data reside?
- What is the format of the data?
- Is it centralized or decentralized?
- Why are you holding it?
- How did you get it?
- Do you need to hold it?
- What kind of data are you holding?
- Can you anonymize/pseudonymize the data?
- Can you delete/change the data?
- How do users access the data? Is access encrypted and secured?
- Is it exposed to 3rd parties?
- Use solutions that protect your data by default
GDPR revolutionizes how companies handle personal data. In this data-driven society, companies must shift to a privacy-first strategy. Article 25 of the GDPR requires data protection by design and by default.
What you can do right now:
Move to a content collaboration solution that balances IT security needs with a user-friendly interface. Citrix ShareFile enables security automation based on data and its context— like user, device, location, operations and other relevant data. Key security features include:
- Multilayer Security: Granular controls protect encrypted data at rest (with AES), in transit (with SSL), and during access and use.
- Enterprise Key Management (EKM): Company-owned encryption keys allow organizations to safeguard data within private on-premises and cloud repositories.
- Information Rights Management (IRM): The authentication process follows the file, ensuring secure access to sensitive content only by intended recipients.
- Data Loss Prevention (DLP): DLP helps organizations enforce regulated industry requirements, company governance policies, and security parameters for audit reporting and compliance.
- Evaluate the need for a Data Protection Officer (DPO) or a Data Protection Team
In Article 37 of the GDPR, DPOs must be appointed in cases when:
(a) It is required by national law
(b) The organization is a public authority
(c) Organizations engage in large-scale systematic monitoring
(d) Organizations engage in large -scale processing of sensitive personal data
What you can do right now:
If your company falls into any of the above categories, appoint a DPO.
- Build a Breach Strategy
It’s no secret: company data breaches are on the rise. Article 33 provides that data controllers must notify the proper supervisory authority of a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data” (As defined in Article 4) “ not later than 72 hours after having become aware of it.”
A recent benchmark study independently conducted by the Ponemon Institute and IBM, reported that the average organizational cost of data breach is $3.62 million. And this doesn’t include the costs of bad press, viral social posts or a plummeting stock price.
What you can do right now:
Develop a data breach plan that covers prevention, detection, and reporting
- Prevention: ShareFile can help by providing additional layers of security as mentioned in #3 above: Multilayer Security, DLP, IRM, and DLP, and EKM
- Detection: ShareFile provides IT with comprehensive capabilities to track, log and report on user file access, sync and sharing activity, including the date, type, place, and network address of each user event.
- Investigation and Reporting: ShareFile offers granular reporting capabilities including Complex security/compliance, SSO/AD integration, audit/reporting, IT control, policies and controls and admin rights.
Olly Olly oxen free…time to come out from hiding! Identify your company’s security risks with GDPR…Tag, you’re it.
For more on ShareFile and GDPR, please see
GDPR and Citrix ShareFile White Paper
4 Steps to Getting a Head Start on GDPR eBook
How is Citrix addressing GDPR internally?
At Citrix, our mission is to safeguard our customers’ apps and data. As a trusted partner to the largest enterprises around the globe, Citrix takes the handling and protection of sensitive business information most seriously. Like most global companies, Citrix is doing the work necessary to fulfil the requirements of the GDPR, Citrix has a long record of data privacy and security compliance, and we will aim to be ready for the GDPR. Currently, Citrix participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. See https://www.citrix.com/about/legal/privacy/. For questions about our Privacy program and/or GDPR compliance, please contact privacy@citrix.com. To learn more about our solutions and how we help our customers stay secure and compliant, visit citrix.com/gdpr.
Legal Disclaimer: This document provides a general overview of the EU General Data Protection Regulation (GDPR) and is not intended as and shall not be construed as legal advice. Citrix does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that Customers or Channel Partners are in compliance with any law or regulation. Customers and Channel Partners are responsible for ensuring their own compliance with relevant laws and regulations, including GDPR. Customers and Channel Partners are responsible for interpreting themselves and/or obtaining advice of competent legal counsel with regard to any relevant laws and regulations applicable to them that may affect their operations and any actions they may need to take to comply with such laws and regulations.
