A few facts help frame a discussion of the General Data Protection Regulation (the GDPR), the new EU privacy law that will go into effect on May 25:
- According to a recent McKinsey & Company report, global data flows grew 45x between 2005 and 2014 and had a greater impact on the growth of GDP than the sale of physical goods over the same period.
- By 2020, the number of connected devices is expected to reach 50 billion. We’re creating and sharing more data than ever before, and the volume of data, its rate of growth, and the number of third parties with whom we share our personal information should only increase with time.
- According to Privacy Rights Clearinghouse, there have been more than 8,000 publicly disclosed breaches since 2005, which have resulted in the disclosure of over 10 billion records.
It was in this context — the rapid proliferation of data, data movement, and data loss — that the European Union passed the General Data Protection Regulation (GDPR). And so it is no mistake that the GDPR focuses on accountability and operational control, including the concept of “privacy by design” (taking privacy into account when designing systems that process data) and the implementation of core technical and organizational security controls for the protection of personal information. The GDPR will replace the EU’s Data Protection Directive, which went into effect in 1995, three years before Google and nearly a decade before Facebook.
The GDPR’s Focus on Accountability
According to a 2017 survey from PwC, 77 percent of companies “plan to allocate $1 million or more on GDPR readiness and compliance efforts — with 68% saying they will invest between $1 million and $10 million and 9% expecting to spend over $10 million to address GDPR obligations.”
Companies that do business in the EU — and companies that process EU personal information — will need to complete several steps to ensure they meet GDPR standards. These include:
- Implementing “reasonable security,” such as limiting the ability of unauthorized persons to access data, for example by removing or changing default accounts and passwords.
- Ensuring that third parties with access to personal data meet core data processing requirements, including security controls and flow-downs of those requirements to their sub-processors, and that their data processing contracts reflect GDPR requirements.
- Understanding how products and systems work, where data is being stored or processed, and where it’s being exported (outside the company and/or outside the region).
- Monitoring and overseeing systems throughout their lifecycle, including patching known vulnerabilities in a timely manner.
Assuring that systems are secure will be a key part of any GDPR compliance project. Companies must ensure that access and authentication are well controlled, that data is stored and moved in a secure manner, and that they have an adequate record of data movement and flows.
Companies will also need to consider the data they collect, how it is used, and where it is transferred and stored. When evaluating the data lifecycle, companies should look at the contracts they have in place with third-party vendors to ensure that the vendors are properly securing data and that they are controlling access, use and retention appropriately.
Citrix has been preparing for the GDPR
Citrix has spent the last year preparing for the GDPR. Among other things, we have taken a deep look at our products and internal systems, with a focus on fair information practices and strong security controls. We have developed and released comprehensive security standards for all Citrix services, explaining to customers how we treat their data. And we have prepared and released a data protection addendum incorporating EU Standard Contractual Clauses for those customers requiring flow-through terms on EU data handling and transfers. We recognize that accountability is a key part of any cloud offering, and we continue to invest in privacy and security assurance and validation.
Citrix can help you prepare for the GDPR
Security is core to our focus at Citrix. That focus gives our customers the flexibility and choice to allow their employees, partners and contractors to securely access any application, from any device, from any cloud and on any network. Our products and services can help you implement stronger identity and access policies, identify and document where your data is at all times through comprehensive logs, and flag any improper attempts at access. Here are just a few areas where our products can help you log and keep track of your data globally:
- Citrix Cloud centrally and professionally manages security for your hosted environments. By housing data and applications in the cloud, you can more efficiently manage security patches and software updates to ensure your environment is up-to-date.
- XenApp and XenDesktop keep data where you can control who accesses it and enable a single source of truth for monitoring, logging and reporting.
- NetScaler helps you manage the network layer, including maintaining strong security controls into and out of your network.
As noted above, we offer detailed security terms and data protection terms designed to help you meet your “flow-down” security obligations under the GDPR.
More to Come
In the coming weeks, we will provide more information about how our products help customers meet GDPR’s challenges, including secure access and authentication controls, secure network connections, and greater control over data flows and dissemination outside the data center.