What is GDPR?
Mission: The mother of data protection laws. Now, with teeth!
Impact: Potentially global. Do you have customers from the EU? Then you might be affected by GDPR, no matter where you’re located.
Fines: Up to EUR €20 million or 4% of the global annual revenue, whichever is higher. Fines can apply to non-EU companies as well.
Time to comply: 350 days and counting.
On 25 May 2018, one of the most important regulations related to data and privacy will become mandatory for all EU companies and for companies that are collecting or processing data of European residents. This date does not mark the beginning of a transitional phase, it is not the start of an initial assessment period, and it is not a date on which national governments will vote on it. Unlike a directive, this regulation will be effective immediately across all EU member states.
Under GDPR, individuals can request access to their data or request its removal (right to be forgotten – article 17). Companies are responsible for making sure that their systems and technology are designed securely, that data processing is limited to what is necessary for the purpose for which the data was collected, that access to personal data is granted on a need-to-know basis (data protection by design and by default – article 25), and that the design is future proof (state of the art – articles 25 and 32). Companies need to notify data protection authorities within 72 hours of becoming aware of a security breach and describe the nature of the breach (articles 33 and 34). And these are just a few examples from the GDPR regulation.
At first glance, it seems that GDPR is an internal European matter, but it has a global reach and affects every company in the world handling the data of European residents or operating in Europe.
GDPR can affect every company of every size. GDPR covers not only traditionally sensitive information, such as a social security number or passport ID, but also much more common information such as an email address, photos, a name and even an IP address. And finally, GDPR doesn’t provide a lot of guidance, just a list of principles. It is important to understand that accountability is one of the core concepts of GDPR – meaning that you are held accountable in case of a security breach, but GDPR is not going to provide you with exact guidance or a checklist to follow. Being GDPR compliant is therefore a continuous process.
We are used to saying that IT solutions can be cheap, developed fast or designed to be secure – and you can choose any two of those. With GDPR, secure is a mandatory requirement for any IT solution that contains data about individuals. Security is no longer an ad hoc process; it needs to become our new lifestyle.
How GDPR changes traditional IT decision making.
GDPR, at its core, is about the ability of an organization to manage data: data accessed by applications and operated on by people, working from various devices and from different networks.
Challenges of GDPR
I like what GDPR is trying to achieve – in the new world of IT, it is time to forget about old rules and try to solve the problem of privacy at an early stage. At the same time, as an IT architect, I see a lot of challenges in implementing the GDPR principles. I could write a lengthy paper describing all the challenges, but I’ve decided to summarize them in a few points.
- Intended audience – GDPR doesn’t differentiate between different market segments or company sizes. GDPR has been designed to solve privacy challenges caused by – amongst others – social networks, big data and cloud service providers. However, it applies to traditional enterprises as well. While reading the GDPR regulation, I had this picture in my mind the whole time. It will be much easier for companies that are using innovative software solutions and architectures to adapt to GDPR guidelines.
GDPR – startups vs enterprise. Source: turnoff.us
- Data types – The principles described in GDPR are very much needed and make a lot of sense, but at the same time, they apply to all data sources, including old legacy systems that nobody wants to touch; there is no budget in IT to upgrade them and the business relies on them. Stop thinking about the simple mailing list that your company maintains for marketing campaigns and start thinking about all the other “do not touch” systems where you store data about customers or employees. To give you an example, if you use an Excel spreadsheet to store all contact details and you send it to your team by email, then, if requested, you must be able not only to remove the contact details of a specific person from your copy, but also to make sure that they are removed from all copies of the email, all backups and all disaster recovery datacenters. And don’t forget that GDPR applies to physical media, like paper.
- Lack of skills and technologies – This is a topic for a much longer blog post and I’ll try to keep it short here. IT security has a big problem with workforce shortage and this is only going to get worse in the upcoming years – to better understand the problem, I can recommend reading the whitepaper “Mitigating the Cybersecurity Skills Shortage” from Cisco. This is one of the reasons why machine learning and artificial intelligence are so popular in IT security nowadays. GDPR will require 28,000 data protection officers (DPOs) in Europe and the US alone. But in my experience, it’s mostly technical skills that are missing. The average salary for a lead software security engineer is a whopping $233,333. There is a Black Friday-like frenzy for security talent on the market today.
Even if you’ve already started working on GDPR and assessed your applications and data, can you hire enough security experts to help you with the conversion of hundreds or thousands of your applications in the remaining 11 months? The answer is probably no; therefore it’s important to look for solutions that can be used with existing architectures and cover a broad range of applications.
- Motivation – In the past, many privacy regulations were toothless – and for many companies it was easier to pay tens of thousands in fines rather than investing millions to fix the problem. That’s not the case with GDPR. The fine can be up to EUR €20 million OR 4% of the worldwide (!) revenue (not profit!) of the company. I’ve done a quick calculation and for the top 3 largest European companies by revenue (Shell, BP and Total) the maximum penalty could be up to $9-$19 billion, while currently (in the UK) the maximum fine has been around $650,000. As you can see, a few significant zeroes were added to the motivation to comply with the regulation.
Keep calm and prepare for the GDPR
Making a company GDPR-compliant (as if such a thing exists) seems like a herculean task and it’s hard to imagine where to begin. The core of the problem for most companies though can be described as a challenge of fragmented data, which is a problem that Citrix has been addressing for a long time, including the latest solution brief about GDPR. The solution, therefore, should focus on making the data more structured, centralized, and managed. Every good source material I’ve read about GDPR agrees that data fragmentation is the core issue that companies need to face.
The first step you should take is evaluation and assessment of your data. Understand where and how your data is being stored. Make an inventory of all the data that you hold. What is the format of the data? Is it centralized or decentralized? Why are you holding it? How did you get it? Do you need/want to hold it? Can you anonymize/pseudonymize the data? How do users access the data? Is access encrypted and secured? Is it exposed to 3rd parties?
After the initial assessment, the next stage should be data source segmentation. The goal here is to better understand the data sources your company is using and to be able to divide them into different categories based on their sensitivity and potential impact. Whenever possible, you want to reduce the number of systems where data is being stored – it is much easier to delete or correct a record in one location than to get it fixed on thousands of endpoints that might not be centrally managed. For the remaining data sources, the goal is to organize them into groups so that one remediation can be applied to many of them at once, instead of trying to find a unique fix for each of them.
Once you are done with the data segmentation, the next step is to solve the problematic data sources. With the limited time available, it is important to look for solutions that can help with a wide range of applications, rather than trying to fix applications one by one. While the ideal goal is to completely change the way your company operates, that is not going to happen in 11 months. A more realistic goal is to have a clear vision of where your company should go with regards to privacy and data handling and have a solution that can assist with this transformation.
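To make the assessment and segmentation steps concrete, here is an added Python example (not from the original post or from Citrix): it applies the inventory questions above to a constructed list of data sources, tiers each source by the personal data it holds, records what the review found, and groups sources so one remediation can cover a whole tier. The field names, the tiering rule and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass

# GDPR treats common items (email, name, photo, IP address) as personal data, not
# only "special" identifiers; splitting them into two tiers is an assumed rule.
SPECIAL = {"ssn", "passport", "health"}  # high impact if exposed
COMMON = {"email", "name", "photo", "ip_address", "phone"}

@dataclass
class DataSource:              # one inventoried system, answering the questions above
    name: str
    elements: set              # personal-data fields it holds
    purpose: str = ""          # why it is held; empty means undocumented
    copies: int = 1            # known copies: backups, spreadsheets, mailboxes
    encrypted: bool = True     # is access/storage encrypted?
    third_party: bool = False  # exposed to third parties?
    pseudonymised: bool = False

def assess(src):
    """Tier one source ('none', 'low', 'high') and list what the review found."""
    if not src.elements & (SPECIAL | COMMON):
        return {"tier": "none", "findings": []}
    tier = "high" if src.elements & SPECIAL else "low"
    findings = []
    if not src.purpose:
        findings.append("no documented purpose")
    if src.copies > 1:
        findings.append(f"{src.copies} copies: erasure must reach every one")
    if not src.encrypted:
        findings.append("access or storage not encrypted")
    if src.third_party:
        findings.append("shared with third parties")
    if tier == "high" and not src.pseudonymised:
        findings.append("sensitive data not pseudonymised")
    return {"tier": tier, "findings": findings}

def segment(inventory):
    """Group sources by tier, most findings first, so one remediation
    (e.g. centralising a whole tier) can be applied to a group at once."""
    groups = {"high": [], "low": [], "none": []}
    for src in inventory:
        result = assess(src)
        groups[result["tier"]].append((src.name, result["findings"]))
    for group in groups.values():
        group.sort(key=lambda item: -len(item[1]))
    return groups

INVENTORY = [  # constructed sample inventory, not real systems
    DataSource("HR payroll DB", {"name", "ssn", "email"}, "payroll", 3, True, True),
    DataSource("Marketing list (Excel, emailed)", {"name", "email"}, "", 12, False),
    DataSource("Web server logs", {"ip_address"}, "security monitoring"),
    DataSource("Product catalogue", {"sku", "price"}),
]
```

Running `segment(INVENTORY)` puts the emailed spreadsheet at the top of the low tier because of its twelve copies, missing purpose and lack of encryption, which is exactly the kind of source the erasure example above warns about.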
One portal to rule them all
User training is potentially one of the bottlenecks that could prevent you from quickly adopting the required changes. It is important to have a unified access point to all applications and data that will not change as you start changing your backend systems.
Your goal should be a solution that can help you transition from legacy applications to a SaaS/web, modern native and/or mobile applications with minimal impact on the user experience. Citrix Workspace and NetScaler Unified Gateway can both help with this transition, providing a single place for users to find all their different application types, while you can start modernizing your backend systems and migrate the users to newer apps.
Bring apps and data back to datacenters
Traditional Windows applications where each of the endpoints has access to the back-end data, or (worst case scenario) each of the endpoints stores the data locally, are probably going to cause you the most problems. I’m a huge fan of using Citrix XenApp or Citrix XenDesktop to segment and secure these applications. You can create multiple separated networks where XenApp acts as a secure connector between users and applications and only the TLS port is exposed. With this approach, you can apply different security measures to different network segments – for example, use tighter security controls and more active security components for sensitive data, such as hypervisor introspection or context-aware security. This approach is one of the simplest ways to centralize access to sensitive data – without the requirement to rewrite or redesign your existing applications.
Example of network segmentation with XenApp
Using application remoting is a great solution for these applications. While it was traditionally used to simplify management through centralization or improve user experience by remoting, the security aspect of Citrix XenApp and XenDesktop has become more and more important in recent years. When under time constraints, the isolation of a problematic application into a locked-down environment can often be the best solution while you work on remediating or replacing the application in the longer term.
Imagine an application that is using Microsoft Access on a fileshare. How could you add multi-factor authentication, enforce session recordings, add access control conditions, or externally audit access to that application without making a serious investment? With application remoting, all of this is readily available.
One of the common problems with segmentation has been management complexity. The more segments you have, the more images and systems you have to manage and the slower your response time is, including your ability to patch everything in time. One of our latest acquisitions provides a great answer to that problem – with Citrix Application Layering and layered images, you can implement a single-image solution that spans multiple application segments. With layered images, there are no additional active components involved in running the environment (streaming servers or controllers); therefore it is a great solution for managing isolated environments.
Using Citrix Application Layer to manage segmented environments
What about mobile users?
Citrix XenApp and Citrix XenDesktop are great solutions to bring almost all your applications and data back to datacenters (and it’s been our message for a few decades already). However, there are many cases when data needs to be decentralized. When you cannot keep all the data in a central location, you should at least try to keep the data under control using centralized management. This can be done on multiple levels – you can use Citrix ShareFile to centrally manage the data or use Citrix XenMobile to manage the mobile applications and distributed devices.
This is especially important for BYO devices. Corporate data and applications can be containerized on mobile devices, including BYO smartphones and tablets, and wiped remotely by IT to protect customer data if the device is lost or stolen. Any user-owned content a device may contain is kept separate from business content and is unaffected by the remote wipe capability. Additionally, through the Citrix micro-VPN capabilities, data in transit is encrypted.
What about data without applications?
Emails, physical papers and other media are also covered under GDPR. For many companies, securing this type of data can prove to be the most complicated part of GDPR. Don’t forget – any data subject can request data to be corrected or removed and you will have a very limited time to fulfill that request, including for physical copies, backups or data stored in staging environments. This is more critical in certain verticals – for example, over 80% of security breaches in healthcare were caused by misdelivery, disposal errors or loss (Data Breach Incidents Report 2017).
A solution for this data is to modernize and start using more secure methods to collect or share data. You can use Podio WebForms or XenMobile Secure Forms to collect data from field agents with centralized control and a central data repository – using a system that supports drag-and-drop development and doesn’t require custom coding or any advanced skills. Combine this with Citrix ShareFile to store and provide access to this data – with optional multi-factor authentication, view-only modes, IRM and DLP, and encryption of all data. Making data more secure doesn’t mean that you need to sacrifice productivity.
With the limited time available, it is important to act as soon as possible.
What? GDPR is a regulation to protect any data that can identify European individuals.
Who? All European companies OR companies processing data of European citizens.
When? Deadline for implementation May 2018.
- Set up a cross-functional team to analyze your existing data sources
- Segment all your data sources and try to minimize the required effort by grooming the data available
- For the remaining data sources, identify the short-term and long-term solutions
- Find a solution that can cover most of the gaps in the shortest time and provide you with a path forward