GDPR goes into effect in a little less than a year. ShareFile can help you get ready!
What is GDPR?
The General Data Protection Regulation (GDPR) was approved and adopted by the EU Parliament in April 2016, and replaces the Data Protection Directive 95/46/EC (Directive). The aim of the GDPR is to reach the same level of high data protection within the EU and to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the Directive was established.
It will enter in force and be directly applicable to all EU member states on 25 May 2018, at which time those organizations in non-compliance will face potential heavy fines (including the UK, which, at that time will still be part of the EU).
What is the scope of GDPR?
GDPR applies if the data controller (organisation that collects data) or processor (organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. This applies to all organizations, regardless of whether they are based in the EU or not.
It also applies to organizations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Why does this matter?
Under GDPR, companies that are found in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). There is a tiered approach to fines, meaning a company can be fined up to €10 Million or 2% (whichever is greater) for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach, or not conducting a privacy impact assessment. It is important to note that these rules apply to both controllers and processors — meaning “cloud services” will not be exempt from GDPR enforcement.
What do organisations need to do?
The Citrix situational approach to security and compliance centers on four key tenets:
- Whenever possible, centralize apps and data in the data center or cloud so sensitive enterprise data is not stored on devices.
- When sensitive data must be distributed, mobilized or utilized offline, ensure it is protected in a secured enclave.
- Precisely control access to resources with context-aware policies based on user, device, location, application and data sensitivity.
- Provide visibility and management capabilities that unite your entire IT infrastructure to deliver application and data-specific security.
The result is a simplified approach that assists with compliance and strengthens security without impeding productivity.
Complying with GDPR using ShareFile
At ShareFile, we are here to help guide you as your organisation shifts to meet the needs of the GDPR. The table below illustrates how ShareFile can help organizations to achieve compliance with various clauses of GDPR.
| GDPR Regulations | How ShareFile Helps |
| Article 25: Data Protection by design and by default | • Personal Data can be identified through ShareFile Data Loss Prevention (DLP) integration, leveraging the customer’s existing DLP solution. Personal data access can be restricted with sharing policies.
• Access to Personal Data are further protected by authentication including 2 Step Verification and SAML integration, password policies, mobile security, and network security capabilities |
| Article 30: Records of processing activities | • ShareFile supports a subset of the requirements through our DLP integration where DLP scanned files with Personal Data are being audited and tracked. This includes upload, download and access activities related to Personal Data. |
| Article 32: Security of processing | • All data within ShareFile including Personal Data are encrypted at rest. ShareFile also supports customer managed encryption keys through Key Management Services.
• Data can also be protected through Information Rights Management (IRM) to enable encryption of data further. |
| Technical and organisational Measures, Access Restrictions | • ShareFile supports any data sovereignty requirements through availability of the ShareFile EU control plane.
• To support transfer of personal data to a third country or international organisation, Information Rights Management (IRM) can be used to provide the safeguards. |
FAQ (for more information, please visit: http://www.eugdpr.org/ )
When does GDPR start? The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a directive it does not require any enabling legislation to be passed by government; meaning it will be in force May 2018.
What does Brexit mean for GDPR? The UK will not have completed their withdrawal from the EU when the GDPR goes into effect, therefore the regulation will still apply to the UK.
The UK Government has indicated it will implement an equivalent or alternative legal mechanism.
- What is a Controller vs a Processor?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. - What is a Data Protection Officers (DPO)?
DPOs must be appointed in the case of: (a) it is required by national law, (b) the organization is a public authority, (c) organizations that engage in large scale systematic monitoring, or (d) organizations that engage in large scale processing of sensitive personal data ( 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
Other Ways ShareFile addresses Privacy in the EU
EU-US Privacy Shield Certification. Citrix participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Citrix has committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable principles.
Model Clauses. Citrix ShareFile supports the Data Processing Addendum (DPA) incorporating EU approved Model Clauses (also known as standard contractual clauses). These clauses were authored by the European Commission.
TRUSTe. The privacy practices of Citrix ShareFile have been assessed by TRUSTe for compliance with Enterprise Privacy Certification
How is Citrix addressing GDPR internally?
At Citrix, our mission is to safeguard our customers’ apps and data. As a trusted partner to the largest enterprises around the globe, Citrix takes the handling and protection of sensitive business information most seriously. Like most global companies, Citrix is doing the work necessary to fulfill the requirements of the GDPR, Citrix has a long record of data privacy and security compliance, and we will aim to be ready for the GDPR. Currently, Citrix participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. See https://www.citrix.com/about/legal/privacy/. For questions about our Privacy program and/or GDPR compliance, please contact privacy@citrix.com. . To learn more about our solutions and how we help our customers stay secure and compliant, visit citrix.com/secure
Legal Disclaimer: This document provides a general overview of the EU General Data Protection Regulation (GDPR) and is not intended as and shall not be construed as legal advice. Citrix does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that Customers or Channel Partners are in compliance with any law or regulation. Customers and Channel Partners are responsible for ensuring their own compliance with relevant laws and regulations, including GDPR. Customers and Channel Partners are responsible for interpreting themselves and/or obtaining advice of competent legal counsel with regard to any relevant laws and regulations applicable to them that may affect their operations and any actions they may need to take to comply with such laws and regulations.
