General Data Privacy Regulation (GDPR), the new European privacy law aimed at safeguarding personal data, takes effect in the spring of 2018 and applies to companies, anywhere in the world, that do business with customers in Europe.
This article is the first in a series that will address the upcoming GDPR deadline — May 25, 2018 — and how Citrix can help secure personal data on mobile endpoints.
The need for global communication makes accounting for personal data on global endpoints a significant consideration for organizations that must comply with GDPR. Citrix XenMobile is a market leading Unified Endpoint Management (UEM) component of the Citrix Secure Digital Workspace. This blog will give an overview of GDPR summarizing pertinent terms and concepts, and outline some of the key challenges that mobility presents to organizations that must comply with GDPR. In subsequent installments, we will do a deep dive into the ways XenMobile can solve each of those challenges and protect personal data on mobile endpoints.
Commonalities that Help Break Down the 99 Articles of GDPR
GDPR is described in chapters and “articles”, or subsections that describe specific requirements, not to be confused with “articles” found in periodicals. There are 99 articles, yet there is commonality among several, including those pertaining to:
- Locate – there are several articles within the General Data Protection Regulation (GDPR) that pertain to where personal data is obtained, where and how it’s used. They focus on activities such as identifying locations where personal data is stored, categorize types of personal data, and catalog of processing activities how and where personal data is obtained and used.
- Manage – another set of articles pertain to governance, input, and processing of personal data. They focus on activities, such as restricting processing of personal data to a defined scope, the discontinuation, and erasure of personal data as requested, and outline requirements for a data protection officer to oversee a governance program.
- Monitor – some articles pertain to monitoring the use and export of personal data. They focus on activities such as tracking, and recording personal data processing, transfer of data in and out of the EU.
- Secure – and another batch of articles pertain to securing personal data throughout its enterprise life. They focus on activities such as data protection and privacy by design and default, confidentiality, integrity, and availability (CIA) of personal data including securing personal data through encryption, and the need to detect, and respond to data breaches.
Citrix has range of solutions that can help address parts of GDPR, helping businesses become GDPR-compliant. We are one part of a wider solution that involves people, processes and technology. The focus of this blog series will pertain to how Citrix can help “secure” personal data on mobile endpoints.
Mobile devices present many challenges to enterprises trying to secure personal data. These endpoints present special risks since they can be used anywhere, anytime and may be owned by the employee. Some include of these risks include:
- App Protection – organizations must secure personal data used by corporate mobile apps despite the fact they may be hosted on a user owned mobile device. Enterprises must do a form of mobile app rationalization and evaluate the potential cost of non-compliance against the cost of migration for those apps required to run the business.
- Which secure productivity apps are required – mail, web, collaboration, etc.
- How do they secure data – encrypted containers, VPN, contextual security, etc.
- Who can use them – enrollment, identification, conditional access, etc.
- What are the pros and cons of each app type – security, host, user experience, etc.
- Content Protection – organizations need to support file sharing and collaboration securely between enterprise mobile apps and be able to erase files that contain personal data, from the device, on demand.
- Where mobile files may be hosted – public, private, or hybrid cloud
- How files are secured at rest and in transit – encrypted storage, per-app VPN, WIP
- Who can use the files – access, identification, and authorization
- What are the benefits of a single vendor – productivity app integration, single sign-on
- Device Protection – organizations will want to help protect the platform OS, mitigate the risk of malware, and enforce device security and pertinent policies to control device functions that make data vulnerable to loss.
- Which device policies – restrictions, passcode, mobile threat detection, etc.
- Where do mobile threats come from – malware, phishing, rogue mobile apps, etc.
- How are threats detected – jailbreak detection, machine learning, etc.
- What actions may be taken based on a threat – app lock, selective wipe, etc.
- Endpoint Management – organizations have to manage multiple platforms including control of critical software patches that include updates to address vulnerabilities that could put personal data on the endpoint at risk.
- Which platforms are used in enterprises – iOS, Android, Windows10, MacOS, Zebra, etc.
- How may platforms be managed – Control OS updates, OS polices, etc.
- Why unify – consolidated workspace management, unified app library, etc.
- What Microsoft resources may be managed – O365 integration, EMS extension, etc.
Any organization that collects and/or stores personal data of European residents irrespective of whether they are headquartered in the European Union (EU) are subject to GDPR regulations.
GDPR will impose massive penalties for non-compliance, up to EUR €20 million or four percent of the global annual revenue, whichever is higher. The average annual revenue of the top 10 global companies is approximately $250 Billion; four percent of that is approximately $10 billion. To put that into perspective, here’s a few examples of what that much money could buy:
- 2.5 billion McDonalds happy meals in the U.S.
- An NFL, NHL, NBA, and a Major League Baseball team
- Exchange it for currently approximately 100,000,000,000,000 Venezuelan Bolivars
In other words, this is a significant regulation that should not be taken lightly and justifies significant investment to avoid a massive penalty.
As organizations around the world prepare for the GDPR, Citrix Secure Digital Workspace solutions can enable a simple approach to achieve compliance without impeding productivity. Citrix XenMobile is the Workspace component that can securely manage apps, content, and devices on your global endpoint. To learn more about security and compliance with Citrix secure digital workspace solutions, please visit https://www.citrix.com/it-security/
Stay tuned for upcoming blogs where we’ll discuss how XenMobile can help overcome each of these mobility challenges and protect personal data.