Warning – 6 minutes and a cup of coffee will be required for this not so glamorous but still very important post. Contains legal jargon.
What is GDPR?
The General Data Protection Regulation (GDPR) was approved by the EU Parliament in April 2016. It replaces the Data Protection Directive 95/46/EC (Directive). The aim of the GDPR is to reach the same level of high data protection within the EU and to protect all EU residents from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 Directive was established.
It will enter in force and be directly applicable to all EU member states on 25 May 2018- at which time those organizations in non-compliance will face potential heavy fines (including the UK which will still be part of the EU).
What is the scope of GDPR?
GDPR applies if the data controller (organization that collects data) or processor (organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU.
It also applies to organizations based outside the EU if they collect or process personal data of EU residents. According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Why does this matter?
Under GDPR, companies that are found in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). There is a tiered approach to fines e.g. a company can be fined up to €10 Million or 2% (whichever is greater) for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting privacy impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
What do organizations need to do?
Citrix recommends to focus on making the data more structured, centralized and managed. Data fragmentation is the core issue that companies needs to face. You will find further information on the Citrix blog here.
“One solution for this data is to modernize and start using more secure methods to collect or share data. You can use Podio WebForms or XenMobile Secure Forms to collect the data by field agents with a centralized control and data repository.”
Complying with GDPR using Podio
At Podio, we are here to help guide you as your organization shifts to meet the needs of the GDPR. The table below illustrates examples of how Podio can help organizations to achieve compliance with various clauses of GDPR. Customers of Podio are still required to be compliant with other GDPR articles through internal processes and steps towards becoming GDPR compliant.
|GDPR Articles||How Podio Helps|
|Article 25: Data Protection by design and by default||• Personal data access can be restricted with sharing policies, using item share or workspace access.
• Centralize, structure and organize data in Podio apps
• Access to Personal Data is further protected by authentication and network security capabilities. ShareFile login accounts supports 2 Step Verification, SAML integration and strict password policies.
|Article 32: Security of processing||• Data within Podio including Personal Data are encrypted at rest.|
|Technical and organizational Measures, Access Restrictions||• Podio supports data sovereignty requirements through availability of the Podio EU control plane.|
Other ways Podio addresses privacy in the EU
- U-US Privacy Shield Certification
Citrix participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Citrix has committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable principles.
- Model Clauses
Podio supports the Data Processing Addendum (DPA) incorporating EU approved Model Clauses, also known as standard contractual clauses. These clauses were authored by the European Commission.
The privacy practices of Podio have been assessed by TrustArc for compliance with Enterprise Privacy Certification.
FAQ (most of these FAQs can also be found on the Site: http://www.eugdpr.org/)
- When does GDPR start?
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a directive it does not require any enabling legislation to be passed by government; meaning it will be in force May 2018.
- What does Brexit mean for GDPR?
The UK will not have completed their withdrawal from the EU when the GDPR goes into effect, therefore the regulation will still apply to the UK.
The UK Government has indicated it will implement an equivalent or alternative legal mechanisms.
- Doesn’t Privacy Shield cover me?
Privacy Shield does not equal GDPR. While your company may have obtained a Privacy Shield certification, that alone will not bring your company into compliance with the GDPR. Privacy Shield only covers one small part of the GDPR; cross border data transfers.
- What is a Controller vs a Processor?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity, which processes personal data on behalf of the controller.
- What is a Data Protection Officers (DPO)?
DPOs must be appointed in the case of: (a) it is required by national law, (b) the organization is a public authority, (c) organizations that engage in large scale systematic monitoring, or (d) organizations that engage in large scale processing of sensitive personal data (Article 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
How is Citrix addressing GDPR internally?
At Citrix, our mission is to safeguard our customers’ apps and data. As a trusted partner to the largest enterprises around the globe, Citrix takes the handling and protection of sensitive business information most seriously. Like most global companies, Citrix is doing the work necessary to fulfill the requirements of the GDPR, Citrix has a long record of data privacy and security compliance, and we will aim to be ready for the GDPR. Currently, Citrix participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. See https://www.citrix.com/about/legal/privacy/. For questions about our Privacy program and/or GDPR compliance, please contact firstname.lastname@example.org. To learn more about our solutions and how we help our customers stay secure and compliant, visit citrix.com/secure.
Legal Disclaimer: This document provides a general overview of the EU General Data Protection Regulation (GDPR) and is not intended as and shall not be construed as legal advice. Citrix does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that Customers or Channel Partners are in compliance with any law or regulation. Customers and Channel Partners are responsible for ensuring their own compliance with relevant laws and regulations, including GDPR. Customers and Channel Partners are responsible for interpreting themselves and/or obtaining advice of competent legal counsel with regard to any relevant laws and regulations applicable to them that may affect their operations and any actions they may need to take to comply with such laws and regulations.