Citrix's Peter Lefkowitz on impact of GDPR privacy requirements

The European Union's General Data Protection Regulation is changing the way almost everyone, from the consumer to the enterprise, addresses the need for consumer privacy.

The new regulation has an unprecedented scope, protecting approximately half a billion residents of the European Union (EU), and every company in the world doing business in the EU must comply with the new regulation.

However, GDPR is more than a new consumer privacy law -- it defines a new approach to protecting data privacy for all organizations that collect personal data, according to Peter Lefkowitz, chief privacy and digital risk officer at Citrix, who argues that the GDPR privacy requirements are changing the global landscape.

In this Q&A, Lefkowitz, who is also the chairman of the International Association of Privacy Professionals, explains how the global privacy landscape is changing and how information security practitioners must change to adapt.

What is different about complying with GDPR privacy requirements and the privacy protection regulations that were in effect prior to GDPR?

Peter Lefkowitz: What separates the GDPR from what came before is that the GDPR has introduced the concept of accountability. This notion that you need to apply the fair information practices around collection, notification, consent, appropriate use, reuse, legitimate interests, security, privacy impact assessments, data deletion and return. The whole wraparound of data now needs to be investigated, figured out, implemented, documented -- it's really the first time under privacy law that there's that entire wraparound.

The Data Protection Directive in 1995, which was pre-Facebook, pre-Netflix and pre-YouTube, was designed for a world of paper records and of limited online activity. We're now in a world of internet-connected devices, of constant multidirectional data flows, of hybrid computing environments, of rapidly increasing proliferation of systems and data. And so the GDPR tries, in its way, to deal with that through privacy impact assessments, through data inventories.

What separates the GDPR from what came before is that the GDPR has introduced the concept of accountability.

In turn, what's happened to the privacy profession is, where privacy previously, at least in some sectors, was a very compliance-oriented job with very specific and limited obligations, the role now is more of a data officer or a data risk officer.

So my title at Citrix is not chief privacy officer, it's chief privacy and digital risk officer. Friends of mine who are at other technology and financial services companies are now moving into the realm of being chief data officers. And that's because you don't have a database that's marked Personal Information Database, and then other databases that are marked Not Personal Information Databases and you only track the first.

There is an oversight function that needs to be performed around all of the data that a company manages. Where we come into this, obviously, as an employer and as a marketing and sales entity, it's just like any other company. We have to manage that for ourselves.

Where we come into that as a tech player is all of our products and all of our services are designed around limiting access, appropriate authentication, managing security on the back end, security analytics, system and web analytics. And so we have a role to play with our customers in how they prepare themselves for the GDPR and, more broadly, for this world of accountability.

What are the most important things Citrix has done to prepare for complying with GDPR privacy requirements?

Lefkowitz: We've done three things. We've done compliance activities on the inside; a year of investigating what systems we have, what data we have on systems, where in the world they reside, who our vendors are and [those] sort of core compliance activities.

We've also updated all of our contracts -- our vendor contracts, our customer contracts. We sent out notices to 77,000 active support customers and cloud customers with updated security terms and privacy terms.

But then, the third part, and where Jamie [Buranich, senior public relations manager at Citrix] and I have worked very closely together, is being out in the marketplace and talking to our customers about what a world of accountability looks like and how Citrix can help our customers prepare for that.

And so this is all of a piece; this world of compliance contracts and communications fits into that broader role of digital risk and data risk and managing broader corporate risk that is so critical today.

What have been the top challenges to complying with GDPR privacy requirements?

Lefkowitz: There are challenges along two lines. One is the practical challenge.

Preparing for GDPR and maintaining a program that is appropriate for GDPR on an ongoing basis is a big lift. It requires resources. And so just getting that effort underway is going to be a big lift for any company. The International Association of Privacy Professionals has almost doubled its membership in two years, as an indication of the kinds of resources that need to go into GDPR compliance.

We went from having no conferences in Germany to now we have a major conference that's happening in September. And all of the major conferences -- the Washington conference, the London conference -- have been sold out. And so it gives an indication of the kinds of resources that need to be brought to bear.

Within Citrix, we've employed people from HR, marketing, sales, product and engineering, legal, over the course of a year. And we've built a team that has been meeting on a very regular basis as we've done all these activities.

That's the blocking and tackling that needs to happen and needs to become part of the DNA of a company, and we've been engaged in that for over a year now.

The other part that I find very interesting is there have been a lot of scare tactics around GDPR: 'Oh my gosh, you need to know where every bit of data is, and if you get it wrong, it's four percent of global turnover.'

And so part of the challenge -- and this is where Jamie's been so tremendously helpful -- is in resetting people's expectations about what is really important and what's not so important -- what you really need to focus on and what you don't. Clearly, we need to focus on where the most sensitive data is. Clearly, we need to focus on managing our products and our systems in a way that helps our customers.

But the GDPR does not require that we know where every single element of data is at every moment to the exclusion of doing business. And so it's getting that balance right and getting people focused on operational excellence rather than the sort of scary scenario of risk that has been so critical to us.

Where do you see things going globally with privacy as a result of GDPR? It's directly applicable to people in the EU, but will there be effects for others?

Lefkowitz: The GDPR applies to companies -- anywhere in the world -- that purposely sell into the EU or that have employees and are doing monitoring in the EU. The GDPR has global remit.

In addition to that, Japan has just updated its privacy law. In the last number of years, a very large number of countries across Latin America have implemented new privacy laws. There are new or updated privacy laws across East Asia and Southeast Asia.

We've seen a big uptick in privacy laws and privacy enforcement globally. People give the United States the rap that we don't have privacy laws. In fact, that's not true. We have privacy laws in healthcare, in government, in financial services; we have data breach disclosure laws in 47 states.

The difference is that, to date, we don't have a single comprehensive consumer privacy law. I don't have a crystal ball, I don't know when that is going to change, but we have pretty stringent privacy controls for areas of high risk in the United States. I guess the difference with the United States is that, unlike Europe, unlike Canada, unlike Japan, we don't have a single, overarching comprehensive law.

And so I think, to answer your question, we're going to proceed apace. There is attention to privacy now, there's attention to data protection, the whole data supply chain -- the digital supply chain -- is going to be a bigger part of our lives through connected devices, through cars, through phones, through hybrid systems that we all interact with every day, and so there's going to be continued attention to this area.

Talking about data privacy, it's hard to avoid talking about mass surveillance and lawful access to data. Globally, it seems each country has its own norms on that. How do you think the balance between protecting data privacy and lawful access to data will play out?

Lefkowitz: I think that's going to be an ongoing discussion. Tim Cook and the FBI director continue to have their back and forth.

At the same time, for all of the concern that privacy advocates have -- and there are some legitimate concerns there -- there is a need globally to avoid the bad guys, and so there's been that push and pull. There will continue to be that push and pull around encryption, around government surveillance.

I think one of the important things to note there is that while the debate sometimes plays out along the lines of Europe versus the U.S., the French law, the British law, the German law, the Italian laws around government surveillance are all more permissive than U.S. laws around warrants and subpoenas.

There is a widespread recognition that we need circumstances where governments have access to data for criminal law enforcement and for avoiding mass societal risks. Governments go about that a little bit differently, but this is not a U.S. versus the world thing.

You said we need to avoid the bad guys, but they're everywhere, not just using encryption to commit crimes, which is why the FBI wants encryption backdoors. But bad guys are also targeting data collected by companies doing legitimate business who use encryption. How do we balance these needs?

Lefkowitz: There is always going to be the push and pull of privacy and security. There is the old adage: 'You can have security without privacy, but you can't have privacy without security.' We need to build systems that are secure in order to maintain privacy. And the cutting edge of that knife is going to be, do we get to a point where we tip over -- that we're maintaining security at the risk of privacy?

The best I can answer is that there are continuing struggles there. The Apple-U.S. government conflict is part of that, but there's also progress. The Cloud Act in the United States is the first step in a journey that the U.S. and Europe are undergoing on the balance of allowing access to European-held records. There is still a member-state activity that needs to happen there; none of the member-states have worked out the details of that yet, but that's going to be an ongoing discussion.

I don't hold out hope that the entire issue is going to be resolved next week. Technologies continue to evolve, risks continue to evolve, but I do think that at least on some fronts, we're making progress.

What else should people who are working with these privacy challenges be aware of?

Lefkowitz: I think the single most important thing to think about is basics. It's really going back to basics.

Look at Article 5 of the GDPR -- the focus is on the fair information practices. What data do you have, where do you have it, what do you do with it and how do you secure it?

Think about access and authentication. Think about how long you're holding records and go major area by major area. That's what we did with our project, and that's what I think the major companies are doing across the board. There is no secret sauce to it. A lot of it is about core fundamental security controls.