Q&A: Citrix’s privacy chief Peter Lefkowitz talks GDPR compliance at Synergy 2018

Keumars Afifi-Sabet

10 May, 2018

With GDPR set to come into force later this month, organisations of all sizes are racing to comply with a new set of tougher data protection laws.

Cloud Pro caught up with Citrix’s chief privacy and digital risk officer Peter Lefkowitz at Citrix Synergy 2018, hosted in Anaheim, California, to discuss what the new legislation means for organisations, how it changes the way businesses approach privacy, and how Citrix itself has changed in light of imminent GDPR enforcement.

“We’re just at that moment – we’re 16 days out – so I’m spending a lot of time on it, but it’s not just internal system compliance, it’s looking at our products – what data do they collect, what are our retention rules, how do we promote ourselves to customers?” he said. 

Citrix’s bid to comply with GDPR, according to Lefkowitz, has included updating all global contracts, putting out a new data privacy addendum, standard contractual clauses – pushing those to “77,000 of our active customers in April” – and new terms for all its partner channel and suppliers.

The cloud-centric company has also asked its suppliers to sign up to new privacy terms, and fill out a questionnaire, so Citrix knows “who their security contacts are, where we go in the event of an incident, who to contact, and that sort of thing”.

On how GDPR has changed the way Citrix operates internally, Lefkowitz said: “By virtue of the fact the GDPR is so focused on accountability, on all of these controls, and on transparency, it has raised privacy awareness and security design awareness to a higher level, so we now have some of the members of our executive leadership team who want regular updates on these topics.

“It has raised that discussion up against how we design our products, how we manage our services, what we do on the back-end.”

Lefkowitz’s comments chimes with chief product officer PJ Hough’s assertion that Citrix is not only GDPR-ready itself, but has made efforts to ensure wider compliance among its associates in the industry.

“For all of our existing commercial products we have gone through GDPR review already, and we have actually not just complied ourselves, we’re actively engaged with many of our large European and global customers to help them become GDPR compliant in their entire deployment,” he said at a press Q&A following the opening keynote address.

“So I would say as we bring more of our products online we will be compliant with the regulations in all the markets in which we serve.”

CEO David Henshall added, in the same session, that regulatory compliance is “woven into how we think about the company – how we think about delivering cloud services – it’s just part of the fabric”.

Lefkowitz continued to outline specifically how Citrix is helping its partners and customers through an array of blogs, white papers, schematics, and a range of different materials featured online, outlining its approach to GDPR and data protection more generally.

“We’ve done training internally, for our support organisations, for our sales force, for our legal department, for a lot of people that touch customers and touch suppliers, so people are aware of what the key issues are. The goal is to really be as transparent as possible – and to make it as easy as possible for our customers to use these products,” he said. 

Turning to the legislation, Citrix’s in-house privacy expert explained the benefits of GDPR include that it forces organisations into adopting healthier data protection practices – while he warned against some of the unintended consequences.

“Raising these topics, making those operation controls more of a requirement, has taken a lot of effort from every company,” Lefkowitz said.

“But if you know where your data is, where your systems are, how they’re managed, you regularly check them and update them, I think the companies that take GDPR seriously are overall going to have a better framework for security control for all of their data – particularly for sensitive personal data.”

Organisations, however, should be wary of the impact of the ePrivacy regulation, according to Lefkowitz, a separate regulation that governs electronic privacy and marketing, that sits alongside existing regulation, and is in the process of being rewritten.

“Nobody knows where it’s going to land,” he explained, adding: “We’ve all been doing this big effort around marketing systems and marketing controls around GDPR, and then probably next year we’re going to be hit with an entirely new regulation.

Lefkowitz also warned there are a number of areas under the regulation that have been left open for individual member states to pass their own laws, or enforce in their own way, going against the main purpose of GDPR; that is unifying data protection regulations across the continent, and the wider world.

“A worry is that once the regulation is in effect and countries start seeing new technologies, new instances, new breaches, we may see countries splintering a bit on some very important topics,” he explained.

He outlined a hypothetical scenario of a company heading to a lead regulator in one country, presenting its system and its controls and gaining clearance, only for another regulator in another country to pull the company up on the same issues, as a point of great concern.

In terms of regulation penalties will be enforced, Citrix’s privacy chief said the legislation brings punishment under GDPR to the same standards as that under existing laws, with the whole notion of fines of 2% and 4% annual revenue based on competition and antitrust law.

He explained there will be two prongs to the regulatory approach based on the severity of non-compliance.

Outlining the first, he said: “Some of the regulators have already spoken publicly about this – they’ve hired more staff – so on 28 May, they’re going to go out and really look for basic stuff that hasn’t been done.” This will include situation in which an organisation doesn’t have a privacy policy, or if there’s evidence they’re not giving somebody access rights.

“Tranche two is going to be when the really, really, really, really bad stuff happens – the breach that has a horrendous impact, that easily could have been avoided; the company that is selling lists of sensitive information and not following up on controls – we’ve heard a little something about that recently – those I think the regulators will take very seriously,” explained Lefkowitz. 

“Time will tell whether the fines will be similar to what we’ve seen under competition law. I can’t make a guess at that; just the fact that the regulators will have that in their back pocket I think will make a significant difference in compliance.”