In my previous blog, I looked at how Identity and Access Management (IAM) can help with GDPR compliance. This time around, I’d like to go a little deeper into how IAM addresses some of the specific data protection requirements within the new European Union (EU) regulations.
GDPR has changed the way that companies with European customers, employees or partners must deal with the personal information they hold. It is essential that any information that can identify a person is protected – from their personal and address details to their bank accounts and health records to their political views and web behaviors. You can get a full rundown on GDPR here.
Preventing data breaches and the misuse of personal data is at the heart of GDPR, which makes it surprising that the regulation doesn’t specify IAM at any point. Yet, data breaches, quite rightly, receive the most public attention. I’d say that Equifax has the dubious honor of recording the world’s most famous data breach. Earlier this year, the company had to admit that 99% of its affected customers had their social security details exposed. In fact, according to the Identity Theft Resource Center, 2017 was a record high for reported data breaches in the US alone – climbing 44.7% over 2016.
The substantially larger fines that the EU is imposing as a result of GDPR now match this growing risk to data protection. Reports suggest that Google and Facebook could already be facing fines of $9.3 billion. An effective IAM strategy and platform becomes essential to meet GDPR compliance, and the capabilities of that platform have to move beyond traditional identity management. In the past, organizations could build an IAM strategy based around prevention. Detection and remediation have become equally – if not more – important as data breaches increase and the scope and variety of cybersecurity threats grow.
So, how can IAM help you comply with the data protection requirements of GDPR? Here are a few key examples:
Personal data processing
GDPR sets out stringent requirements for the processing of personal data that demands ‘protection against unauthorized and unlawful processing’. A centralized and unified IAM platform is really the only way to achieve this through multi-factor authentication and access policies. In this way, you can ensure only authorized users can access certain resources. It may be worth considering roles-based authentication for employees to simplify and strengthen your internal access control. Another areas to consider: the IAM platform will require federated authentication so that authorized access can be quickly granted and revoked for partners and temporary workers.
Security of processing
Article 32 of the GDPR stipulates the security requirements while processing personal data. This includes the need to ensure ongoing confidentiality and integrity of processing while being able to restore access quickly after a breach. You need to be able to demonstrate both that you have the capability to do this and that you are actually doing it. IAM will reduce the risk associated with data loss and unauthorized access. It restricts access to the corporate networks and protects the identity of both the data subject and the system user. In addition, IAM allows for the timely restoration of systems by being able to help quickly identify which personal data have been affected by a breach.
Informed consent
GDPR requires that consent must be ‘freely given, specific, informed and unambiguous’. This has major implications for IAM as most consents for a customer – especially of online services – will be managed through their user profiles. The IAM platform should provide a record of consents given, the ability for the data subject to withdraw any or all consents – either themselves or through request – and an audit facility of all consents granted and revoked.
Data minimization
One of the fundamental aspects of GDPR is the concept of data minimization. You should hold no more data than you need to perform the specific processing task. IAM enables you to have centralized control over all access and authorization information relating to your employees, customers and partners. It can be used to determine not only how long access is granted but how long that information needs to be stored. This enables the timely and defensible deletion of user account information. As ‘ghost accounts’ are a major system vulnerability – providing a backdoor for hackers – IAM will help reduce this cybersecurity risk while complying with data minimization requirements.
Cloud services
As with many areas of GDPR, there is a lack of clarity about how organizations deploy cloud services in order to be compliant. The closest to anything definitive is the code of practice for cloud computing from the EU Article 29 working group and this is not binding. However, GDPR does change how organizations must work with cloud providers as the provider is now responsible for processing. Research shows that the average European enterprise uses 608 cloud apps, which means getting cloud compliance correct is vital. It’s impossible to compliantly manage your cloud services without IAM. For example, integrating on-premise workloads with cloud-based workloads requires the personal information on users – personal details, permissions, group memberships, etc. – be securely and compliantly shared with the chosen cloud platform.
GDPR suggests that new contractual relationships should underpin cloud services but it will require IAM to ensure that these arrangements are being properly enforced.
Identity governance
IAM also provides invaluable information about how employees and customers have accessed applications – who logged in when and what data they accessed. As well as security, this can drive convenience. IAM platforms deliver tools and processes for smooth multifactor authentication as well as self-service capabilities to allow users to manage their own access information. This is all within the IAM strategy and policies established by your organization and the platform will include audit facilities to ensure that internal policies and external regulations – such as GDPR – are always complied with.
If you’d like to know more about how an effective IAM strategy can help you meet the data protection requirements of GDPR, please complete the short form beside this blog.
