The EU General Data Protection Regulation (GDPR) & IAM
With the anticipated publication of the European General Data Protection Regulation (“Regulation”) in 2016, large and small enterprises are beginning to assess how the new Regulation will affect their data protection and privacy compliance programs. The Regulation will affect companies based both inside and outside the EU, so it is important for every company to understand whether the Regulation applies to it and, if so, what new requirements and obligations it will impose.
WHAT IS HAPPENING?
The Regulation will largely replace the existing country-specific data protection laws in the EU and will apply directly in all Member States, with the aim of harmonizing data privacy law across the Union. The final text comes after a long process of negotiation and amendment: the Commission, the Parliament and the Council have recently begun negotiating the various proposed amendments. Once adopted, companies will have two years to get their privacy house in order before the Regulation applies, from 25 May 2018. Given the number of changes the Regulation will bring, companies should begin working on compliance sooner rather than later.
IS MY COMPANY SUBJECT TO THE REGULATION?
The Regulation applies to controllers and processors established in the EU, regardless of where the processing itself takes place. It also applies to companies outside the EU that process personal data of data subjects in the EU where the processing relates to offering them goods or services (whether or not payment is required) or to monitoring their behaviour within the EU (Article 3). Consequently, a company does not need an EU office to be in scope: most companies that serve or track users in the EU will be subject to the Regulation, wherever they are based.
WHAT ARE THE RISKS?
Companies subject to the Regulation face much higher financial exposure than under the existing regimes. The Regulation provides for administrative fines of up to 20 million euro or up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)). Turnover is assessed for the group as a whole, not just the entity that committed the infringement.
HOW CAN WE PREPARE?
Below are eight suggestions, from an infrastructure and software point of view, that can help you and your organization prepare for the forthcoming Regulation.
- Evaluate whether the technology you currently use to manage access to data that will fall under the Regulation is sufficient. Any such software should be able to generate lists or reports showing who has which level of access to any given piece of information, whether it is stored on SharePoint, file servers or Exchange. Examine who in your company handles personal data and, more importantly, where it is stored, who stores it, and who accesses it and how. What reports or documentation are available to track data and user activity? Are your workflows and processes efficient and compliant? A fundamental first step towards compliance is to restrict access on a need-to-know basis: that way, only qualified and appropriate employees handle personal data, and many potential problems are prevented before they occur.
- Will you work with external auditors, or make someone in the organization responsible for data compliance? Either way, you must be able to generate regular, standardized reports to meet compliance needs efficiently. It is also important to keep a central repository of current and historic access rights for record-keeping purposes. Lastly, make sure any compliance activity is carried out as quickly and accurately as possible, to avoid additional costs and fines.
- Any analysis of your solutions and infrastructure must either point to concrete problems or provide the information needed to identify gaps and structural weaknesses. Closing the structural weaknesses, rather than fixing individual symptoms, ensures that the same issues do not recur.
- Most experts recommend beginning the process of preparing for the oncoming regulation as soon as possible. This is because most companies will already have compliance standards that they have to meet and will merely have to fill in the gaps with new requirements the regulation will propose. This gives any organization time to evaluate the gaps in their current portfolio and fill them accordingly.
- Measures and procedures must be in place to deal with data breaches. It is important to first try and prevent any data breaches but equally important, a tool is needed to provide information on the activity of users and data flow. For example, prior to the breach, who was accessing a file or who changed permission for users or groups?
- To make sure you are meeting the necessary compliance measures, a solution must not only present information that is easy to understand but also serve as a platform for educating non-technical users. Deciding which users should have access to data, and identifying inappropriate or excessive access, requires the involvement of non-technical data owners. If everyone involved is properly trained and informed, subsequent compliance checks will be faster and easier.
- Any auditing and tracking capability must provide ‘actionable’ intelligence. It does not make sense to record every single activity on a network, as you will end up with a colossal amount of data that you then have to sift through. It makes more sense to produce logs and reports that are narrowed down to the specific activity you need to track.
- Investment is a necessary part of meeting any compliance regulation. As part of the evaluation process, the critical factor will be the price-to-performance ratio. It therefore makes sense to invest in solutions that make your employees more efficient and that make each subsequent compliance check run faster than the previous one.
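The list above asks three concrete questions of an access-management system: who effectively holds which level of access to a resource, who holds more than their need-to-know baseline allows, and, after an incident, who read a file or changed its permissions before a given moment. The following Python script is an added example (not Safewhere code, and not tied to any particular product's export format) showing how those questions can be answered from two inputs a practitioner can usually obtain: group memberships plus resource ACLs, and an audit trail. The group names, ACL levels, event tuple layout and all events are constructed for illustration.

```python
"""Entitlement and audit-trail queries for GDPR readiness (added example).

The data model below is hypothetical: groups expand to users, ACL entries
map a user or group to an access level, and audit events are tuples of
(timestamp, actor, action, target, detail). Real IAM exports differ.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data: group memberships and per-resource ACLs.
GROUP_MEMBERS = {
    "hr-team": {"alice", "bob"},
    "it-admins": {"carol"},
    "all-staff": {"alice", "bob", "carol", "dave"},
}
ACLS = {  # resource -> {user or group: level}
    "hr/payroll.xlsx": {"hr-team": "read", "it-admins": "full", "dave": "read"},
    "shared/handbook.pdf": {"all-staff": "read"},
}
# Need-to-know baseline: which groups are expected to reach personal data.
NEED_TO_KNOW = {"hr/payroll.xlsx": {"hr-team", "it-admins"}}
LEVEL_RANK = {"read": 1, "write": 2, "full": 3}

# Constructed audit events: (timestamp, actor, action, target, detail).
EVENTS = [
    ("2018-03-01T09:00:00", "carol", "acl_change", "hr/payroll.xlsx", "grant dave read"),
    ("2018-03-01T09:05:00", "dave", "file_read", "hr/payroll.xlsx", ""),
    ("2018-03-01T09:06:00", "alice", "file_read", "hr/payroll.xlsx", ""),
    ("2018-03-01T10:00:00", "mallory", "login_failed", "sso", "bad password"),
    ("2018-03-01T10:00:05", "mallory", "login_failed", "sso", "bad password"),
    ("2018-03-01T10:00:10", "mallory", "login_failed", "sso", "bad password"),
    ("2018-03-02T08:00:00", "bob", "file_read", "hr/payroll.xlsx", ""),
]


def effective_access(acls, groups):
    """Expand group ACL entries to users; keep the highest level per resource."""
    report = defaultdict(dict)
    for resource, entries in acls.items():
        for principal, level in entries.items():
            for user in groups.get(principal, {principal}):
                current = report[user].get(resource)
                if current is None or LEVEL_RANK[level] > LEVEL_RANK[current]:
                    report[user][resource] = level
    return dict(report)


def excessive_access(acls, groups, need_to_know):
    """Users who can reach a resource without belonging to a need-to-know group."""
    effective = effective_access(acls, groups)
    findings = []
    for resource, allowed_groups in need_to_know.items():
        allowed_users = set().union(*(groups.get(g, {g}) for g in allowed_groups))
        for user, resources in effective.items():
            if resource in resources and user not in allowed_users:
                findings.append((user, resource, resources[resource]))
    return sorted(findings)


def activity_before(events, resource, cutoff):
    """Who read `resource`, and who changed its ACL, strictly before `cutoff`."""
    cutoff_dt = datetime.fromisoformat(cutoff)
    readers, acl_changes = set(), []
    for ts, actor, action, target, detail in events:
        if target != resource or datetime.fromisoformat(ts) >= cutoff_dt:
            continue
        if action == "file_read":
            readers.add(actor)
        elif action == "acl_change":
            acl_changes.append((ts, actor, detail))
    return {"readers": sorted(readers), "acl_changes": acl_changes}


def failed_login_bursts(events, threshold=3, window_seconds=60):
    """Actors with at least `threshold` failed logins inside a sliding window."""
    per_actor = defaultdict(list)
    for ts, actor, action, _target, _detail in events:
        if action == "login_failed":
            per_actor[actor].append(datetime.fromisoformat(ts))
    flagged = {}
    for actor, times in per_actor.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[actor] = best
    return flagged


if __name__ == "__main__":
    print("effective access:", effective_access(ACLS, GROUP_MEMBERS))
    print("excessive access:", excessive_access(ACLS, GROUP_MEMBERS, NEED_TO_KNOW))
    print("before incident:", activity_before(EVENTS, "hr/payroll.xlsx", "2018-03-02T00:00:00"))
    print("failed-login bursts:", failed_login_bursts(EVENTS))
```

The point of the sample data is the finding it produces: dave was granted direct read access to the payroll file by carol, which an entitlement report derived from group membership alone would miss, and the audit trail shows he read it minutes later. That is the kind of narrowed-down, actionable output the list calls for, rather than a dump of every event on the network.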
WHY SAFEWHERE?
Safewhere solutions offer native integration between the various identity and access management products, which in particular allows user password management to be eliminated, while access control can be reinforced with strong authentication methods adapted to the usage scenario. In this way, security both protects the company and improves its agility. Our access management solutions can be hosted inside or outside the company while remaining under the company’s control.
Safewhere offers a single sign-on experience for any type of user, on any device, for any application wherever it runs, using any authentication method, such as AD credentials, national IDs and social media IDs. Single sign-on is not only a convenience for users; more importantly, it is cost effective, adds security, saves resources and helps with compliance with regulations such as the GDPR. Features relevant to the GDPR:
Reporting: Our reporting capabilities allow you to provide standardized reports to internal and external auditors showing who accessed which services, from where and at what time.
Security Monitoring: All changes are tracked and audited, giving you a complete overview of user access across your environment.
Provisioning: Safewhere lets you provision users in a structured manner, which reduces provisioning errors and significantly cuts the time spent on joiner, mover and leaver changes.
Under the GDPR, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, no later than 72 hours after the company becomes aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). It is the reporting company that must make and document that risk assessment. Preparation is needed, because you will have to demonstrate that everything is in place to respond to a breach. The ability to run instant reports on what data has been affected, how and when it was lost, and who had access to it and when, is crucial. Affected individuals must be notified when the breach is likely to result in a high risk to them, unless the data was rendered unintelligible to unauthorized parties, for example by encryption (Article 34). Safewhere offers you reports on what data has been accessed and when, including failed login attempts. Controlling user provisioning is key in this process.
ABOUT SAFEWHERE
Safewhere is a Danish software provider specializing in Identity and Access Management. The company was founded in 2012, with the aim to deliver a technology-leading platform for federated identity management.
The Safewhere platform is one of the most comprehensive and flexible federated identity management solutions in the market. It handles all the complexity of connecting an organization’s users and applications and managing the users’ access rights.