How to Prepare for the New EU Data Protection Regulation?
A new and stricter EU data protection framework, the General Data Protection Regulation (GDPR), comes into force in less than two years: it applies from 25 May 2018.
But how will the GDPR affect your business and what can you do to prepare for it? In this article, we provide an overview of some of the highlights in the GDPR and explain how Identity and Access Management (IAM) can help you close security gaps and ensure compliance.
If your organization stores personal data about customers, users, or other stakeholders, you must decide on an approach for complying with the GDPR. How you protect this data is directly tied to your organization’s reputation, legal responsibility, and financials.
In the worst cases, an infringement can mean heavy fines: up to 20 million euro or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
There are some key areas that you need to start focusing on now to ensure that you comply with the new requirements:
- The GDPR tightens the rules for obtaining valid consent to use personal data.
Where you rely on consent as the legal basis for processing, you must be able to demonstrate that the data subject gave clear, affirmative consent to the processing of their personal data.
- The GDPR requires public organizations and certain private companies to appoint a data protection officer.
You must make sure that someone in your organization, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support, and authority to do so.
- The GDPR introduces “the right to be forgotten.”
You must not hold personal data for longer than necessary for the purpose it was collected for, and you are not allowed to use it for other purposes. In addition, you must erase a data subject's personal data on request when one of the grounds in the Regulation applies (for example, the data is no longer needed, or the data subject withdraws consent), subject to the exceptions the Regulation lists.
- The GDPR requires privacy by design and privacy by default.
You must ensure that privacy is embedded into any new process or software product that you deploy and establish a culture of monitoring, reviewing, and assessing your data processing procedures.
- The GDPR enhances data breach notification requirements.
You must establish clear policies and procedures so that you can react quickly to any personal data breach: notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and inform the affected data subjects when the breach is likely to result in a high risk to them.
- The GDPR places accountability obligations on data controllers to demonstrate compliance.
You must ensure that you have clear policies in place to prove that you meet the required standards. You should be able to document what data you hold, where it came from, and who you share it with.
What Can I Do to Prepare?
In short, you need to make sure that any personal data you collect is used only for the purposes stated in your privacy statement and is accessible only to individuals who have been explicitly granted access to it.
To ensure this, you have two main types of access conditions to consider; internal access and external access:
- The internal access requirement means that the collected data must not be available to all your employees. Only those with a valid business reason should have access, and only to the parts of the data they need. In practice this means that specific people, or specific roles, within your organization are authorized to view and work with the data, and everyone else is denied by default.
- The external access requirement means that you should be able to grant your users access to their own data, while keeping that data well protected from everyone else. The strength of the login must match the sensitivity of the data: protecting a data set containing credit rating information, Social Security numbers, and the like behind a social login alone is, obviously, a bad idea.
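As an added illustration of these two access conditions (example code written for this article, not Safewhere's product or any code from the original page), the following deny-by-default check combines three decisions: an internal caller may read only the fields its role is entitled to, an external caller may read only the record they are the subject of, and fields such as a credit rating or national ID number are released only to sessions authenticated with more than a social login. The role names, authentication levels, field names and the sample record are all constructed assumptions for the example; every decision is appended to an audit log so data usage can be reviewed afterwards.

```python
"""Added example, not code from the original article or from Safewhere:
a deny-by-default authorization check for personal data records.
Roles, authentication levels, field names and the sample record are
constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """How strongly the caller's identity was verified at login."""
    SOCIAL = 1    # identity asserted by a third-party social provider
    PASSWORD = 2  # first-party credential
    MFA = 3       # password plus a second factor


@dataclass(frozen=True)
class Principal:
    subject_id: str
    auth_level: AuthLevel
    roles: frozenset = frozenset()  # empty for external users (data subjects)


@dataclass(frozen=True)
class Record:
    owner_id: str   # the data subject this record is about
    fields: dict    # field name -> value


# Fields whose disclosure requires a stronger login than social sign-on.
SENSITIVE_FIELDS = frozenset({"credit_rating", "national_id"})

# Internal roles and the fields each may read (least privilege per role).
ROLE_FIELDS = {
    "support": frozenset({"name", "email"}),
    "credit_analyst": frozenset({"name", "email", "credit_rating", "national_id"}),
}

AUDIT_LOG = []  # (caller, record owner, requested fields, decision)


class AccessDenied(Exception):
    pass


def authorize_read(principal: Principal, record: Record, requested) -> dict:
    """Return the requested fields of `record`, or raise AccessDenied.

    Every path that does not explicitly allow ends in a denial, and every
    decision (allow or deny) is written to AUDIT_LOG."""
    requested = frozenset(requested)
    try:
        if not requested <= frozenset(record.fields):
            raise AccessDenied("unknown field requested")
        # Sensitive fields require a multi-factor login, whoever asks.
        if requested & SENSITIVE_FIELDS and principal.auth_level < AuthLevel.MFA:
            raise AccessDenied("sensitive fields require multi-factor login")
        if principal.roles:
            # Internal access: the union of the caller's role entitlements.
            allowed = frozenset().union(*(ROLE_FIELDS.get(r, frozenset()) for r in principal.roles))
            if not requested <= allowed:
                raise AccessDenied("role does not cover the requested fields")
        elif principal.subject_id != record.owner_id:
            # External access: a data subject may read only their own record.
            raise AccessDenied("caller is not the data subject of this record")
        AUDIT_LOG.append((principal.subject_id, record.owner_id, sorted(requested), "allow"))
        return {f: record.fields[f] for f in requested}
    except AccessDenied as exc:
        AUDIT_LOG.append((principal.subject_id, record.owner_id, sorted(requested), f"deny: {exc}"))
        raise


def is_denied(principal: Principal, record: Record, requested) -> bool:
    """True if the read would be refused; convenient for checks and tests."""
    try:
        authorize_read(principal, record, requested)
    except AccessDenied:
        return True
    return False


# Constructed sample record (not real data).
ALICE_RECORD = Record("alice", {
    "name": "Alice",
    "email": "alice@example.org",
    "credit_rating": "A",
    "national_id": "123456-7890",
})


if __name__ == "__main__":
    analyst = Principal("carol", AuthLevel.MFA, frozenset({"credit_analyst"}))
    print(authorize_read(analyst, ALICE_RECORD, ["name", "credit_rating"]))
    print(is_denied(Principal("alice", AuthLevel.SOCIAL), ALICE_RECORD, ["credit_rating"]))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of structuring the check this way is that the sensitive-field rule applies before the role and ownership rules, so a support employee with a weak login and a data subject who signed in through a social provider are both refused the same fields for the same reason, and the audit log records who asked for what, not just who succeeded.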
Keeping control of all your users and their access to applications, and monitoring that access and the use of the data behind it, is exactly what Identity and Access Management is about. An Identity and Access Management solution consists of these four elements:
- Identifying users
- Controlling user access
- Determining user privileges
- Delegating administrative authorities
We might be biased, but in our opinion, there is no question that if you want to be prepared for complying with the GDPR (and for many other reasons), you should start looking into Identity and Access Management.
Need any advice on how to get started with IAM or simply want to know more about the subject? Don’t hesitate to contact Safewhere at:
+45 7199 9007 or email@example.com