It’s happened. GDPR has arrived. The end is nigh.
Actually, it’s not quite that dire, but that’s what it feels like. We all saw the European Union’s newest data protection regulation coming like a train around a bend, but now that it is actually here, few seem to truly know what to do. The time to prepare is over, so now the threat of heavy fines and legal fees from a regulatory compliance failure looms over us all—ready to strike at any moment. And with only a small percentage of enterprises adequately prepared, such a strike may come sooner rather than later.
In that spirit, and given that identity is the most important aspect of cybersecurity, we thought it would be beneficial to examine how identity and access management vendors are reacting to GDPR as well.
In the context of GDPR, identity and access management serves as a mechanism for ensuring consumer data privacy and digital consent. Although enterprises are ultimately responsible for the storage and utilization of their clients’ and customers’ data under GDPR mandates, identity and access management helps ensure that access to that data is as agreed upon by the consumer and in the proper context.
In particular, identity governance and administration solutions can help record user consent and process personal data, and handle denials of data processing authorized under GDPR. Thus, there is a lot of responsibility on identity and access management vendors to perform their functions reliably.
We chose some of the voices in identity and access management, selected at random to preserve vendor neutrality, to hear what advice they had on GDPR:
Simeio reminds readers that there is no such thing as “final” GDPR preparation. In their (accurate) opinion, GDPR is a marathon, not a sprint; your enterprise will need to constantly re-examine your privacy and data protection standards to ensure full compliance.
Furthermore, if you haven’t already, you will need to find a data protection officer (DPO) who manages GDPR compliance and ensures accountability in your IT environment.
After that, Simeio notes that your enterprise should already be monitoring where your data is and where it is moving to and from, thus ensuring nothing is violating compliance. Consumers are becoming more aware of their privacy rights; the backlash from a GDPR compliance violation may not just be legal…
Part of the challenge enterprises will face in maintaining GDPR, according to Ping Identity, is maintaining adequate consent—as Facebook and Google learned the hard way already.
But Ping notes there is also the requirement for governance in GDPR: data access processes must be enforced on an app-by-app basis. It has to take each individual user’s privacy permissions and corporate requirements into account when utilizing data. This will require granular control over applications so that only the necessary parts of identity attributes are used. Make sure your GDPR protocols can do this.
OneLogin wants to note that the privacy requirements under GDPR require enterprises to provide clear contract language covering data breach notification, the use of subcontractors, and the responsibility of data processors, among other points.
Indeed, contract clarity is one of the key areas of enterprise activity GDPR seeks to regulate. Privacy details and data usage can no longer be buried in old-school labyrinthine user contracts. They need to be understandable and obvious to users, and they need to allow some degree of choice in how their data is used. Check to make sure you are doing so and are following through on these agreements.
Crossmatch points out that not only do you need to have clear and immediate (within 72 hours from discovery) language in the event of a data breach at your enterprise; there are also stricter cybersecurity requirements in place—weak credentials could result in heavy GDPR fines. You’ll need much stronger authentication techniques on your databases and assets, which identity and access management solutions can provide.
Additionally, Crossmatch recommends you conduct a data security audit on your IT environment, designate the employees who will handle data requests, and generally make sure all of your employees are aware of GDPR compliance mandates. This could be the ounce of prevention your enterprise needs.
One of the most important lessons Centrify shares with its readers is not to panic. Yes, the deadline for enforcement has come and gone, but Centrify believes that the biggest fines will be reserved for the most negligent breaches or most deliberate violations. You should still make sure you are on track for GDPR compliance, but the situation is not hopeless if you are behind and are making a good effort.
Centrify also recommends that you check on your supply chain partners, who can drag your enterprise down with them in a GDPR compliance failure.
(Editor’s Note: Neither this article nor the Centrify article referenced above constitutes legal advice. Please speak to your attorneys about achieving GDPR compliance as soon as possible and your legal liability on such).