It seems that there’s a lot of work to do before May 2018, when the new GDPR (General Data Protection Regulation) comes into effect.
The new law requires organizations across the EU as well as those located elsewhere, provided they target EU citizens – including a significant chunk of companies in the US – to meet new standards for the protection of personal data through identity access management. Fines for a breach of the new regulations are substantial, as regulators can charge up to 4% of total annual worldwide turnover or €20,000,000.
Are we ready for the new law? The answer is a resounding no. According to a report released by Blue Coat Systems’ Elastica Cloud Threat Labs, 99% of 15,000 apps that they analyzed do not provide sufficient security, compliance control, and features to protect enterprise data effectively in the cloud. And according to a global survey by Dell, 80% of IT and business professionals say they know very little about GDPR, while 97% say they have no GDPR readiness plan in place.
GDPR readiness cannot be achieved overnight. It involves a careful process. More specifically, according to a 16-page overview of the new law and its ramifications by Ernst & Young, it includes taking very specific steps to ensure security measures comply with the new regulations, which relate to issues related to concerns about accountability, consent, breach notification, and individual rights. In short, organizations are required to implement effective IAM and authorization policies.
So it’s time to get cracking. With the steep financial penalties of GDPR, nobody can afford to let customer data reach the wrong people through mismanagement or due to a breach. There is no way around it: To prevent expensive losses, customer data needs to be secured properly through reliable identity governance.
Here are 5 essential tips to get you started with your own company’s plan for GDPR readiness:
Find out what data you already have, where it is, and what you need to do to ensure compliance. Most of today’s data is unstructured, i.e., it is managed by end users and can be stored anywhere, including on cloud storage services (such as Box.net) and collaboration portals (like SharePoint). Take proactive steps to map out where customer information is currently located within your organization, and which data legally requires protection.
If an organization conducts large-scale, systematic monitoring of data subjects, or if it processes significant quantities of sensitive, personal data, it must appoint a Data Protection Officers (or DPOs). By law, the DPO must be independent from the organization that funds the position. A statement by the International Association of Privacy Professionals (IAPP) issued in November 2016 estimates that as many as 75,000 DPOs will be needed globally by 2018, to handle the EU law – including 9,000 DPOs for companies or organization in the US.
Most large institutions are investing as much as 30 percent or more of their information security budget in IAM. To ensure that this is a well-spent investment, it’s essential to ensure that the new systems include the necessary Authorization recertification capabilities. Recertification is the essential piece, as it facilitates compliance with data regulations not just at the initial stage, but on an ongoing basis.
If you want your IAM program to be deployed successfully, do not ignore any of your stakeholders. Good process and engagement with multiple stakeholders from the get-go ensures that the new IAM program takes into account everyone’s needs and creates greater support for IAM throughout the organization.
In particular, keep in mind that executives have a strong stake in implementing an effective IAM, because of the potentially exorbitant costs of a data breach. HR managers, as well, should be particularly involved in this process because of their need for an IAM system that supports the seamless onboarding and offloading of employees – including the ability to handle identity access management effectively when employees shift to new roles.
In the age of GDPR, every American company that works with Europe needs an effective platform in place for authentication and authorization that provides granular access control.
Prevention-only models are no longer enough. Security models need to evolve to ensuring detection and remediation methods. Each organization needs to establish a means of protecting access to GDPR-related data, through fine-grained, governance-based identity management solutions that cover data both on-premises and in the cloud, such as Policy-Based Access Control (PBAC) – a combination of ABAC and RBAC.
PBAC, which is contextually based and is easier to manage than RBAC or ABAC, allows companies to implement identity access management based on abstract policy that combines attributes from the resource, the environment, and the requester with a review of the specific circumstances.
Enhancing your IAM to fit the demands of GDPR – before May 2018 – is essential. A solution such as PlainID, which supports multiple identity types and sources, is the key piece in developing a system that can keep up with the stringent requirements of the new law.