20 December 2021
Early 2018 was a time of concern for companies doing business in the EU. The May 25th deadline for compliance with the General Data Protection Regulation (GDPR) was approaching, and most companies were not ready. One reason was cost: 83% of the companies surveyed expected to spend at least $100,000 on compliance, and 17% anticipated costs of over $1 million.
There were also fears of draconian fines for non-compliance. Even less apocalyptic forecasters, such as Chris Babel, warned that unprepared companies were “going to have surprises” as they rushed to comply.
The GDPR was designed to protect the privacy of individuals' personal data (the regulation's own term; this post uses Personally Identifying Information, PII) as a fundamental right. Every sector is affected, with financial and medical organizations, which collect and use the most sensitive categories of personal data, facing the highest bar. The GDPR requires that personal data be safeguarded by appropriate technical and organizational measures (Article 32) and, by default, be subject to the strictest protection and authorization settings (Article 25, data protection by design and by default). Additionally, a business that becomes aware of a personal data breach must notify its supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals (Article 33). These are challenging requirements that demand auditability and transparency of data access across the entire application portfolio.
Interestingly, it was not until the second half of 2019 that significant fines for non-compliance appeared, and the largest arose from data lost through malicious attacks rather than from deliberate misuse: in July 2019 the UK ICO announced its intention to fine British Airways £183 million over the 2018 compromise of its website (the penalty finally imposed in October 2020 was £20 million), and the US FTC fined Facebook $5 billion over the Cambridge Analytica affair (a US settlement, not a GDPR fine). Google is also currently under investigation by the Irish Data Protection Authority for unauthorized data collection. The EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, has made it clear that fines are far from her top priority. Companies did take notice of the new regulations, with Facebook “launch[ing] a range of tools to ‘put people in more control over their privacy.’” Companies are issuing online statements about their use and protection of PII and taking other measures to win consumer “buy-in” for privacy measures. But these measures are insufficient to protect the data, because they are more often than not enforced through manual or procedural controls rather than the technical enforcement that a policy-based access control solution can provide.
One issue that did emerge this year was the need to service Data Subject Access Requests (DSARs). Consumers could make such requests before the GDPR, but the regulation now requires companies to respond free of charge and, as a rule, within one month of receipt (Article 12), with at most a two-month extension for complex or numerous requests. Meeting these requirements pushes companies to improve their IAM solutions as part of compliance. Answering a DSAR correctly and efficiently depends on knowing where a person's data is stored and who is accessing it, for what reason. That metadata requires an IAM solution designed both to provide granular authorization, which GDPR compliance needs in general, and to record the accounting metadata that shows which identities are accessing which resources, at a granular level.
Certainly, the data protection compliance and attestation process is far from over. Many companies are still not compliant, and the window for remaining non-compliant without consequences is closing as jurisdictional Data Protection Authorities gain a better understanding of the GDPR and how to enforce it. Security expert Mark Schreiber estimates that “50 percent of covered companies are still in the process of GDPR compliance and it will likely go on for another couple of years.”
Companies are still making the organizational changes they need to make, including appointing a data protection officer responsible for the company's effort to protect PII, which can be required even of companies not headquartered in the EU. However, they have been slow to research the technical solutions available to embed data privacy controls. Thus, even companies actively working to comply with the GDPR are struggling to understand how access and authorization solutions can close the GDPR compliance gaps.
Other jurisdictions are following the EU's lead, with similar laws being enacted in the US. The California Consumer Privacy Act (CCPA) has influenced other states to consider and, in many cases, enact similar legislation, and the fact that different states have different rules makes the IAM challenges for companies doing business in America more complex. Japan has also passed legislation similar enough to the GDPR that the EU and Japan adopted mutual adequacy decisions in January 2019, allowing personal data to flow between the two; that arrangement is likely to influence other nations' privacy rules.
Although it has not produced the gloom-and-doom scenarios some predicted, the GDPR is here to stay and is likely to lead to more legislation and regulation affecting access control and authorization. The regulation already requires many organizations to appoint a Data Protection Officer, who must work with the Security and Chief Data Officer teams to create clear authorization and other IAM privacy-related data policies that can accommodate the GDPR.
This environment requires a robust, flexible Policy-Based Access Control (PBAC) solution. PBAC is an authorization model in which roles and attributes are combined with logic to create flexible, dynamic access policies. PBAC is designed to support all manner of access devices and is generally considered the most flexible authorization approach. Its policies can be written as statements close to natural language and put into effect immediately. That makes PBAC a reliable, efficient compliance tool, since the same user can be subject to different authorization rules for specific data resources depending on location, time of day or other attributes, an agile and dynamic capability that Role-Based Access Control, which decides on role membership alone, does not have. The same flexibility also makes PBAC adaptable to new rules: a data policy that can be stated clearly in words can usually be expressed directly as an enforceable policy.
Additionally, PBAC fully supports re-certification, as well as other governance requirements. For example, suppose you have set up delegated authorization granting a third party's employees access to part of your network. If one of those workers completes the assignment but still tries to log in, PBAC's runtime authorization denies access, because the decision is evaluated on every request against the worker's current attributes (such as an assignment end date) rather than against a role granted at onboarding. The caveat is that this only holds if the attribute source, typically the HR or contractor management system, is actually updated when the assignment ends; the policy engine is only as current as the attribute feeds it reads. Moreover, because PBAC policies can be written in terms close to natural language, companies can express the transparent policies the GDPR calls for, such as “Clerks may only see the last 4 digits of a customer's ID number.”
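The following Python sketch is an added illustration, not the product or code this post describes, of the two examples above as runtime policy evaluation: an expired contractor is denied at request time because the decision reads the current `contract_end` attribute rather than a role granted at onboarding, a clerk receives the record with the ID number masked to its last four digits, and a manager sees the full record only from the office network during business hours. The policy names, attribute names, roles and the customer record are all made up for the example, and every decision is written to an audit list as the kind of accounting metadata a DSAR answer needs.

```python
"""Minimal policy-based access control (PBAC) evaluator: an added illustration for this post,
not the product or code it describes. Policy names, attributes and records are made up.
A request is decided at runtime from the subject's current attributes, the resource and the
environment, with deny-overrides combining and an optional masking obligation on permit."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Callable, Dict, List, Optional

@dataclass
class Request:
    subject: dict   # e.g. {"id": "u-ctr1", "role": "contractor", "contract_end": date}
    resource: dict  # e.g. {"id": "cust-42", "type": "customer_record", "data": {...}}
    action: str     # e.g. "read"
    env: dict       # e.g. {"time": datetime, "network": "office" or "vpn"}
    purpose: str    # stated purpose of access, kept for accounting

@dataclass
class Decision:
    effect: str     # "permit" or "deny"
    policy: str     # name of the policy that produced the decision
    mask: Dict[str, Callable[[str], str]] = field(default_factory=dict)  # field -> masker

@dataclass
class Policy:
    name: str
    applies: Callable[[Request], bool]  # condition over subject, resource and environment
    effect: str
    mask: Dict[str, Callable[[str], str]] = field(default_factory=dict)

def mask_last4(value: str) -> str:
    """Keep only the last four characters: '123456789' -> '*****6789'."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else value

def contract_expired(r: Request) -> bool:
    end: Optional[date] = r.subject.get("contract_end")
    return r.subject["role"] == "contractor" and end is not None and end < r.env["time"].date()

def office_business_hours(r: Request) -> bool:
    return r.env["network"] == "office" and 8 <= r.env["time"].hour < 18

def reads_customer(r: Request) -> bool:
    return r.action == "read" and r.resource["type"] == "customer_record"

POLICIES: List[Policy] = [
    # A contractor whose assignment has ended is denied; re-checked on every request.
    Policy("expired-contractor", contract_expired, "deny"),
    # "Clerks may only see the last 4 digits of a customer's ID number."
    Policy("clerk-read-masked", lambda r: r.subject["role"] == "clerk" and reads_customer(r),
           "permit", mask={"id_number": mask_last4}),
    # Managers see the full record, but only from the office network in business hours.
    Policy("manager-read-full", lambda r: r.subject["role"] == "manager" and reads_customer(r)
           and office_business_hours(r), "permit"),
    # Active contractors get the same masked view as clerks.
    Policy("contractor-read-masked", lambda r: r.subject["role"] == "contractor" and reads_customer(r),
           "permit", mask={"id_number": mask_last4}),
]

# Accounting metadata: which identity accessed which resource, when, why, and the outcome.
AUDIT_LOG: List[dict] = []

def authorize(req: Request, policies: List[Policy] = POLICIES) -> Decision:
    """Deny-overrides: any applicable deny wins, else the first applicable permit, else deny."""
    applicable = [p for p in policies if p.applies(req)]
    denies = [p for p in applicable if p.effect == "deny"]
    chosen = denies[0] if denies else (applicable[0] if applicable else None)
    decision = (Decision(chosen.effect, chosen.name, dict(chosen.mask)) if chosen
                else Decision("deny", "default-deny"))
    AUDIT_LOG.append({"subject": req.subject["id"], "resource": req.resource["id"],
                      "action": req.action, "purpose": req.purpose, "time": req.env["time"].isoformat(),
                      "decision": decision.effect, "policy": decision.policy})
    return decision

def read_record(req: Request) -> Optional[dict]:
    """Enforce the decision: the (possibly masked) record on permit, None on deny."""
    decision = authorize(req)
    if decision.effect != "permit":
        return None
    view = dict(req.resource["data"])
    for name, fn in decision.mask.items():
        if name in view:
            view[name] = fn(view[name])
    return view

CUSTOMER = {"id": "cust-42", "type": "customer_record",  # constructed sample record
            "data": {"name": "A. Example", "id_number": "123456789"}}
NOON = datetime(2021, 12, 20, 12, 0)  # constructed request time, inside business hours

def demo() -> Dict[str, Optional[dict]]:
    """Run five constructed requests and return each caller's view of the record."""
    def req(subject: dict, network: str, purpose: str) -> Request:
        return Request(subject, CUSTOMER, "read", {"time": NOON, "network": network}, purpose)
    ended = {"id": "u-ctr1", "role": "contractor", "contract_end": date(2021, 11, 30)}
    active = {"id": "u-ctr2", "role": "contractor", "contract_end": date(2022, 6, 30)}
    manager = {"id": "u-mgr", "role": "manager"}
    return {
        "clerk": read_record(req({"id": "u-clerk", "role": "clerk"}, "office", "billing")),
        "expired_contractor": read_record(req(ended, "vpn", "support")),
        "active_contractor": read_record(req(active, "vpn", "support")),
        "manager_vpn": read_record(req(manager, "vpn", "escalation")),
        "manager_office": read_record(req(manager, "office", "escalation")),
    }
```

Calling `demo()` returns the masked record for the clerk and the active contractor, `None` for the expired contractor (the deny policy overrides the contractor permit) and for the manager on VPN (no applicable policy, so default deny), and the full record for the manager in the office; `AUDIT_LOG` then holds one entry per request with the identity, resource, purpose, time, outcome and deciding policy. The deny for the expired contractor only works because `contract_end` is read at request time, which is the practical point: the engine's decisions are only as current as the attribute source it reads.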
To learn more about how PBAC makes it easy to comply with GDPR and other regulations, schedule a demo.