The General Data Protection Regulation (GDPR), passed by the EU in 1996, is “the most important change in data privacy regulation in 20 years” according to the EU’s GDPR website. It was enacted as a badly needed update the 1995 Data Protection Directive that was not only written prior to the revolutionary explosion of big data and internet use, but is only a directive as opposed to a regulation. This difference is key. As a regulation, the GDPS obligates a broad range of actors and contains serious sanction mechanism.
Should they not have done so already, these sanction mechanisms really ought to catch the attention of all senior management of organizations that have anything whatsoever to do with European data, including those outside of Europe to whom the regulation still legally applies. Using a tiered approach, the GDPR mandates fines of 4% of annual global turnover or €20 million (whichever is greater) for the most serious infringements. So not only does the GDPR aim to establish norms of data privacy and protection as a way to unify approaches to data privacy and security, it carries the big stick of sanctions that will come into force on May 25, 2018.
While this blog entry focuses specifically on the GDPR, it is worth approaching the GDPR as part-and-parcel of your enterprise’s general approach to protecting its digital assets, especially as related to things like IAM policies and recertification processes. This is for two reasons:
The first is that the GDPR is the practical expression of a broader idea: privacy by design and by default. This idea proposes that both organizational practices and technical means be integrated at all levels of an enterprise in order to ensure that individuals’ data is collected and used only as individuals specifically permit. In practice, compliance with the norms established under the principle of privacy by design and data protection by default, the norms which GDPR mandates, requires broad buy-in throughout an enterprise.
Compliance cannot be achieved by the legal and information security teams alone. Instead, it requires a comprehensive organizational culture and approach whereby all who engage with data integrate the norms of data protection into their practice. This can be demonstrated by the existence of things like internal data protection policies that could include staff training, and internal audits of processing activities. Other measures that can meet the principles of privacy by design and protection by default include: data minimization, pseudonymization; transparency; and allowing individuals to monitor processing. All of this needs to be supported by robust IAM systems that are able to manage the complexity and challenges linked to the expanded cloud--namely access technology fragmentation and multiple locations of decision points.
The second, and equally important reason, is that, as Kathryn Cave, editor at IDG Connect points out, “GDPR is not the only piece of legislation out there. GDPR will also interact with other specific local laws like the UK Investigatory Powers Act, the EU Information Systems (NIS) Directive and US Privacy Shield law.”
Given that the obligations are legally mandated, it is imperative to ensure the requisite documentation of data protection activities at all levels of enterprise activity for regulatory inspection. Under GDPR, if your enterprise has more than 250 employees, you must maintain additional internal records of your processing activities. Should your enterprise have fewer than 250 employees, you are required to maintain records of activities related to what is called “higher risk processing” that involves: processing personal data that could result in a risk to the rights and freedoms of individual; or the processing of special categories of data or criminal convictions and offences. GDPR also mandates that you have a demonstrable capacity to test the effectiveness of your security measures.
As Paul Trulove, VP Product Management of Sailpoint, writes:
First develop a complete picture of where customer data required to be protected under GDPR exists within your organization. It may be in structured systems such as applications or databases, or it may reside in files located on file systems, collaboration portals (such as SharePoint) or even in cloud storage systems (such as Box or GoogleDrive).
Second, understand who should have access to customer data and reconcile with it with who does. This should be an ongoing process, not a one-time event. Make sure to include all applications and file storage platforms where you are actively keeping customer data.
[Third], design identity governance controls to protect access to GDPR-related data as users join, leave or move to different roles within the organization.
This is very prescient advice which takes into account the extraordinary complexity of coping with multiple decision points and the elimination of the physical network perimeter that is being driven by the cloud and the growth in SaaS. The higher stakes of the failure of data protection systems (fines under GDPR, but also potential damage to enterprise reputation) means that things like authorization recertification needs to be reviewed and brought into compliance.
In preparing for GDPR compliance, I have tried to emphasize the need for a holistic approach that looks at policies, the establishment of norms and good practices at all levels of your enterprise and also ensures that the technological infrastructure serving your enterprise supports compliance.
PlainID can help you achieve GDPR compliance, by providing a business based policy layer on top of finer-grained access controls for all your access decisions. In addition we provide a unified view of access to organizational assets and data, with in-depth analytics and insights, supporting compliance and audit requirements. To find out more: