GDPR, Automating Identity Management, and (Finally) Getting Identity Right
Why GDPR demands good data access governance and automation, and why that’s a good thing
There’s a lot at stake for organizations around the world when it comes to GDPR compliance. The EU General Data Protection Regulation aims to ensure EU citizens’ privacy rights, modernize privacy laws, and unify 28 privacy laws in the EU. And, as history shows, the EU Commission doesn’t shy away from levying significant fines.
Organizations that only think GDPR applies to those in the EU are in for a surprise. Consider how the California Security Breach Information Act (SB-1386), which went into effect in July of 2003, didn’t just affect California-based organizations, but also any organization in the United States that held and lost control of certain data relating to California residents.
Just like Californian’s data breach disclosure law had national impact because it didn’t matter where the data resided – but that a California resident’s data was breached – so too does the GDPR. Since the law applies to EU citizen’s data, any organization that manages data on EU residents must comply. And there isn’t a pass for data stored outside the EU.
The GDPR includes the following new directives:
- EU citizens’ personally identifiable information (PII) must be adequately protected, managed, and controlled.
- Data breaches must be reported within 72 hours.
- Non-compliant organizations are at risk of significant fines, from 4 percent of annual revenue to €20 million.
While the ideal is obvious — the best way to avoid getting caught up in any GDPR drama is to avoid getting breached — it’s just not a realistic and complete plan. The reality is that any organization will be breached at some point. The difference will be the degree of the breach and the response to the breach. The important thing for all organizations is to minimize the ability of the attacker and to swiftly detect and respond to any data breach.
This is why identity management is so important when it comes to GDPR and good security more broadly. Effective identity management helps to protect systems, helps to inform when systems might be under assault, and enables organizations to see who can access what resources and how those resources are being used.
The problem for many organizations is that their identity management capabilities aren’t yet at an effective level. Many still don’t have their identity programs where they need to be, let alone where they’d like them to be. They don’t know where their most valuable information resides, and many of the processes around adding, managing, and removing users are manual. This is certainly not good under any circumstances today, but especially bad when it comes to attaining GDPR compliance.
The first step for any organization is to understand who its users are, what those users should have access to for their jobs, as well as where sensitive and regulated data resides. For GDPR, this means EU citizens’ PII. There’s no way to build an effective identity management program without being able to assign data to its owners and control who can have access to that data. Surprisingly, many organizations don’t have a good handle on where their data resides, especially if that data resides in unstructured files like PDFs and files. There may have been excuses for this years ago, but today regulations and good security demands it, and there is little excuse when there are tools that will help to automatically identify and classify data across the environment.
When it comes to managing access to data, the IT team needs to be able to see all user access permissions and understand their data as well as where it resides, so that they can make the right access and data management decisions. This can include changing permissions because a user’s role has changed, or removing old data that is no longer needed, and trimming access permissions that are no longer appropriate for a user and adding those that are.
If there was ever a time when manual processes could keep up with these tasks – and I doubt there has been in decades – we are certainly past those days now. And, today, (thanks to GDPR, but it’s also good for security) the least privilege principle must be applied to data that falls under GDPR, and if policy is seen to have been violated it must be remedied immediately.
That requires that the provisioning and de-provisioning of access happens as a normal course of business, and automation makes certain that capabilities such as self-service access requests and automated access certification can occur as they should. Perhaps most importantly, beyond GDPR compliance, is that all of the enhanced data and user access information will better inform security-monitoring tools, such as security information and event managers, so security teams can make better decisions.
While many organizations are dreading the rapidly approaching May GDPR deadline, those that take the opportunity to build a better identity management program will certainly be better off in the long run. In fact, much of what we are discussing now are capabilities enterprises should have put into place years ago.