The battle for privacy over personal data took an important step forward last week with the EU’s approval of the General Data Protection Regulation. The new law dramatically changes how organizations approach protecting customer data. Not only does it give individuals in the EU better control over when their personal information is collected and how it will be used, but it also includes significant financial penalties if companies fail to protect the data they have collected. These penalties can reach 4% of a corporation’s global annual turnover (or €20 million, whichever is higher), a “stick” that will definitely get the attention of senior management teams.
While it protects only the personal data of people in the EU, any organization that processes that data must comply, wherever it is based, truly creating a global impact.
This new regulation will require material changes in how and where organizations store customer data and, more importantly, in how they grant access to that data to employees, contractors and business partners. The law also requires organizations to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, which forces existing security models to evolve from preventing breaches at the network layer to detecting and remediating events in near real time.
The passage of GDPR has important implications for enterprise identity governance programs. Now is the time to get your identity house in order before the enforcement and penalty phases of the law take effect. Organizations can take proactive steps to stay ahead by focusing on a few key identity governance priorities:
- First, develop a complete picture of where the customer data that GDPR requires you to protect exists within your organization. It may be in structured systems such as applications or databases, or it may reside in files located on file systems, collaboration portals (such as SharePoint) or even in cloud storage systems (such as Box or Google Drive).
- Second, understand who should have access to customer data and reconcile that with who actually does. This should be an ongoing process, not a one-time event. Make sure to include every application and file storage platform where you are actively keeping customer data.
- Finally, design identity governance controls to protect access to GDPR-related data as users join, leave or move to different roles within the organization.
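To make the three steps concrete, the following is an added example (not code from the original post) that reconciles a role-based view of who should have access to GDPR-scoped data stores with the access each platform actually grants, and then re-runs the same check after a user changes roles. The data inventory, role model, HR roster and ACL snapshots are constructed sample data, and the field names (`gdpr_scope`, event `type`) are assumptions for illustration.

```python
"""Reconcile who should have access to GDPR-scoped data stores with who does.

Added example (not from the original article). Every inventory, role, roster
entry and ACL snapshot below is constructed sample data; the field names are
assumptions, not a real product schema.
"""

# Step 1 output: data inventory. Only stores flagged gdpr_scope are reviewed.
DATA_STORES = {
    "crm_db": {"gdpr_scope": True},
    "sharepoint_support": {"gdpr_scope": True},
    "box_marketing": {"gdpr_scope": True},
    "build_server": {"gdpr_scope": False},
}

# Role model: which job roles are entitled to which stores.
ROLE_ENTITLEMENTS = {
    "sales": {"crm_db"},
    "support": {"crm_db", "sharepoint_support"},
    "marketing": {"box_marketing"},
    "engineering": {"build_server"},
}

# Authoritative HR roster: user -> current role. Anyone absent has left.
HR_ROSTER = {"alice": "sales", "bob": "support", "carol": "marketing"}

# ACL snapshot pulled from each platform (constructed).
ACTUAL_ACCESS = {
    "crm_db": {"alice", "bob", "dave"},       # dave is not on the roster
    "sharepoint_support": {"bob", "carol"},   # carol's role does not need this
    "box_marketing": {"carol"},
    "build_server": {"erin"},                 # out of GDPR scope, not reviewed
}


def in_scope_stores(stores):
    """Names of stores that hold personal data in GDPR scope."""
    return {name for name, meta in stores.items() if meta["gdpr_scope"]}


def expected_access(roster, entitlements, stores):
    """Derive desired access (store -> users) from the roster and role model."""
    scope = in_scope_stores(stores)
    expected = {store: set() for store in scope}
    for user, role in roster.items():
        for store in entitlements.get(role, set()) & scope:
            expected[store].add(user)
    return expected


def reconcile(roster, entitlements, stores, actual):
    """Compare desired access with actual ACLs.

    Returns a sorted list of (finding, user, store) where finding is:
      'orphan'  - account holder is not on the HR roster (leaver or unknown)
      'excess'  - known user whose current role does not justify this access
      'missing' - role-entitled user who lacks access (provisioning gap)
    """
    expected = expected_access(roster, entitlements, stores)
    findings = []
    for store, should_have in expected.items():
        has = actual.get(store, set())
        for user in has - should_have:
            kind = "orphan" if user not in roster else "excess"
            findings.append((kind, user, store))
        for user in should_have - has:
            findings.append(("missing", user, store))
    return sorted(findings)


def apply_lifecycle_event(roster, event):
    """Return a new roster after a joiner/mover/leaver event.

    event is a dict such as {"type": "move", "user": "bob", "role": "marketing"}.
    """
    updated = dict(roster)
    if event["type"] in ("join", "move"):
        updated[event["user"]] = event["role"]
    elif event["type"] == "leave":
        updated.pop(event["user"], None)
    else:
        raise ValueError(f"unknown lifecycle event: {event['type']}")
    return updated


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, DATA_STORES, ACTUAL_ACCESS):
        print("%-8s %-6s %s" % finding)
    # Bob moves from support to marketing: the same check now flags his CRM and
    # SharePoint access as excess and his Box access as missing.
    moved = apply_lifecycle_event(HR_ROSTER, {"type": "move", "user": "bob", "role": "marketing"})
    print("--- after bob moves to marketing ---")
    for finding in reconcile(moved, ROLE_ENTITLEMENTS, DATA_STORES, ACTUAL_ACCESS):
        print("%-8s %-6s %s" % finding)
```

The three finding types map onto the joiner/mover/leaver problem: `orphan` is access that survived a departure, `excess` is access a mover carried into a new role, and `missing` is a joiner or mover who has not been provisioned. In practice the ACL snapshots come from per-platform connectors and the role model is the hard part to get right, but the reconciliation itself is just this set difference, run continuously rather than once.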
At first, you may feel overwhelmed by the requirements of GDPR, especially considering the financial ramifications of non-compliance. However, placing identity governance at the core of your security strategy to protect access to customer data can go a long way towards mitigating the risk of a data breach and the penalties that would follow.