What you need to know about GDPR and Identity Access Management

Posted by · filed under Audit Requirements, Compliance
Comments Off on What you need to know about GDPR and Identity Access Management
GDPR – General Data Protection Regulation

GDPR and Identity Access Management

Get ready for GDPR!

The General Data Protection Regulation (GDPR) is due to come into force in on 25th May, 2018 – so how will this affect your organization? How do you mitigate vulnerabilities and risks with the support of Identity Access Management?

You may feel overwhelmed by the requirements of this regulation, especially considering the financial ramifications of non-compliance. However, leveraging identity governance at the core of your security strategy can go a long way towards mitigating the risk of a data breach and the resulting penalties that may incur.

  • Find out who is affected by the General Data Protection Regulation and resulting obligations
  • Enforce the compliant use and restrict the access to personal data
  • Demonstrate the implementation of appropriate measures for ensuring compliance with the principles of GDPR

So why is identity Access Management a ‘a must have’ for enforcing GDPR compliance?

GDPR contains various references to the need and the use of Identity & Access Management. But like many other aspects of this regulation these links are not explicit. Probably to the regret of many ‘controllers’ and ‘processors’, who would prefer a regulation that states in round terms ‘what needs to be done’, a fundamental claim of the regulation towards the ‘controllers’ is, to first make them think about the processing of personal data.

Thinking about the purpose of the processing, thinking about the adequate protection, thinking about the processes of processing. But if a regulation is focused on describing the target scenario and the intended attitude of the organizations, you shouldn’t be surprised, that GDPR isn’t specifying the way to get there. This is the reason, why there are no quotes like ‘to protect personal data, the use of Identity & Access Management systems is mandatory’.

Accountability as fundamental standard in GDPR

Corresponding to other legal frameworks, the demand for ‘accountability’ in this context requires the certainty, that the compliant use of (and with this the access to) personal data is permanently enforced. A certainty that can only be achieved by the implementation of an effective Identity Management System.

Security by Design

The explicitly mentioned question of accessibility is an indisputable assignment for the implementation of a powerful Access Governance / Access Management system. GDPR is also mentioning technical and organizational measures which supports the widely accepted understanding, that any implementation of IAM is a mixed project of technical and organizational aspects, “Security by Design” is probably the most distinct request for the need of IAM in the entire regulation.

GDPR and Identity Access Management

In fact the entire GDPR is dealing with the natural conflict between the businesswise needed, legitimate use of personal data and the intention to restrict in volume and access as much as possible. The only available answer to this conflict is given by an Identity & Access Management system.

For more information download our free White Paper here.

Tags: |