Key to GDPR compliance: Controlling access to personal data
By Thierry Bettini, Director of International Strategy, Ilex International
The General Data Protection Regulation (GDPR) is not a technology issue. When the GDPR comes into effect on 25 May 2018 it will demand organisations record and demonstrate control over who can access any personal identifiable data that is collected or stored from any individual in the European Union (EU). The establishment of this capability is the true technology issue companies will face when adapting to the new regulation.
GDPR will change the game when it comes to consumer control over their privacy and data. The regulation aims to harmonise data privacy legislation across the EU, and protect every person using technology, regardless of the degree to which they use it. Much has been said about the big-stick fines GDPR threatens, of up to 20 million euros, or four percent of an organisation’s global annual turnover, for failure to comply. But there is also a carrot. With the knowledge that, in our digital world, being able to create trusted customer relationships is a business opportunity, as well as a wealth generator, GDPR legislators have created opportunities for businesses to differentiate themselves. Companies can get ahead of the game by achieving, creating and marketing GDPR data protection certification marks and seals.
Right now, organisations are at very different points in their journey towards GDPR. This means there is an increased demand to answer hard data accountability questions, such as:
- Why are we holding personal data?
- How did we get it?
- Why was it gathered originally?
- How long has it been held?
- How secure is the data in terms of accessibility and encryption?
- Do we share this data with third parties?
Answering these questions, especially the last two, requires a robust and foolproof approach to limiting access to personal data, backed by a clear audit trail of when the data was accessed and by whom. This is just one of the many steps heading towards compliance with the GDPR’s accountability principle, which requires organisations to demonstrate and document fine-grained compliance with data protection principles whilst doing business.
When it comes to Privacy Impact Assessments, weak access credentials or authentication processes will be red flags for GDPR compliance officers. Proving, as well as controlling, who is accessing personal information, where they are accessing it from, and for what purpose, will be critical. Organisations can limit this risk with easily managed, flexible multi-factor authentication solutions, applicable to any personal data, wherever it may reside.
How can Adaptive Authentication effectively support your organisation’s strategy to achieve GDPR compliance?
- Manage, control and administer all of your users and endpoints in one central place
- Allow and establish visibility of precisely who is accessing personal information and from where
- Build additional security layers to ensure and prove your protection of personal information
- Protect privileged accounts from misuse and breach
- Offer a practical and cost-effective way to deliver Privacy by Design principles
- Comply with all relevant industry standards
Simple for administrators: Adaptive Authentication works across all commonly used devices, and gives administrators the ability to set and manage granular controls around access variables. These may include elements such as user privileges, geographical location, type of browser, time of day or authentication type.
Simple for Data Protection Officers: When you talk to your Data Protection Officer (DPO), applying this level of contextual, behavioural risk management will reassure them that you have the necessary control of data access for GDPR compliance. Let’s not forget that the introduction of GDPR will include the 72-hour breach-reporting requirement that will come into force next May. Using Adaptive Authentication will enable you to show your DPO how easily and quickly you can run a detailed report of exactly which data was accessed.
Simple for Users: Any layers of access control an organisation may implement should always be effective, but also simple for anyone to use. Once a user gains access, the smart solution remembers the various elements of that connection in context. This may include aspects such as the device used, the web browser, the IP address, etc. This is one of the ways an Adaptive Authentication solution combines a user-friendly, efficient experience with reduced risk online.
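To make the contextual risk evaluation described above concrete, here is an added example (not Ilex's product code) of a minimal adaptive-authentication policy: it scores a login attempt against the device, browser, network, country and time of day remembered from a user's earlier sessions, steps up to a second factor for privileged accounts or risky changes, and returns the audit record (who, from where, what was decided) that the accountability principle calls for. The weights, the /24 network rule, the threshold and the sample history are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class LoginContext:
    user: str
    device_id: str
    browser: str
    ip: str
    country: str
    hour: int              # local hour of day, 0-23
    privileged: bool = False

# Assumed weights: how suspicious is a change in each remembered element?
RISK_WEIGHTS = {"device": 30, "browser": 10, "network": 20, "country": 40, "hour": 15}
STEP_UP_THRESHOLD = 40     # assumed: at or above this, require a second factor
WORK_HOURS = range(7, 20)  # assumed normal access window

def same_network(a: str, b: str) -> bool:
    """Treat two addresses as the same network when they share a /24 (assumption)."""
    return ip_address(a) in ip_network(f"{b}/24", strict=False)

def risk_score(ctx: LoginContext, known: list[LoginContext]) -> int:
    """Score a login against contexts remembered from earlier successful logins."""
    if not known:
        return STEP_UP_THRESHOLD        # first sighting: nothing to compare with
    score = 0
    if all(ctx.device_id != k.device_id for k in known):
        score += RISK_WEIGHTS["device"]
    if all(ctx.browser != k.browser for k in known):
        score += RISK_WEIGHTS["browser"]
    if all(not same_network(ctx.ip, k.ip) for k in known):
        score += RISK_WEIGHTS["network"]
    if all(ctx.country != k.country for k in known):
        score += RISK_WEIGHTS["country"]
    if ctx.hour not in WORK_HOURS and all(k.hour in WORK_HOURS for k in known):
        score += RISK_WEIGHTS["hour"]
    return score

def decide(ctx: LoginContext, known: list[LoginContext]) -> dict:
    """Return the access decision together with the audit record to retain."""
    score = risk_score(ctx, known)
    # Privileged accounts always step up, whatever the context looks like.
    step_up = ctx.privileged or score >= STEP_UP_THRESHOLD
    return {"user": ctx.user, "ip": ctx.ip, "country": ctx.country,
            "device": ctx.device_id, "risk": score,
            "decision": "mfa_required" if step_up else "allow"}

# Constructed login history for one user (sample data, not real).
KNOWN_ALICE = [LoginContext("alice", "laptop-1", "Firefox", "10.0.5.20", "FR", 9),
               LoginContext("alice", "laptop-1", "Firefox", "10.0.5.21", "FR", 14)]
```

In practice the returned record would be written to a tamper-evident audit log so the "who accessed what, from where" report the DPO asks for can be produced on demand.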
GDPR is coming, but this doesn’t have to be a bad thing. Adaptive Authentication systems are an easily-implemented and effective way to ensure complete compliance with the new regulation, which can only be a good thing in the long run in both the online and physical worlds.
To find out more about Ilex International and its range of Identity and Access Management solutions, click here.
Thierry holds a PhD in Economics from the Sorbonne University and has over 25 years of experience in the IT industry. His career started at Air France in London and New York where he led several IT projects and participated in the major restructuring of the company’s Sales and Marketing strategy. He then went on to hold senior executive positions for international software vendors and IT consulting firms.
Thierry’s return to Ilex in 2014 coincided with the company’s decision to consolidate its strong position in Europe and to focus on its international development.