The Role of Identity in GDPR Compliance

One of the requirements of the European Union’s Global Data Protection Regulation (GDPR) is the implementation of appropriate data security measures to protect an EU resident’s personal data, which is any data that directly references a person, or data that can be used to indirectly identify a person.

Identity and access management can help protect personal data by ensuring:

Authorization—Only users who need to access the data can actually access it.

Authentication—Users who access information are who they say they are at the time of access.

Certification—There is a continuous process of access reviews and certifying proper authorization controls, given the constant flux of users who need access to information.

Auditability—The organization has the ability to effectively govern authorization, certification and authentication.

While minimizing identity risk can help achieve the goal of protecting personal data, it’s also important to deliver access that’s both convenient and secure in the process. User convenience and productivity are vital because you don’t want to frustrate your employees or consumers, or impede productivity on the way to compliance. Here are some identity and access management capabilities that balance security and convenience:

Risk-based multi-factor authentication—The appropriate level of authentication is based on the impact of rogue access to the application and data, and the current risk associated with the access request. Users need to step up only if the risk is high.

Flexible and modern authentication options—Organizations can create policies to accommodate classic security needs, address various user types and provide a variety of modern, mobile-enabled authentication options.

Another important consideration is getting the line of business involved in access decisions. After all, they really know who should have access to what information to get the job done. Key capabilities to enable business-driven access decisions include:

• Empowering the business with proper authorization driven by business needs;
• Providing a single view of the user across identity stores (on-premises and in the cloud) to enable holistic decisions;
• Providing risk-based access certifications to prioritize action on access violations based on what has the largest impact on the business, so the line of business can take action on what matters most;
• Making information for certifying access reviews easy for business users to understand and act on, to reduce the risk of errors and avoid rubber-stamping;
• Providing reporting capabilities to meet compliance requirements.

Finally, information sharing between technologies for compliance across the organization can drive value beyond achieving compliance. When the GRC team is evaluating the overall risk posture and sensitive data assets, for example, they can take into account information from identity and access management tools as they make decisions about raising the risk level and taking action. Similarly, the identity team can benefit from information provided by GRC tools about application criticality and data classification, which can be used within the context of certification reviews and access policy decisions.

Download this infographic and learn more about an integrated approach to tackle the requirements of GDPR.