Controlling access to personal data - the key to GDPR compliance

The General Data Protection Regulation (GDPR) is not a technology issue. When the GDPR comes into effect on 25 May 2018, amongst other challenging requirements, it will demand that organisations record, and demonstrate control over, who can access any personally identifiable data that is collected or stored from any individual in the European Union (EU). Establishing this capability is the true technology issue companies will face when adapting to the new regulation.

GDPR will change the game when it comes to consumer control over their privacy and data. Four years in the making, the regulation aims to harmonise data privacy legislation across the EU and protect every person using technology, regardless of the degree to which they use it. Many articles have been written about the big-stick fines GDPR threatens, of up to 20 million euros or four percent of an organisation’s global annual turnover – whichever is higher – for failure to comply. But there is also a carrot. Knowing that, in our digital world, the ability to create trusted customer relationships is a business opportunity as well as a wealth generator, GDPR legislators have created opportunities for businesses to differentiate themselves. Companies can get ahead of the game by achieving, creating and marketing GDPR data protection certification marks and seals.

Right now, organisations are at very different points in their journey towards GDPR. This means there is an increased demand to answer hard data accountability questions, such as:    

  • Why are we holding personal data?  
  • How did we get it?  
  • Why was it gathered originally?  
  • How long has it been held?    
  • How secure is the data in terms of accessibility and encryption?  
  • Do we share this data with third parties?    

Answering these questions, especially the last two, requires a robust and foolproof approach to limiting access to personal data, backed by a clear audit trail of when the data was accessed and by whom. This is just one of the many steps towards compliance with the GDPR’s accountability principle, which requires organisations to demonstrate and document fine-grained compliance with data protection principles whilst doing business – regardless of where your users are working and whatever devices they are using at the time. Organisations we talk to are also undertaking Privacy Impact Assessments, an essential protocol under GDPR, to verify the effectiveness of their access management and authentication solutions.

Adaptive Authentication: A simple, scalable and secure approach to support your journey to GDPR compliance 

When it comes to Privacy Impact Assessments, weak access credentials or authentication processes will be red flags for GDPR compliance officers. Proving, as well as controlling, who is accessing personal information, where they are accessing it, and for what purpose, will be critical. Organisations can limit this risk with easily managed, flexible multi-factor authentication solutions, applicable to any personal data, wherever it may reside.  

How can Adaptive Authentication effectively support your organisation’s strategy to achieve GDPR compliance? 

  • Manage, control and administer all of your users and endpoints in one central place  
  • Allow and establish visibility of precisely who is accessing personal information and from where 
  • Build additional security layers to ensure and prove your protection of personal information  
  • Protect privileged accounts from misuse and breach  
  • Offer a practical and cost-effective way to deliver Privacy by Design principles 
  • Comply with all relevant industry standards

Simple for administrators: Adaptive Authentication works across all commonly used devices, and gives administrators the ability to set and manage granular controls around access variables. These may include elements such as user privileges, geographical location, type of browser, time of day or authentication type.

Simple for Data Protection Officers: When you talk to your Data Protection Officer (DPO), applying this level of contextual, behavioural risk management will reassure them that you have the necessary control of data access for GDPR compliance. This will be necessary if your organisation wishes to take advantage of any proposed GDPR protection certificates or seals. And let’s not forget the 72-hour breach-reporting requirement that comes into force with GDPR next May. Using Adaptive Authentication will enable you to show your DPO how easily and quickly you can run a detailed report of exactly which data was accessed, when and by whom. This will be essential to demonstrate a key element of compliance to regulators, and also to ensure that all your data remains safe and secure. Once GDPR is just another set of requirements you have tackled and the next compliance challenge emerges, an Adaptive Authentication solution will make it easy to change or add levels of authentication to meet the ever-evolving compliance requirements we have come to face.

Simple for Users: GDPR does not aim to make business more difficult, but ultimately to protect personal data and therefore ensure optimum safety both online and offline. Any layers of access control an organisation implements should always be effective, but also simple for anyone to use. Once a user gains access – either by using fingerprint authentication or an alternative, stronger two-factor authentication – the smart solution remembers the various elements of that connection in context. These may include the device used, the web browser, the IP address, and so on. As long as these elements remain consistent, the connection will automatically remain trusted. This is one of the ways an Adaptive Authentication solution combines user-friendly, efficient activity with reduced risk online. And again, to make things very easy for your users, Adaptive Authentication means that they don’t have to be connected to the internet or have a mobile phone signal to access the data, as all these crucial identifying factors can still be gauged.
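The contextual trust just described (remembering the device, browser and IP at authentication, staying trusted while they remain consistent, stepping up otherwise) together with the access audit trail and per-user report discussed in the earlier sections, as an added illustration that is not Ilex International's product code; the context fields, risk weights, thresholds and the stricter treatment of privileged accounts are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed weights: how much a change in each remembered element raises risk.
WEIGHTS = {"device": 3, "browser": 1, "ip": 2, "country": 3}
STEP_UP_THRESHOLD = 3      # ordinary users: score at/above this needs a second factor
PRIVILEGED_THRESHOLD = 1   # privileged accounts: any change at all needs a second factor


@dataclass
class TrustedSession:
    """Context captured when the user first authenticated strongly."""
    user: str
    context: dict
    privileged: bool = False
    audit: list = field(default_factory=list)

def risk_score(remembered: dict, current: dict) -> int:
    """Sum the weights of every context element that differs from the remembered one."""
    return sum(w for k, w in WEIGHTS.items() if remembered.get(k) != current.get(k))

def authorise_access(session, resource, current, second_factor_ok=False, now=None):
    """Return ALLOW or STEP_UP for one access to personal data and append an audit record."""
    now = now or datetime.now(timezone.utc)
    score = risk_score(session.context, current)
    threshold = PRIVILEGED_THRESHOLD if session.privileged else STEP_UP_THRESHOLD
    if score < threshold:
        decision = "ALLOW"               # context consistent: connection stays trusted
    elif second_factor_ok:
        decision = "ALLOW"
        session.context = dict(current)  # re-trust the new context after a successful step-up
    else:
        decision = "STEP_UP"             # challenge before releasing the data
    session.audit.append({"time": now.isoformat(), "user": session.user, "resource": resource,
                          "score": score, "decision": decision, "context": dict(current)})
    return decision

def access_report(session, resource=None):
    """Which data was accessed, when and by whom: only decisions that released data."""
    return [(r["time"], r["user"], r["resource"]) for r in session.audit
            if r["decision"] == "ALLOW" and (resource is None or r["resource"] == resource)]

if __name__ == "__main__":  # constructed sample: alice logs in, then her IP and country change
    login = {"device": "laptop-17", "browser": "Firefox", "ip": "203.0.113.5", "country": "GB"}
    s = TrustedSession("alice", login)
    print(authorise_access(s, "customers.csv", login))  # ALLOW
    print(authorise_access(s, "customers.csv", {**login, "ip": "198.51.100.9", "country": "US"}))  # STEP_UP
    print(access_report(s))
```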

GDPR is coming, but this doesn’t have to be a bad thing. Adaptive Authentication systems are an easily-implemented and effective way to ensure complete compliance with the new regulation, which can only be a good thing in the long run in both the online and physical worlds.   

To find out more about Ilex International and its range of Identity and Access Management solutions, please visit our website.

Steve Mullan, UK Operations Manager, Ilex International 

Image Credit: Wright Studio / Shutterstock