GDPR — changing the rules of identity and access management

GDPR — EU’s latest data protection regulation — is being brought into effect in May 2018 and will affect all EU-based companies, big and small. GDPR calls for fundamental changes on how companies collect, process, and store personal data — and an important parameter of that is who has access to this data. Having spoken with GDPR experts at information security company TwelveSec, I’m presenting a guideline into how companies can guard their client and other sensitive data by ensuring that only the right people have access to them.

What is GDPR — and why you should care

Let’s start with the high-level facts; the EU’s General Data Protection Regulation (GDPR) clarifies the data rights of EU citizens and ensures an appropriate level of EU-wide protection for personal data. Its goal is to define personal data rights, as well as the obligations of companies when it comes to collecting, storing, and processing personal data. It will be enforced as of May 25, 2018 and it applies across all the Member States of the EU, but also any organization anywhere in the world that provides services into the EU. GDPR is a law of direct enforcement, which means that it supersedes existing laws in EU Member States.

What qualifies as personal data? I won’t tire you with the full list of definitions, which you can read here, but it essentially boils down to any information that can identify a person, such as name, ID number, location data, online identifier (including email address), and more. Moreover, sensitive personal data is defined as data that reveal a person’s characteristics or preferences, such as ethnicity, political views, sexual orientation — as well as criminal or health records. These definitions don’t just include client data, but also employee data — such as CVs, financial data etc.

What can you do with personal data? GDPR allows companies to collect, process, and store personal data as long as specific guidelines are followed. The purpose of collecting, processing, and/or storing personal data needs to be clearly stated, and you also need the specific consent of the clients/users/employees or other persons whose data you are handling. The data collected need to be as minimal as possible, which means they need to correspond directly to the reason your company handles personal data. Finally, you need to protect this data by setting up a ‘privacy compliance framework’ — that is setting up the processes, policies, and controls by which you will ensure the integrity and confidentiality of this data.

What measures do you need to take? A good first step is to actually identify to what extent your company handles personal data. You can achieve this by reviewing all of your current activities and understanding what personal data is collected, how, and if they fit 100% with your stated purpose for handling them — if this task seems too daunting, you can outsource it and ask an information security company for an audit or gap analysis. International standards and privacy marks — such as ISO/IEC 27001 — are identified by GDPR as effective tools for demonstrating compliance with the new regulations, so it might be a good idea to undertake the process and receive the certification. A more advanced step would be to perform a PIA (Privacy Impact Assessment) on a regular basis, in order to identify potential issues.

The activities you need to undertake fall under three main categories: processes, technology, and people. First you need to set up the processes by which you will ensure compliance with GDPR — this means management systems, governance frameworks, or following best practices. Then, you need to ensure you have the necessary tools to support the processes you have outlined. Finally, you need to ensure your employees are familiar with both the processes and technology, by training them and raising awareness internally.

We’ll talk more about tools in the next part of the article — and especially about how you can limit access to personal data, and keep it on a ‘need to know’ basis.

Does this sound frightening? It might seem like an enormous task when you first learn about the GDPR requirements, but it should soon become second nature — remember, if your company is based in the EU or does business with EU companies, you can’t avoid this. GDPR will apply to companies of all shapes and sizes — with the caveat that companies of under 250 employees are not required to keep records.

Identity and access management in GDPR — ensuring that only the right people have access to personal data

The three pillars of information security in terms of data privacy are integrity, availability, and confidentiality. Integrity relates to ensuring the data is not edited or modified in an unauthorised way once stored, while availability relates to accidental loss, but it also includes the requirement for the information to be available whenever it is needed and in the required form.

Confidentiality is concerned with setting limits on who may have access to specific information, based on their need to know. You can use specialised software to achieve this, allowing access to private data only to authorised personnel, based on their role (for the sake of transparency, I’m involved in Yeep — an Authorization-as-a-Service platform that specialises in access management). Personal data might also be collected, processed or stored by third party tools that your company is using — whether in the cloud or otherwise. For example, you will need to monitor and control which of the company employees have access to the CRM, which by default contains personal data. At the same time, you must ensure the privacy of personal data internally — e.g. employee health records, such as information about a pregnancy, should only be available to those people who have a legitimate need to access them.

What it all boils down to is this; you need to ensure that personal data can only be accessed by the right people within your company, and for the explicit purpose for which you have collected or stored them.

This brings us to identity and access management. It’s not enough to keep track of which department or employees have access to personal data, once you’ve identified them. You need to know exactly where they are stored (online or physically), which employees have access to them, and what kind of access they have (i.e. read-only, read-write, read-write-delete and update, if different than write). It might be difficult to collect this information and keep it up-to-date, but there are online tools that can help.

This is a good point to raise the issue of role-based access — meaning that access to personal data shouldn’t be provided to an employee individually, but as a result of their role. So, another important task is to identify roles within the company and assign access rights based on those roles. Roles can be broad in scope (e.g. developers or salespeople), but some of them will need to be more narrowly defined. For example, a consulting company might need to store and process client data in order to implement projects — the consultants would only have access to the projects they are actively involved in, but their manager may have access to all the client data, for QA purposes.

How you’ll stop worrying and learn to love GDPR

This might all be a lot to take in — but it’s a necessary step that all companies within the EU (as well as those doing business with EU companies) will have to take sooner or later. It will require an initial effort to map everything and comply with all the terms of the GDPR regulation, as well as ensuring that you maintain the processes necessary for compliance.

The positive side is that this might well be a benefit for any company. You will have better control of who has access to what information, you will have a clear understanding of just how many licenses of third-party software you need. At the same time, you’ll be able to identify and minimise ‘ghost accounts’ — user and service accounts which are enabled but no longer active (e.g. ex-employees who still have access to your resources) — which are more widespread than you’d think.

At the end of the day, there are many consultants and lawyers who specialise in GDPR, as well as information security companies, who can help set the foundations for your compliance.

Special thanks to the GDPR experts at TwelveSec for providing me with valuable info and clearing up some cloudy issues. This article was first published on ITProPortal.