What does the GDPR mean for Identity Governance?

GDPR (the General Data Protection Regulation) is an EU regulation that requires organizations to protect the personal data and privacy of individuals located in the EU.

EU GDPR has a very wide scope: it applies to every data controller (the party that determines why and how personal data is processed) and data processor (the party that processes personal data on the controller's behalf) dealing with data subjects (the individuals) residing in the EU, even when the controller or processor is established outside the EU.

An Identity Governance solution can help an organization become GDPR compliant and also positions it to better mitigate the risk of a data breach.

The key elements of identity governance play a central role in identifying personal data and demonstrating GDPR compliance:

  • Data Access Governance - automates the discovery and classification of personal data and provides activity monitoring to improve risk mitigation and understand appropriate use.
  • Compliance controls - allows organizations to define and enforce access policies, to conduct regular access reviews by data owners and to automatically revoke inappropriate access. Provides centralized reporting of all preventive and detective controls.
  • Automated Provisioning - ensures that access to personal data is granted on a need-to-know basis only and provides approval workflow and policy checking for any proposed access changes.
  • Password Management - enforces strong password policies across all systems containing personal data.

The primary objective of the GDPR is privacy: the protection of personal data.

1. According to GDPR Article 5 – Personal Data Protection Principles

Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency).
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation).
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay (accuracy).
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation).
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

Identity Governance helps control and protect personal data:

  • Removes personal data stored in inappropriate or redundant locations.
  • Removes personal data that has not been accessed in a specified time period.
  • Removes personal data that has expired.
  • Assigns data owners and performs regular access reviews.
  • Keeps access rights to personal data to a minimum.
  • Detects and revokes inappropriate access rights.
  • Detects and revokes stale and unused access rights.
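The controls above (data owners, periodic access reviews, detection and revocation of stale or unused access) reduce to a few operations over an entitlement inventory. The following is an added example, not code from the original article or from any product; the resources, identities, timestamps, the 90-day idle threshold and the `find_stale`/`build_review_packet`/`apply_decisions` helpers are all constructed assumptions.

```python
# Added example (not from the original article): detect stale or never-used
# entitlements to resources holding personal data and assemble a per-owner
# access-review packet. All names, resources and timestamps are constructed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed resource inventory: data owner and whether the resource holds
# personal data (what Data Access Governance discovery would populate).
RESOURCES = {
    "hr-payroll-db": {"owner": "hr.director", "personal_data": True},
    "crm-share":     {"owner": "sales.ops",   "personal_data": True},
    "build-server":  {"owner": "devops.lead", "personal_data": False},
}

# Constructed entitlement inventory: last_used is None when the access was
# granted but never exercised.
ENTITLEMENTS = [
    {"user": "alice", "resource": "hr-payroll-db", "role": "analyst", "last_used": NOW - timedelta(days=5)},
    {"user": "bob",   "resource": "hr-payroll-db", "role": "admin",   "last_used": NOW - timedelta(days=140)},
    {"user": "carol", "resource": "crm-share",     "role": "reader",  "last_used": None},
    {"user": "dave",  "resource": "build-server",  "role": "admin",   "last_used": NOW - timedelta(days=200)},
    {"user": "erin",  "resource": "crm-share",     "role": "editor",  "last_used": NOW - timedelta(days=20)},
]


def _key(e):
    return (e["user"], e["resource"], e["role"])


def find_stale(entitlements, resources, now=NOW, max_idle_days=90):
    """Entitlements to personal-data resources that were never used or have
    been idle for longer than max_idle_days. Non-personal-data resources are
    left to ordinary hygiene and are not flagged here."""
    cutoff = now - timedelta(days=max_idle_days)
    return [
        e for e in entitlements
        if resources[e["resource"]]["personal_data"]
        and (e["last_used"] is None or e["last_used"] < cutoff)
    ]


def build_review_packet(entitlements, resources, now=NOW, max_idle_days=90):
    """Group every entitlement to a personal-data resource under its data
    owner, with a recommendation the owner must act on during the review."""
    stale = {_key(e) for e in find_stale(entitlements, resources, now, max_idle_days)}
    packet = defaultdict(list)
    for e in entitlements:
        res = resources[e["resource"]]
        if not res["personal_data"]:
            continue
        packet[res["owner"]].append({
            "user": e["user"],
            "resource": e["resource"],
            "role": e["role"],
            "recommendation": "revoke" if _key(e) in stale else "certify",
        })
    return dict(packet)


def apply_decisions(entitlements, decisions, reviewer, now=NOW):
    """Remove the entitlements a reviewer chose to revoke and return the
    remaining inventory plus an audit trail of each revocation.
    decisions: {(user, resource, role): "revoke" | "certify"}"""
    remaining, audit = [], []
    for e in entitlements:
        if decisions.get(_key(e)) == "revoke":
            audit.append({"ts": now.isoformat(), "reviewer": reviewer, "action": "revoke",
                          **{k: e[k] for k in ("user", "resource", "role")}})
        else:
            remaining.append(e)
    return remaining, audit


if __name__ == "__main__":
    packet = build_review_packet(ENTITLEMENTS, RESOURCES)
    for owner, items in packet.items():
        print(owner)
        for item in items:
            print(f"  {item['user']:6} {item['resource']:14} {item['role']:8} -> {item['recommendation']}")
    # The hr.director revokes bob's idle admin access; the audit trail records it.
    remaining, audit = apply_decisions(
        ENTITLEMENTS, {("bob", "hr-payroll-db", "admin"): "revoke"}, "hr.director")
    print(len(remaining), "entitlements remain;", audit)
```

The review packet deliberately contains every entitlement to a personal-data resource, not only the stale ones: the storage-limitation and data-minimisation principles are served by the owner positively certifying each remaining access, while the idle threshold only decides what the default recommendation is. The `build-server` entitlement is left out because the resource holds no personal data.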

2. According to GDPR Articles 25 and 32 – Securing Personal Data

Under Article 25 (data protection by design and by default) and Article 32 (security of processing), the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • The pseudonymization and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Identity Governance strengthens the controls that secure personal data:

  • Provides centralized visibility into the access control models for all resources storing and processing personal data.
  • Uses role-based access control to ensure access to personal data is granted on a need-to-know basis (“least privilege”).
  • Automatically detects job changes such as transfers or terminations and launches the appropriate workflow to remove or change access privileges.
  • Requires manager or data owner approval for all access changes.
  • Prevents policy violations by evaluating any proposed access changes to defined rules.
  • Logs all access requests and actions by approvers, providing a complete and auditable record of who requested access to which systems and who approved or denied the request.
  • Provides extensive reporting capabilities to enable self-assessment and provide proof of GDPR compliance.
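The preventive controls in this list (role-based need-to-know, manager or data-owner approval, evaluation of a proposed change against defined rules, and an auditable record of the request and decision) can be shown as one small approval workflow. This is an added example, not code from the original article or from any identity governance product; the role model, the job-to-role mapping, the `SOD-01` segregation-of-duties rule, the identities and the `evaluate_request`/`decide` helpers are constructed assumptions.

```python
# Added example (not from the original article): evaluate a proposed access
# change against a role model, a need-to-know mapping and segregation-of-duties
# (SoD) rules, then require approval from the user's manager and keep an
# auditable record. Roles, rules and identities are constructed assumptions.
from datetime import datetime, timezone

# Role model: each role bundles entitlements on a system ("system:permission").
ROLES = {
    "payroll-analyst":  {"payroll:read"},
    "payroll-approver": {"payroll:approve"},
    "payroll-admin":    {"payroll:read", "payroll:write", "payroll:approve"},
    "crm-reader":       {"crm:read"},
}

# Need-to-know: which job functions may hold which roles at all.
JOB_ROLES = {
    "hr":    {"payroll-analyst", "payroll-approver", "payroll-admin"},
    "sales": {"crm-reader"},
}

# SoD rules: entitlement sets that one identity must never hold together.
SOD_RULES = [
    ({"payroll:write", "payroll:approve"}, "SOD-01: may not both change and approve payroll"),
]

# Constructed identity store with current role assignments.
USERS = {
    "alice": {"job": "hr",    "manager": "hr.director", "roles": {"payroll-analyst"}},
    "bob":   {"job": "sales", "manager": "sales.ops",   "roles": {"crm-reader"}},
    "carol": {"job": "hr",    "manager": "hr.director", "roles": {"payroll-approver"}},
}


def entitlements_for(roles):
    """Flatten a set of roles into the entitlements they grant."""
    return set().union(*(ROLES[r] for r in roles)) if roles else set()


def evaluate_request(user, role, requester, users=USERS):
    """Preventive control: check a proposed grant before anyone approves it.
    The SoD check runs against the entitlements the user WOULD hold after the
    grant, so a conflict spread across two roles is still caught."""
    u = users[user]
    violations = []
    if role not in ROLES:
        violations.append(f"unknown role {role!r}")
    else:
        if role not in JOB_ROLES.get(u["job"], set()):
            violations.append(f"role {role!r} is not permitted for job function {u['job']!r}")
        resulting = entitlements_for(u["roles"] | {role})
        for conflict, name in SOD_RULES:
            if conflict <= resulting:
                violations.append(name)
    return {
        "user": user, "role": role, "requester": requester,
        "approver": u["manager"], "violations": violations,
        "status": "rejected" if violations else "pending_approval",
    }


def decide(request, approver, approve, users=USERS, audit=None, now=None):
    """Apply a manager's decision to a pending request and append an audit
    record of who requested what, who decided, and how."""
    audit = audit if audit is not None else []
    now = now or datetime.now(timezone.utc)
    if request["status"] != "pending_approval":
        raise ValueError("request is not awaiting approval")
    if approver != request["approver"]:
        raise PermissionError(f"{approver} is not the designated approver for this request")
    if approve:
        users[request["user"]]["roles"].add(request["role"])
        request["status"] = "granted"
    else:
        request["status"] = "denied"
    audit.append({"ts": now.isoformat(), "requester": request["requester"],
                  "user": request["user"], "role": request["role"],
                  "approver": approver, "decision": request["status"]})
    return audit


if __name__ == "__main__":
    for user, role in [("alice", "payroll-approver"), ("carol", "payroll-admin"), ("bob", "payroll-analyst")]:
        r = evaluate_request(user, role, requester=user)
        print(f"{user:6} -> {role:17} {r['status']:16} {r['violations']}")
    req = evaluate_request("alice", "payroll-approver", requester="alice")
    print(decide(req, "hr.director", approve=True))
```

Two of the three sample requests are rejected before any approver sees them: carol already approves payroll, so `payroll-admin` would give her write and approve together (the SoD conflict), and bob's sales job function has no need-to-know for payroll at all. The third request is routed to the user's manager, and only that manager can decide it; the audit entry that results is the record the reporting bullets above refer to.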

3. According to GDPR Articles 33 and 34 – Monitoring and Detection

In the event of a personal data breach, Article 33 requires the controller to notify the competent supervisory authority (the Data Protection Authority, DPA) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Article 34 additionally requires the controller to communicate the breach to the affected data subjects when it is likely to result in a high risk to them. That communication to data subjects is not required if:

  • The risk of harm is remote because the affected data are protected by appropriate technical and organisational measures (e.g. strong encryption that renders the data unintelligible to unauthorised persons).
  • The controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise (e.g. suspending affected accounts).
  • Individual notification would involve disproportionate effort (in which case the controller must instead issue a public communication or an equally effective measure).

Identity Governance provides controls for monitoring and detection:

  • Monitors who is accessing personal data, when, from where, and what types of operations they are performing.
  • Notifies and alerts data owners and managers to any detected violations or anomalies.
  • Automates remediations when violations are detected.
  • Enables data owners to perform real-time risk status checks over data they manage.
  • Provides fine-grained audit trails required to conduct forensics in the case of a data breach.
  • Logs all changes to access, providing a complete and auditable record of who requested access to which systems and who approved or denied the request.
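The monitoring bullets above (who accessed personal data, when, from where, what operation; alerting the data owner; an audit trail usable for forensics) come down to detection logic run over access logs. The following is an added example, not code from the original article or from any product. The `key=value` log format, the sample log lines, the entitlement table, the corporate address range, the business-hours window and the bulk-export threshold are all constructed assumptions chosen so that each detection rule fires at least once.

```python
# Added example (not from the original article): run a few detective controls
# over access-log lines for resources that hold personal data and route alerts
# to the data owner. The log format, entitlement table, address ranges,
# thresholds and business hours are constructed assumptions.
import ipaddress
import re
from datetime import datetime, timezone

# Constructed entitlement inventory and data-owner mapping.
ENTITLED = {
    "hr-payroll-db": {"alice", "bob"},
    "crm-share":     {"carol", "erin"},
}
OWNERS = {"hr-payroll-db": "hr.director", "crm-share": "sales.ops"}

# Assumed corporate address space, business hours (UTC) and bulk threshold.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 19)
BULK_ROWS = 10_000

# Constructed log lines in an assumed key=value format.
SAMPLE_LOG = """\
2024-06-01T09:15:00Z user=alice src=10.1.2.3 resource=hr-payroll-db op=read rows=12
2024-06-01T02:40:00Z user=bob src=10.1.2.9 resource=hr-payroll-db op=export rows=48000
2024-06-01T10:05:00Z user=carol src=203.0.113.7 resource=hr-payroll-db op=read rows=3
2024-06-01T11:00:00Z user=erin src=10.2.0.4 resource=crm-share op=read rows=40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"resource=(?P<resource>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)


def parse(line):
    """Turn one log line into a typed event; refuse lines that do not match
    rather than silently skipping them (a gap in monitoring is itself a finding)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["rows"] = int(ev["rows"])
    return ev


def detect(event):
    """Return the names of every detection rule the event trips."""
    hits = []
    if event["user"] not in ENTITLED.get(event["resource"], set()):
        hits.append("access-without-entitlement")
    if not any(event["src"] in net for net in CORPORATE_NETS):
        hits.append("access-from-outside-corporate-network")
    if event["ts"].hour not in BUSINESS_HOURS:
        hits.append("access-outside-business-hours")
    if event["op"] == "export" and event["rows"] >= BULK_ROWS:
        hits.append("bulk-export")
    return hits


def monitor(log_text):
    """Parse the log, evaluate each event and produce alerts addressed to the
    data owner of the resource involved (security-ops if no owner is assigned)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        for rule in detect(ev):
            alerts.append({
                "rule": rule,
                "user": ev["user"],
                "resource": ev["resource"],
                "src": str(ev["src"]),
                "ts": ev["ts"].isoformat(),
                "notify": OWNERS.get(ev["resource"], "security-ops"),
            })
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"{a['ts']} {a['rule']:40} user={a['user']:6} resource={a['resource']} "
              f"src={a['src']} -> notify {a['notify']}")
```

On the sample log, alice's and erin's reads produce nothing; bob is entitled to the payroll database but his 02:40 export of 48,000 rows trips both the off-hours and bulk-export rules; carol's read trips the entitlement rule (she is only entitled to `crm-share`) and the external-source rule. Every alert carries the user, source, timestamp and rule, which is the minimum a forensic timeline needs; a real deployment would also enrich with the access-request audit trail so the investigator can see who approved the entitlement being abused.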

4. According to GDPR Articles 30 and 35 – Meeting Compliance Documentation Requirements

Article 30 requires both controllers and processors to maintain a record of processing activities: a centralized register that documents each processing activity (its purposes, the categories of data subjects and of personal data, the recipients, any transfers to third countries and the envisaged retention periods) and, where possible, describes the technical and organisational security measures taken to protect personal data.

Article 35 requires a data protection impact assessment (DPIA) before any processing that is likely to result in a high risk to the rights and freedoms of individuals. The assessment must contain at least:

  • A systematic description of the processing operations and the purposes of the processing.
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
  • An assessment of the risks to the rights and freedoms of data subjects.
  • The measures envisaged to address the risks.

Identity Governance can help to:

   1. Streamline Reporting Requirements

  • Identifies personal data stored in hard-to-find locations such as file servers, portals, mailboxes, and cloud folders.
  • Provides complete visibility into the access control models for each resource storing or processing personal data.
  • Assigns application/data owners to each resource processing personal data.

   2. Assess and Mitigate Risk

  • Automates the periodic review of access to personal data by managers and data owners.
  • Provides detailed reports of each access review cycle including inappropriate access detected, access revocations, and policy violations detected and remediated.
  • Uses role-based access control to ensure access to personal data is granted on a need-to-know basis (“least privilege”).
  • Enforces strong password policies across all systems containing personal data.
  • Automatically scans resources to discover and report access policy violations.
  • Provides extensive reporting capabilities to enable self-assessment and provide proof of GDPR compliance.

Authored By - Ajay Kumar Goswami
TCS Cyber Security Practice
