The Role of Identity in GDPR Compliance

One of the requirements of the European Union’s General Data Protection Regulation (GDPR) is the implementation of appropriate data security measures to protect an EU resident’s personal data, which is any data directly referencing a person, or data that can be used to indirectly identify a person. This includes first/last names, email addresses, physical addresses, and other similar types of data. In addition, there are “special categories” of data, or sensitive personal data, that need to be protected at a higher level. This includes things like religious affiliation, health records, political opinions, and racial or ethnic origin.

Identity and access management can help protect personal data by ensuring:

Authorization—Only users who need to access the data can, in fact, access it.

Authentication—Users who access information are who they say they are at the time of access.

Certification—There is a continuous process of access reviews and certifying proper authorization controls, given the constant flux of users who need access to information. (Consider the handling of new hires, transfers, promotions, terminations, and additions of users resulting from mergers and acquisitions.)

Auditability—The organization has the ability to effectively govern authorization, certification and authentication.
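The certification and auditability points above are easiest to see as a concrete reconciliation: take the HR record of who is employed and in what role, take the list of entitlement grants, and flag every grant that no longer fits. The script below is an added example written for this post, not code from the original post or from RSA; the employee names, roles, entitlement strings, approver names and the 365-day recertification window are all constructed assumptions. It produces one finding per problem (terminated user, transferred user holding an old role's access, grant with no approval record, account with no HR owner, unmapped role from an acquisition, overdue recertification) and marks findings that touch special-category data so they can be reviewed first.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed HR roster (hypothetical users; not from the original post).
# "bob" was transferred out of HR, "carol" was terminated, "dave" arrived
# through an acquisition and has no role mapping yet.
EMPLOYEES: Dict[str, Dict[str, str]] = {
    "alice": {"status": "active", "role": "hr_analyst"},
    "bob": {"status": "active", "role": "support_agent"},
    "carol": {"status": "terminated", "role": "hr_analyst"},
    "dave": {"status": "active", "role": "acquired_staff"},
}

# Least-privilege baseline: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "hr_analyst": {"hr_db:read_health_records", "hr_db:read_employee_pii"},
    "support_agent": {"crm:read_customer_contact"},
}

# Entitlements that expose GDPR "special category" data (assumed labels).
SENSITIVE_ENTITLEMENTS: Set[str] = {"hr_db:read_health_records"}


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    approver: Optional[str]   # None means no approval record exists
    granted_on: date


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str
    sensitive: bool           # True when special-category data is involved


# Constructed entitlement grants as an access-management system might export them.
GRANTS: List[Grant] = [
    Grant("alice", "hr_db:read_health_records", "hr_manager", date(2017, 6, 1)),
    Grant("alice", "hr_db:read_employee_pii", "hr_manager", date(2016, 1, 15)),
    Grant("bob", "hr_db:read_employee_pii", "hr_manager", date(2017, 9, 1)),
    Grant("bob", "crm:read_customer_contact", "support_lead", date(2017, 9, 1)),
    Grant("carol", "hr_db:read_health_records", "hr_manager", date(2017, 6, 1)),
    Grant("dave", "crm:read_customer_contact", None, date(2018, 3, 1)),
    Grant("erin", "crm:read_customer_contact", "support_lead", date(2017, 11, 1)),
]


def certify(employees: Dict[str, Dict[str, str]],
            role_entitlements: Dict[str, Set[str]],
            grants: List[Grant],
            review_date: date,
            max_age_days: int = 365) -> List[Finding]:
    """Reconcile grants against the HR roster and return every finding.

    A grant can raise more than one finding (e.g. unmapped role and no
    approval record); a terminated or orphaned account short-circuits,
    because the only sensible action is to revoke everything.
    """
    findings: List[Finding] = []

    def flag(g: Grant, reason: str) -> None:
        findings.append(Finding(g.user, g.entitlement, reason,
                                g.entitlement in SENSITIVE_ENTITLEMENTS))

    for g in grants:
        emp = employees.get(g.user)
        if emp is None:                      # account with no HR owner
            flag(g, "orphaned_account")
            continue
        if emp["status"] != "active":        # leaver still holding access
            flag(g, "terminated_user")
            continue
        allowed = role_entitlements.get(emp["role"])
        if allowed is None:                  # role never mapped (e.g. M&A intake)
            flag(g, "role_unmapped")
        elif g.entitlement not in allowed:   # transfer/promotion left stale access
            flag(g, "entitlement_outside_role")
        if g.approver is None:               # nothing to show an auditor
            flag(g, "no_approval_record")
        elif (review_date - g.granted_on).days > max_age_days:
            flag(g, "recertification_overdue")
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason code, for the certification report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    # Sensitive findings first so reviewers see special-category exposure at the top.
    for f in sorted(certify(EMPLOYEES, ROLE_ENTITLEMENTS, GRANTS, date(2018, 4, 1)),
                    key=lambda x: (not x.sensitive, x.user)):
        print(f"{'SENSITIVE ' if f.sensitive else ''}{f.user:6} {f.entitlement:30} {f.reason}")
```

The review date is passed in rather than taken from the clock so a certification run is reproducible, which is what makes the output usable as audit evidence; the same holds for the HR roster and grant export, which in practice would be snapshots with a timestamp. The reason codes map directly onto the events the post lists: terminations, transfers and promotions, and users added through acquisitions.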

While minimizing identity risk can help achieve the goal of protecting personal data, it’s also important to deliver access that’s both convenient and secure in the process. User convenience and productivity are vital considerations because you don’t want to frustrate your employees or consumers, or impede productivity on the way to compliance. Here are some identity (Read more...)

*** This is a Security Bloggers Network syndicated blog from RSA Blog authored by Ayelet Biger-Levin. Read the original post at: http://www.rsa.com/en-us/blog/2018-04/role-of-identity-in-gdpr-compliance.html