Easing GDPR compliance with PIAM

July 25, 2017
A look at how advanced PIAM solutions can help organizations meet the requirements of the new EU law

Beginning May 25, 2018, any organization that processes the personal data of individuals in the European Union will be required to comply with the new General Data Protection Regulation (GDPR), which replaces the 1995 Data Protection Directive and extends the reach of EU data protection law to foreign companies that process data on EU residents, wherever those companies are based. The goal of this data protection initiative is to standardize and harmonize the fragmented data privacy rules across the European Economic Area to ensure that individuals’ rights are protected in today’s digital world.

For physical security teams, the practical consequence of GDPR is that organizations operating in Europe must have a lawful basis for capturing and storing identity information in physical access control servers, and must remove that information once it is no longer needed. Consent is only one of the lawful bases the regulation recognizes (Article 6); employee access control is often grounded in contract or legitimate interest instead, and the consent handling described in this article applies where consent is the basis chosen. Where it is, the regulation sets higher standards: consent must be freely given and specific, based on clear, easily available information about what an individual is agreeing to. Organizations must also make it as easy for someone to withdraw consent as it is to provide it.

For security teams, this means physical access control must ensure that consent (or another documented lawful basis) is recorded for all individuals whose information they are storing and managing across all physical access control systems (PACS), and that any personal information is centrally tracked and controlled on every server that holds it. GDPR protects data subjects in the EU regardless of citizenship, and it follows the data: the obligation applies no matter where in the world the server resides. All information must be auditable, and individuals’ personal information must be removed from the relevant PACS servers if they no longer require access or if their authorization and/or privileges are no longer valid. This means that a person in the EU who is added to a U.S.-based PACS must be tracked and removed once that entry is no longer relevant, or upon that person’s request.

The good news is that organizations will now have a single regulation rather than multiple standards in different regions to comply with, which should significantly decrease compliance costs while improving public perception of data privacy and individual rights.

The stiff penalty for serious violations of this regulation – up to €20 million or four percent of the worldwide annual turnover of the undertaking, whichever is higher, so a parent or holding company’s revenue counts – makes it essential that organizations ensure they are in full compliance. For a smaller company, this could mean the difference between continuing in business and shutting down entirely. However, compliance often requires exhaustive and time-consuming manual and administrative efforts that rely on information from a variety of stakeholders, which introduces the potential for errors that can jeopardize compliance.

Without question, compliance with GDPR will be challenging, and the complicated and inefficient manual administrative processes organizations often employ to transform policies into practice do nothing to ease the burden. In fact, they are more likely to hinder these efforts, because they rely heavily on gathering information from a variety of stakeholders, each of whom is another source of delay and error.

Advanced physical identity and access management (PIAM) solutions bridge the gap between policy and process by employing policy-based automation, deep systems integration and strong auditing capabilities to help organizations comply with the main requirements of GDPR more effectively and efficiently, enabling them to do business in Europe without fear of incurring fines or other penalties.

Automation

As previously mentioned, the process of implementing GDPR requirements across PACS often relies on the human element in the form of incredibly time-consuming and error-prone manual processes. PIAM solutions remove these impediments by applying policy- and rules-based automation to streamline all processes, from identity enrollment through the auditing necessary to demonstrate compliance.

PIAM tracks every place an individual’s information has been propagated, making audit and deletion a straightforward process: the hub knows which downstream systems hold a copy, so nothing is left behind when the record is removed.

Pseudonymization

One of the benefits of PIAM is the ability to use pseudonyms to obscure individuals’ personal data, a safeguard GDPR explicitly encourages (recital 28 describes pseudonymization as reducing risk to data subjects, and Article 32 lists it among appropriate security measures). With PIAM solutions, organizations can replace first and last names with a unique ID within identity records. Rather than transmit personal data to PACS systems, the PIAM solution sends only this pseudonymous identifier together with the access attributes the PACS needs, while the mapping back to a named person stays in the PIAM. This is difficult, if not impossible, to achieve using the PACS alone.

Why is this important? Because GDPR requires organizations to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33), and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). Notifying individuals is not required if the breached data was rendered unintelligible to unauthorized parties, for example by encryption. Pseudonymized data is still personal data, because the PIAM holds the information needed to re-identify it, so pseudonymization does not waive the notification duty by itself. What it does is shrink the impact of a PACS compromise: the stolen records contain no names, which substantially limits both risk and liability.

Pseudonymization, like most of PIAM’s capabilities, rests on automation: identifiers are generated, propagated and retired by policy rather than by hand. Given its power to aid in meeting the requirements of GDPR, the importance of automation cannot be overstated, as it serves as the foundation upon which the vast majority of PIAM’s other capabilities are built.
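The pseudonymization approach described above, as an added example that is not code from the article or from any PIAM product. It shows the check a practitioner should make: an unkeyed hash of a name looks opaque but can be reversed by anyone with a list of candidate names, whereas a pseudonym computed under a secret held only in the PIAM hub cannot be reversed without that secret (and can be reversed with it, which is why the data remains personal data). The identity records, candidate-name list, key handling and PACS record layout are all constructed for illustration.

```python
"""Pseudonymizing identity records before they leave the PIAM hub.

Added example, not code from the original article or from any PIAM vendor.
Names, the PACS payload format and the secret key are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample identity records as a PIAM hub might hold them.
IDENTITIES = [
    {"first": "Anna", "last": "Müller", "dept": "Finance", "badge_sites": ["HQ", "Lab-2"]},
    {"first": "Jean", "last": "Dupont", "dept": "Facilities", "badge_sites": ["HQ"]},
]

# Constructed list of names an attacker who stole PACS data might try.
COMMON_NAMES = ["Anna Müller", "Jean Dupont", "John Smith", "Maria Rossi"]


def naive_pseudonym(first, last):
    """Unkeyed hash of the name. Looks opaque, but anyone can recompute it
    from a list of candidate names, so it is NOT a usable pseudonym."""
    return hashlib.sha256(f"{first} {last}".encode("utf-8")).hexdigest()[:16]


def keyed_pseudonym(first, last, key):
    """HMAC over the name under a secret held only by the PIAM hub. The key is
    the 'additional information' (GDPR Art. 4(5)) that must be kept separately
    from the pseudonymized data."""
    return hmac.new(key, f"{first} {last}".encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pacs_record(identity, pseudonym):
    """The only thing the PACS receives: an opaque ID plus the access
    attributes it needs. No first/last name travels to the door controller."""
    return {"id": pseudonym, "sites": list(identity["badge_sites"])}


def dictionary_attack(pseudonym, candidates, key=None):
    """Try to reverse a pseudonym by recomputing it for each candidate name.
    key=None models an outsider against naive_pseudonym; passing the real key
    models an insider (or the hub itself) re-identifying a keyed pseudonym."""
    for full in candidates:
        first, last = full.split(" ", 1)
        guess = naive_pseudonym(first, last) if key is None else keyed_pseudonym(first, last, key)
        if guess == pseudonym:
            return full
    return None


def demo():
    key = secrets.token_bytes(32)  # lives in the hub's key store, never in the PACS
    results = {}
    for ident in IDENTITIES:
        full = f"{ident['first']} {ident['last']}"
        naive = naive_pseudonym(ident["first"], ident["last"])
        keyed = keyed_pseudonym(ident["first"], ident["last"], key)
        results[full] = {
            "pacs_record": pacs_record(ident, keyed),
            "naive_reversed": dictionary_attack(naive, COMMON_NAMES),
            "keyed_reversed_without_key": dictionary_attack(keyed, COMMON_NAMES),
            "keyed_reversed_with_key": dictionary_attack(keyed, COMMON_NAMES, key),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "->", r)
```

A keyed, deterministic pseudonym is used here rather than a random UUID so that re-provisioning the same person to a second PACS yields the same ID without a lookup; a random ID with a mapping table kept in the hub works equally well and avoids any dependence on the name. Either way, the secret or the mapping table is what makes the data personal data again, and it needs the same protection as the names themselves.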

Self-Service Enrollment

In addition to improving security, properly enrolling employees, contractors, visitors and others in a PACS also plays a key role in GDPR compliance. However, there are often delays throughout the process between the initial request and final approval of access privileges – delays which cost productivity and money, while also compromising security.

PIAM solutions allow an organization to create a self-service enrollment process that streamlines the onboarding process. This function can also be used to meet the consent and purpose mandates of GDPR.

During the enrollment process, employees, contractors, visitors and other third parties can be given access to their own profiles, where they can view what personal information is being collected, for what reason and how that information will be used, and where each individual’s consent is recorded. Capturing this information at the time of registration or request for access privileges eliminates multiple potentially costly and time-consuming tasks from the GDPR compliance process. The same self-service portal lets individuals review data collection and usage policies and revoke consent to have their information stored and used for access control and other purposes, at which point the system automatically erases the individual’s data from every system it was propagated to – addressing another important GDPR requirement. Withdrawal does not make earlier processing unlawful, and Article 17 allows data to be retained where another legal obligation requires it, so the erasure policy should encode those exceptions rather than delete unconditionally.

Systems Integration

One of the biggest strengths of PIAM solutions is the ability to tie multiple disparate systems together easily to allow information to be aggregated. This encompasses access control, visitor management and other security systems as well as non-security systems like human resources, time and attendance and others. The PIAM solution can serve as the hub for all of these systems, giving organizations a single source for management.

From a security standpoint, the ability to aggregate, sort and analyze data from these disparate systems can prove beneficial in identifying potential behavioral and other patterns that may indicate a potential threat.

There are also numerous operational benefits, including efficiency and cost savings. If manually entering data into a single system is time-consuming and error-prone, imagine the potential headaches of having to do it for multiple systems. By eliminating this need, PIAM enables greater efficiency and decreases or eliminates the potential for human error. Because the same challenges also apply to tracking and removing data, this capability makes it easier for an organization to ensure GDPR compliance.

Today, an individual’s data is typically stored across multiple systems within the security and/or operational ecosystem. This becomes problematic when it is necessary to delete an individual’s information, since removing it from a single system does not meet the standard established under GDPR. With PIAM, an organization can remove the data in question in the hub and have it removed from all integrated systems automatically, with the hub’s propagation record showing which systems held a copy and confirming each deletion. Two caveats apply: the cascade reaches only the systems the PIAM actually integrates, and copies that live outside the integration (exports, backups, controller-local caches) need their own retention and deletion procedure, recorded in the same audit trail.

Auditing

As with any regulation, demonstrating compliance with GDPR is vital and must be done regularly to avoid penalties. This can be a daunting task that requires demanding and thorough auditing and reporting. Unfortunately, these critical tasks are often performed using costly, time-consuming and error-prone manual processes. However, non-compliance is not an option, as the potential cost and penalties are even more daunting.

PIAM reduces this strain on an organization’s resources by employing automation that enables efficient auditing of systems and locations, along with the robust reporting capabilities needed to demonstrate compliance. For example, when user consent is recorded or when individual data is automatically deleted from PACS and all other integrated systems when requested in accordance with GDPR, that action is stored within the system. Rather than rely on people to collect and report this information, PIAM allows organizations to generate compliance reports with the click of a button – significantly reducing regulatory reporting costs. This function can also be programmed to be performed at regular intervals to ensure timely reporting and compliance.
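The hub behaviour described in the Systems Integration and Auditing sections, as an added example rather than code from the article or from any PIAM product: a minimal hub that records consent and purpose at enrollment, provisions a pseudonymous record to several integrated systems while tracking where it went, cascades erasure on withdrawal of consent, verifies each deletion, and produces the audit trail and compliance report from the same records. The system names, record layout, event names and in-memory stand-ins for real connectors are constructed assumptions.

```python
"""Minimal PIAM-style hub: consent record, pseudonymous provisioning,
propagation tracking, erasure cascade and audit trail.

Added example, not code from the original article or any PIAM product.
System names, record layout and audit-event names are constructed.
"""
import uuid
from datetime import datetime, timezone


class IntegratedSystem:
    """Stand-in for a PACS, visitor-management or HR system reached through a
    connector. Real systems are driven through their own APIs; this one just
    keeps a dict keyed by the pseudonymous ID."""

    def __init__(self, name):
        self.name = name
        self.records = {}

    def put(self, pid, attrs):
        self.records[pid] = dict(attrs)

    def delete(self, pid):
        return self.records.pop(pid, None) is not None

    def has(self, pid):
        return pid in self.records


class PIAMHub:
    def __init__(self, systems):
        self.systems = {s.name: s for s in systems}
        self.identities = {}   # pid -> personal data + consent, kept only in the hub
        self.propagation = {}  # pid -> set of system names holding a copy
        self.audit = []        # append-only audit events

    def _log(self, event, pid, **detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "pid": pid, **detail})

    def enroll(self, first, last, purpose, consent_given):
        """Self-service enrollment: consent and purpose recorded at request time."""
        if not consent_given:
            raise ValueError("no lawful basis recorded; refusing to store personal data")
        pid = uuid.uuid4().hex  # random pseudonym; the name->pid mapping lives only here
        self.identities[pid] = {"first": first, "last": last,
                                "purpose": purpose, "consent": True}
        self.propagation[pid] = set()
        self._log("consent_recorded", pid, purpose=purpose)
        return pid

    def provision(self, pid, system_name, attrs):
        """Send only the pseudonym plus access attributes downstream, and
        remember that this system now holds a copy."""
        self.systems[system_name].put(pid, attrs)
        self.propagation[pid].add(system_name)
        self._log("provisioned", pid, system=system_name)

    def withdraw_consent(self, pid):
        """Erasure cascade: delete from every system the hub propagated to,
        verify each deletion, then drop the hub's own copy.
        Returns the names of systems where erasure could not be confirmed."""
        failed = []
        for name in sorted(self.propagation.get(pid, ())):
            target = self.systems[name]
            target.delete(pid)
            if target.has(pid):
                failed.append(name)
            else:
                self._log("erased", pid, system=name)
        if failed:
            # Keep the hub record so the failure is visible and can be retried.
            self._log("erasure_incomplete", pid, systems=failed)
            return failed
        self.identities.pop(pid, None)
        self.propagation.pop(pid, None)
        self._log("erased", pid, system="hub")
        return failed

    def compliance_report(self):
        """What an auditor asks for: consent status and where each record lives."""
        return {pid: {"consent": rec["consent"], "held_by": sorted(self.propagation[pid])}
                for pid, rec in self.identities.items()}


def demo():
    hub = PIAMHub([IntegratedSystem("pacs-us"), IntegratedSystem("pacs-eu"),
                   IntegratedSystem("visitor-mgmt")])
    pid = hub.enroll("Anna", "Müller", purpose="building access", consent_given=True)
    hub.provision(pid, "pacs-us", {"sites": ["NY-HQ"]})
    hub.provision(pid, "pacs-eu", {"sites": ["Berlin"]})
    before = hub.compliance_report()
    failed = hub.withdraw_consent(pid)
    leftover = [s.name for s in hub.systems.values() if s.has(pid)]
    return {"pid": pid, "before": before, "failed": failed, "leftover": leftover,
            "after": hub.compliance_report(), "events": [e["event"] for e in hub.audit]}


if __name__ == "__main__":
    print(demo())
```

The point of `withdraw_consent` verifying each deletion and refusing to drop the hub record while any downstream copy remains is that the audit trail then reflects reality: an "erased" event is written only for systems where the record is confirmed gone, and an "erasure_incomplete" event flags the exception for follow-up instead of silently reporting success.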

In our connected world, privacy has taken on increased significance for everyone, and as a result, governments are enacting regulations and policies to protect individuals’ most valuable commodity – their identity. With less than a year before GDPR takes effect, organizations wishing to do business in Europe must be actively working to put the policies and practices in place to ensure compliance with this new regulation. Non-compliance is simply not an option, given the hefty penalties organizations and their parent companies face. This will no doubt be challenging, but advanced PIAM solutions replace the manual processes often used to perform the tasks required under GDPR with automation, strong integration and thorough auditing capabilities. Organizations can deploy PIAM to effectively and efficiently ensure compliance with the main requirements of GDPR and avoid staggering and potentially catastrophic penalties.