GDPR Lawful Basis Management

The first thing that most likely comes to mind when people hear about GDPR is “consent”. That is understandable, as the better part of the buzz around GDPR is about customer identities and digital marketing. But this emphasis on consumer identities is casting a shadow on other aspects of GDPR that are at least as important as consent. One of those aspects affects a much larger range of organizations than consent does. In fact, almost every organization is affected by it. I’m talking about the management of lawful bases for data processing.

According to GDPR, personal data can be processed only if there is a lawful basis for the processing. This applies to all personal data, not just the data about customers. And there are personal data in each organization that are absolutely critical for the organization to do anything at all: the data about employees, contractors, agents, teachers, partners, support engineers … pretty much everybody who keeps the wheels of your organization turning. Those people need to have accounts in your IT systems to be able to do anything meaningful. And unless your organization is a very strange kind of animal, those accounts contain personal data. You can process personal data only if you have a lawful basis for the processing. This is quite simple for employees, as employment itself is a good lawful basis for data processing. But what about other user categories? Can you tell whether account “jsmith7” belongs to a contractor, an agent or a support engineer? And which contract is the lawful basis for processing the data in this account? Is that contract still valid? It is not enough to just believe that there is a lawful basis for data processing. You must be able to clearly demonstrate what exactly that lawful basis is. And you have to be able to do it for every identity, every account, at any time. Something like “Oh, I think this is a contractor, I’m sure I have the contract here somewhere” is not going to satisfy your data protection authority. And there is an even more important aspect if you are a data protection officer or security officer: professionalism. Those professions rely heavily on systematic record keeping. Any deficiency in record keeping is very likely to result in security and data protection violations. Shoddy record-keeping practices should not be good enough for any self-respecting data protection professional.

However, there is a good solution, and it has been known for years: identity management and governance. Keeping records about identity data is exactly what any good identity management (IDM) system does. An IDM system knows where the personal data are. A good policy-based IDM system also knows why the data are there. An identity management system also makes it quite easy to delete or archive the data when they are no longer needed. This is especially important for data that do not have a strict lifecycle, such as data about contractors, support engineers, suppliers, partners, …

Evolveum midPoint is an IDM system that is up to the data protection challenge. Like most good IDM systems, midPoint has policy and record-keeping features. You can deploy midPoint today and get excellent identity management and governance features out of the box. However, there are some challenges that are quite unique to the data protection domain. MidPoint is one of very few IDM systems that have clearly taken the path of supporting data protection use cases. Some of the data protection challenges will be addressed by the midPoint 3.7 release, which is planned for later this year. The vast majority of the work is done, but there are still a few more things to do to get a complete set of data protection features. The feature design is ready and the development team is prepared; all that is needed is funding. There is still time. MidPoint release 3.8 is planned for spring 2018. So there is still a bit of time to fund those features to have them ready before GDPR becomes enforceable in May 2018. But that time is running out. And midPoint development follows the same basic rules as everyone else: first come, first served.
