General Data Protection Regulation (GDPR) is a European regulation intended to strengthen and unify data protection for all individuals within the European Union, including the export of personal data outside the EU. It replaces Directive 95/46/EC and aims to give control over their data back to people. It becomes enforceable from 25 May 2018.
What does it take to comply?
The GDPR significantly changes the way organizations approach data protection. It requires major changes in how data is stored, and existing security models have to evolve to address its requirements, including:
Consent: A condition of lawful processing. It must be specific, informed and freely given. When processing is based on consent, the organization must be able to demonstrate that the individual gave it for the processing of their personal data. The data subject also has the right to withdraw consent to processing at any time, through the same medium by which it was obtained.
Breach notification: The organization must be able to react quickly to a data breach. It needs to determine the extent of the breach and notify the authorities within 72 hours.
Right to be forgotten: Data subjects have the right to require deletion of all their personal data.
Accountability: Data controllers must be able to demonstrate compliance with the GDPR. This includes documentation, system and technical compliance, and personnel (a Data Protection Officer, DPO).
Right to access: Data subjects can ask for access to their personal data. They can also ask the controller when and where the data is processed, and for what purposes.
Data transfer and portability: Data subjects can ask for their personal data to be transferred to another organization. The copy of their personal data must be provided in a commonly used, machine-readable format.
Data protection by design: Each new service or business process that uses personal data must be secure enough to protect it.
Are you in range?
The regulation applies to organizations processing personal data in an automated way or through a filing system. It concerns EU controllers and processors that process the personal data of EU citizens. One would think that what happens in Europe stays in Europe, right? Well, not this time, as the impact is literally global. The regulation also applies to all organizations which are not part of the EU but are offering goods or services to EU individuals (even for free) or are monitoring their behavior. For example, a university in the USA attended by European students has to comply with the GDPR.
Underestimation is expensive
Not complying with the GDPR can cause serious damage to any organization, regardless of its size. The fines can be up to 4% of annual global turnover or 20 million euros, whichever is higher. However, that is not the only problem. Just think of the organization's reputation after an information leak.
All you need is…
The GDPR is all about good management of identity data, and that is exactly what identity management technologies can help with. It is also improbable that GDPR compliance can be implemented effectively without any support from technology, and that is where IDM systems can be more than helpful again.