midPoint and GDPR

The General Data Protection Regulation (GDPR) is all about good management of identity data. And that is exactly what identity management (IDM) technologies do. Also, it is unlikely that GDPR compliance can be effectively implemented without any support from technology. And that’s where IDM systems come in again. Overall, IDM technologies are an almost perfect fit for GDPR compliance. But how exactly can an identity management system such as our very own midPoint help with GDPR?

Identity management systems are excellent record keepers. When an IDM system is deployed properly, all operations over the identity data are managed or monitored by the IDM system. IDM systems such as midPoint keep data and metadata about those operations. Therefore, midPoint knows what happened, when it happened and how it happened. MidPoint keeps a record of the operation. But the data also works the other way around. For every account midPoint can tell exactly why that account is there – what is the reason the identity data are recorded and processed. And that is exactly what GDPR mandates. GDPR does not allow processing of personal data without a lawful basis. And midPoint can keep records about the lawful bases for data processing for every single account in every system. Keeping records about identity data is something that midPoint does already and it does that well. It is something midPoint was designed for. This just needs to be adapted to the specific requirements of GDPR.

When you read almost any article about GDPR, there are a few words that are repeated over and over again. The word “consent” is definitely one of them. It is not difficult to get the impression that GDPR is all about consent. But that is clearly not true. Consent is undoubtedly an important part of GDPR. But from a data management perspective, consent is yet another type of lawful basis for data processing. It is not fundamentally different from other lawful bases. Therefore, midPoint can process consent data quite easily. A user wants to revoke a consent? No problem. MidPoint knows the “scope” that the consent was given for. It can easily compute which accounts need to be deprovisioned, which attributes erased and which services disabled. This is what midPoint was built for.

There are two other aspects of GDPR that often get overlooked: the right to data rectification and erasure. The data subject has a right to request correction of the data or complete erasure of the data. MidPoint can easily do both. That is what a good IDM system does. MidPoint propagates the data to all the target systems – based on the configuration and the requirements of the lawful bases for data processing. When the primary data are updated, midPoint automatically propagates the change when needed to keep all the data up to date. MidPoint knows where the data are because it is keeping the records. Therefore, when the user submits a data erasure request, midPoint can easily erase all the data records.


The really important thing here is that there are many more benefits to an IDM deployment than just GDPR compliance. Proper management of personal data as mandated by GDPR is just one of many things that IDM systems such as midPoint do. But there is much more. A good IDM solution is the key to speeding up IT processes, enabling new services and improving time-to-market. But perhaps most importantly, IDM is a necessary component of the vast majority of IT security solutions. It is almost impossible to maintain proper enterprise IT security without a good IDM system. It is always a good idea to consider deployment of an identity management solution. And GDPR is an excellent opportunity to do so.
