The EU General Data Protection Regulation (GDPR) & IAM

With the anticipated publication of the European General Data Protection Regulation (“Regulation”) in 2016, large and small enterprises are beginning to assess how the new Regulation will affect their data protection and privacy compliance programs. The new Regulation will likely affect companies based in the EU and outside of the EU, so it is important for all companies to understand if the Regulation will apply to them, and if so what new requirements and obligations the Regulation will impose.

WHAT IS HAPPENING?

The Regulation will largely replace the existing country-specific data protection laws in the EU and will apply directly in all Member States, achieving far greater harmonisation of data privacy law. The final text comes after a long process of negotiation and amendment: the Commission, the Parliament and the Council have recently been negotiating the proposed amendments between them. Once adopted, companies will have two years to get their privacy house in order before the Regulation applies, from May 25th 2018. Given the number of changes the Regulation brings, companies should begin working on compliance sooner rather than later.

IS MY COMPANY SUBJECT TO THE REGULATION?

The Regulation will apply not only to companies established in the EU, but also to companies outside the EU that process personal data about individuals in the EU where the processing relates to offering goods or services to those individuals or to monitoring their behaviour. It binds processors as well as controllers. Consequently, practically every company that is located in the EU, serves EU customers or tracks EU users will be subject to the Regulation; having no EU office is not a safe harbour.

WHAT ARE THE RISKS?

Companies subject to the Regulation face far higher penalties than under the existing regimes. The Regulation provides for fines of up to 20 million euro or up to 4% of annual worldwide turnover, whichever is higher, with turnover measured across the whole corporate group.

HOW CAN WE PREPARE?

Below are eight points, seen from an infrastructure and software point of view, that can help you and your organisation prepare for the forthcoming Regulation.

  1. Evaluate whether the technology you currently use to manage access to data that falls under the Regulation is sufficient. It should be able to generate lists or reports on who has which level of access to any given piece of information, whether it lives in SharePoint, on file servers or in Exchange. Establish who in your company handles personal data and, more importantly, where it is stored, who stores it, who accesses it and how. What reports or documentation are available to track data and user activity? Are your workflows and processes efficient and compliant? A fundamental first step towards compliance is to restrict access on a need-to-know basis (least privilege): that prevents problems before they occur by ensuring that only qualified and appropriate employees handle personal data.
  2. Decide whether you will work with external auditors or make someone in the organisation responsible for data compliance. Either way, you must be able to generate regular, standardised reports to meet compliance needs efficiently. A central repository of current and historic access rights is also important for record-keeping purposes. Lastly, make sure that any compliance activity is done as quickly and accurately as possible to avoid further costs and fines.
  3. Any analysis of your solutions and infrastructure must point to potential problems, or at least provide the information needed to identify gaps and structural weaknesses. Fix the structural causes rather than the individual symptoms, so that the same issues do not recur.
  4. Most experts recommend starting to prepare for the Regulation as soon as possible. Most companies already have compliance standards to meet and will largely have to fill in the gaps that the new requirements create; starting early gives the organisation time to evaluate those gaps in its current portfolio and close them.
  5. Measures and procedures must be in place to deal with data breaches. Preventing breaches comes first, but it is equally important to have tooling that records user activity and data flows so that the history can be reconstructed afterwards: for example, who was accessing a file before the breach, or who changed permissions for which users or groups, and when.
  6. To show that you meet the necessary compliance measures, a solution must not only present information that is easy to understand but also act as a platform for educating non-technical users. Deciding which users should have access to data, and spotting inappropriate or excessive access, requires the non-technical data owners to be involved in the process. If everyone involved is properly trained and informed, subsequent compliance checks will be faster and easier.
  7. Auditing and tracking capabilities must provide actionable intelligence. Recording every single activity on the network produces a colossal amount of data to sift through; it makes more sense to produce logs and reports narrowed down to the specific activity you need to track.
  8. Meeting any compliance regulation requires investment, and the critical factor in evaluating that investment is the price-to-performance ratio. It therefore makes sense to invest in solutions that make your employees more efficient and that make each subsequent compliance check faster than the last.
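To make points 1, 5 and 7 concrete, here is an added example (not Safewhere code, and not from the original article) of the kind of query an audit trail must be able to answer. It replays a constructed access log to reconstruct who held access to a resource at a given moment, lists the permission changes in the window before a breach, and narrows the full read log down to the actionable subset: reads by users who had no standing grant at the time, plus repeated failed logins. The log format, the event kinds, the user names and the file name are all assumptions made for this example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample audit trail (not real data). One event per line:
#   <UTC timestamp> <kind> <actor> <target> <resource>
# kind: grant/revoke (actor changes target's access to resource),
#       read (actor opened resource), login_failed (actor failed to sign in).
# "-" marks a field that does not apply to that event kind.
SAMPLE_AUDIT_LOG = """\
2018-03-01T08:00:00Z grant admin alice hr/payroll.xlsx
2018-03-01T08:05:00Z grant admin bob hr/payroll.xlsx
2018-03-02T09:10:00Z read alice - hr/payroll.xlsx
2018-03-03T17:30:00Z grant bob carol hr/payroll.xlsx
2018-03-03T17:31:00Z login_failed carol - sso
2018-03-03T17:32:00Z login_failed carol - sso
2018-03-03T17:40:00Z read carol - hr/payroll.xlsx
2018-03-04T08:00:00Z revoke admin carol hr/payroll.xlsx
2018-03-04T08:30:00Z read dave - hr/payroll.xlsx
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    actor: str
    target: str
    resource: str


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp written with a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated log above into chronologically sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, actor, target, resource = line.split()
        events.append(Event(parse_ts(ts), kind, actor, target, resource))
    events.sort(key=lambda e: e.ts)  # replay below relies on chronological order
    return events


def access_at(events: list[Event], resource: str, at: datetime) -> set[str]:
    """Replay grants and revokes up to `at` to reconstruct who held access then.
    This answers the breach-report question 'who had access to the data and when'."""
    holders: set[str] = set()
    for e in events:
        if e.ts > at:
            break  # sorted input: nothing later can affect the state at `at`
        if e.resource != resource:
            continue
        if e.kind == "grant":
            holders.add(e.target)
        elif e.kind == "revoke":
            holders.discard(e.target)
    return holders


def permission_changes(events: list[Event], resource: str,
                       start: datetime, end: datetime) -> list[Event]:
    """Grants and revokes on `resource` inside a window, e.g. the days before a breach."""
    return [e for e in events
            if e.resource == resource and e.kind in ("grant", "revoke")
            and start <= e.ts <= end]


def reads_without_grant(events: list[Event], resource: str) -> list[Event]:
    """Reads by users who had no standing grant at read time. This is the actionable
    subset of the read log: access that the permission history does not explain."""
    return [e for e in events
            if e.kind == "read" and e.resource == resource
            and e.actor not in access_at(events, resource, e.ts)]


def repeated_failed_logins(events: list[Event], threshold: int = 2) -> dict[str, int]:
    """Users with at least `threshold` failed logins; a cheap signal worth reporting."""
    counts = Counter(e.actor for e in events if e.kind == "login_failed")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    log = parse_log(SAMPLE_AUDIT_LOG)
    doc = "hr/payroll.xlsx"
    breach = parse_ts("2018-03-04T09:00:00Z")  # assumed time the breach was discovered
    print("holders at breach time:", sorted(access_at(log, doc, breach)))
    print("permission changes in the 3 days before:",
          [(e.ts.isoformat(), e.kind, e.actor, e.target)
           for e in permission_changes(log, doc, breach - timedelta(days=3), breach)])
    print("reads without a grant:",
          [(e.ts.isoformat(), e.actor) for e in reads_without_grant(log, doc)])
    print("repeated failed logins:", repeated_failed_logins(log))
```

On the sample log this flags dave's read (never granted access) while leaving carol's read alone, because carol held a grant at the moment she read the file even though it was revoked the next morning. The point-in-time replay is what makes that distinction; a report built only from current permissions would either miss dave or wrongly accuse carol.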

WHY SAFEWHERE?

Safewhere solutions integrate natively with the various identity and access management products, in particular removing the need for individual applications to manage user passwords themselves, and access control can be reinforced with strong authentication methods adapted to the usage scenario. In this way security both protects the company and improves its agility. Our access management solutions can be hosted inside or outside the company while remaining under the company's control.

Safewhere offers a single sign-on experience for any type of user, on any device, for any application wherever it runs, using any authentication method, such as AD credentials, national IDs and social media IDs. Single sign-on is not only a nice-to-have for users; more importantly, it is cost effective, adds security, saves resources and helps to comply with regulations such as the GDPR. Features relevant to the GDPR:

Reporting: Our reporting capabilities will allow you to provide standardized reports to internal and external auditors to prove that your organization is compliant on who accessed what services from where and at what time.

Security Monitoring: All changes are tracked and audited giving you a complete overview of user access across your environment.

Provisioning: Safewhere lets you provision users in a structured manner, which reduces errors such as stale or excessive accounts and significantly saves time.

Under the GDPR, a personal data breach (which includes compromised user accounts) must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The company itself has to make and document that risk assessment. Preparation is needed, because you will have to prove that everything is in place to respond to data breaches. The ability to run instant reports on what data has been lost, how and when it was lost, and who had access to the data and when is therefore crucial. Notifying the affected individuals is mandatory when the breach is likely to result in a high risk to them, unless the data was protected, for example by encryption, so that it is unintelligible to whoever obtained it. Safewhere will offer you reports on what data has been accessed and when, including failed login attempts. Controlling user provisioning is key in this process.

ABOUT SAFEWHERE

Safewhere is a Danish software provider specializing in Identity and Access Management. The company was founded in 2012, with the aim to deliver a technology-leading platform for federated identity management.

The Safewhere platform is one of the most comprehensive and flexible federated identity management solutions in the market. It handles all the complexity of connecting an organization’s users and applications and managing the users’ access rights.
