IDM 360™ Support for General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) is an important regulation addressing the protection, access and control of personal information (PI) for European citizens. GDPR was approved by the EU Parliament on April 14, 2016. It goes into full enforcement mode on May 25, 2018. From that point, organizations found in non-compliance may face heavy fines.
How can IDM 360™ help comply with the GDPR?
The GDPR has many components associated with data protection, security, access and portability. IDM 360™ features allow for strong protections that greatly aid GDPR compliance. Main features of GDPR addressed by IDM 360™ include:
Consent
User consent (opt-in) is required to process personal information unless specifically mandated by law or regulation. IDM 360™ provides flexible user registration that can obtain and record opt-in during general registration or after the fact.
Pseudonymization
User information needs to be disassociated from the subject (user) either through encryption or tokenization. IDM 360™ provides several mechanisms for this, including:
- Directory Encryption: sensitive user attributes are encrypted in the directory at rest using strong encryption algorithms.
- Tokenization: unique, meaningless user identification numbers that have no relation to the user's identity are generated for each user. These IDs can be used as primary identifiers (keys) for the user.
- Persistent IDs: user IDs can be translated during sign-on to unique, unidentifiable IDs that allow the user to map their login to an otherwise anonymous user ID. This prevents the system from associating accounts with specific people.
Right of Access
Users have the right to request their personal information. The IDM 360™ Unified Directory can provide user reports as well as facilitate self-service reporting.
Multi-Factor Authentication
The European Union Agency for Network and Information Security (ENISA) recommends the use of two-factor (multi-factor) authentication to protect user identity as part of the GDPR. IDM 360™ offers multiple forms of multi-factor authentication, including one-time PIN, time-based one-time PIN, CAC card, smart card, secret questions and knowledge of personal details, as well as integration with popular push-based factor systems (e.g. DUO™).
Right of Erasure (‘Right to forget’)
Users have the right to have personal information erased/removed under a variety of conditions, the most common being the end of their relationship with the entity storing the personal information. IDM 360™ facilitates erasure in the following ways:
- When all user identity is centralized in the Unified Directory, there is a single source that can be managed, allowing quick removal of user information.
- IDM 360™ SyncFire™ automatically detects users that have been removed from incoming data feeds and applies policies that first deactivate the user, then delete them after confirming that they have been inactive for a preset length of time.
- Combining erasure with pseudonymization (above) provides a very effective way to “forget” users after their data is no longer required.
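The pseudonymization mechanisms listed above and the deactivate-then-delete erasure policy are illustrated by the following added example, which is constructed for this page and is not IDM 360™ or SyncFire™ code; the class name, the HMAC-based persistent ID, and the day-counter grace period are assumptions.

```python
import hashlib
import hmac
import secrets
# Constructed illustration, not IDM 360 code: records are keyed by a random
# token that reveals nothing about the person, and the login -> token link is
# a keyed HMAC, so the plaintext login is never stored beside the record.
class PseudonymizedDirectory:
    def __init__(self, signon_key: bytes):
        self._key = signon_key
        self._records = {}  # token -> attributes (login not among them)
        self._links = {}    # HMAC(login) -> token

    def _pseudonym(self, login: str) -> str:
        # Persistent ID: same login, same opaque value; irreversible without the key.
        return hmac.new(self._key, login.lower().encode(), hashlib.sha256).hexdigest()

    def register(self, login: str, attrs: dict) -> str:
        token = secrets.token_hex(16)  # tokenization: meaningless primary key
        self._records[token] = {**attrs, "status": "active", "inactive_since": None}
        self._links[self._pseudonym(login)] = token
        return token

    def signon(self, login: str):
        token = self._links.get(self._pseudonym(login))
        if token is None or self._records[token]["status"] != "active":
            return None
        return token

    def reconcile(self, feed_logins, today: int, grace_days: int) -> list:
        """Deactivate users missing from the feed; delete after the grace period."""
        present = {self._pseudonym(lg) for lg in feed_logins}
        deleted = []
        for pseud, token in list(self._links.items()):
            rec = self._records[token]
            if pseud in present:
                rec["status"], rec["inactive_since"] = "active", None
            elif rec["status"] == "active":
                rec["status"], rec["inactive_since"] = "inactive", today
            elif today - rec["inactive_since"] >= grace_days:
                del self._records[token]  # erase the record ...
                del self._links[pseud]    # ... and the only link back to it
                deleted.append(token)
        return deleted

    def forget(self, login: str) -> bool:
        """Right of erasure on request: drop the record and its link."""
        token = self._links.pop(self._pseudonym(login), None)
        if token is not None:
            del self._records[token]
        return token is not None
```

Once the link is dropped, the remaining record (if any) cannot be tied back to a login even by someone holding the directory, which is what makes pseudonymization plus erasure an effective way to forget a user.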
Right of Data Portability
Users have the right to request that their (non-anonymous) data be transferred to other electronic systems. IDM 360™ allows both sophisticated reporting to extract information and outbound feeds/self-service via SyncFire™ to securely extract user information.
Data Protection by Design and by Default
GDPR requires comprehensive protection of user data by design and by default. The IDM 360™ Unified Directory provides sophisticated built-in access control to restrict access to user information based on policy. The IDM 360™ administrative console allows for multiple layers of delegated administration, ensuring that help desk personnel, system administrators and designated customer administrators have access to only the information needed to perform their jobs.
Records of Processing
GDPR requires organizations to keep records of the processing of personal information. IDM 360™ provides comprehensive audit trails of each step of user identity management, allowing a complete record.
How can AssureBridge help your organization navigate the GDPR?
With over 25 years’ experience securing the personal information held by sensitive financial and government entities, AssureBridge professional services is uniquely qualified to provide practical, expert advice on securing, auditing and managing personal information. Please contact us for more information.