GDPR: Identity and access governance for your compliance
You have surely already heard of the GDPR (General Data Protection Regulation), the new European regulation on the protection of personal data that has applied since 25 May 2018.
The GDPR is usually seen as a new constraint that will slow the growth of companies. However, if we step back, we can see that data is today a major strategic asset for companies; it is also known as the new black gold of the digital economy. The individual is a big consumer of data, but is also very vigilant about how that data is used and whether their privacy is respected. That is why we need to see the GDPR as an opportunity to drive the growth that comes from the use of data.
We will not go back over all the regulatory measures and the economic sanctions attached to them (Editor's Note: up to 4% of the company's worldwide turnover). Many articles already explain how to implement the register of processing operations, internal process organisation, … regarding the respect of personal data; the CNIL (National Commission for Data Protection and Liberties) suggests an approach you can refer to: https://www.cnil.fr/fr/principes-cles/rgpd-se-preparer-en-6-etapes.
Here we focus specifically on the security aspect and on data confidentiality. One of the axes suggested by the CNIL is proper management of accreditations, that is, of access rights (https://www.cnil.fr/fr/principes-cles/rgpd-se-preparer-en-6-etapes). Proper identity and access management is also recommended by ANSSI (National Cybersecurity Agency of France) in its « IT hygiene guide » (https://www.ssi.gouv.fr/uploads/2017/01/guide_hygiene_informatique_anssi.pdf), in which the information system is to be seen as the « cradle of your identity data ».
Recommendations on rights reviews are also formulated in the DPSI initiative (Personal Data and Information Systems), proposed with the support of France (http://www.cigref.fr/wp/wp-content/uploads/2017/11/CIGREF-GT-AFAI-CIGREF-TIF-Donnees-Personnelles-et-Systemes-d-Informations-GDPR-2017.pdf).
All of these analyses converge on the same observation: it is essential to limit access to only the data the user needs. This consists of:
- A correct definition of users' accreditations;
- Removing users' access when they are no longer legitimately accredited to access the IT resource (after a promotion, for example, or at the end of their employment contract);
- Carrying out periodic reviews of accreditations in order to identify and remove unused accounts and to realign the access granted with each user's functions.
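As an added illustration (not part of the original article or of any product it mentions), here is a minimal periodic access review in Python over constructed HR and account data; it flags the three cases listed above: accounts whose owner has left or has no HR record, dormant accounts, and rights that exceed the user's current function. The names, entitlements, job-function baseline and 90-day dormancy threshold are all assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical names and entitlements), not from any real system.
TODAY = date(2018, 6, 1)      # review date
DORMANCY_DAYS = 90            # an account unused longer than this is flagged

# Entitlements each job function legitimately needs (assumption: maintained by the business lines).
ROLE_BASELINE = {
    "hr_assistant": {"hr_portal_read"},
    "hr_manager": {"hr_portal_read", "hr_portal_write", "payroll_export"},
    "sales": {"crm_read"},
}

# HR feed: current function and contract end date (None = open-ended contract).
HR = {
    "alice": {"function": "hr_manager", "contract_end": None},
    "bob": {"function": "sales", "contract_end": None},      # promoted from hr_assistant, kept old rights
    "carol": {"function": "hr_assistant", "contract_end": date(2018, 3, 31)},  # contract ended
    "dave": {"function": "hr_assistant", "contract_end": None},
}

# Account store: granted entitlements and last login per account.
ACCOUNTS = {
    "alice": {"entitlements": {"hr_portal_read", "hr_portal_write", "payroll_export"}, "last_login": date(2018, 5, 30)},
    "bob": {"entitlements": {"crm_read", "hr_portal_read"}, "last_login": date(2018, 5, 28)},
    "carol": {"entitlements": {"hr_portal_read"}, "last_login": date(2018, 3, 20)},
    "dave": {"entitlements": {"hr_portal_read"}, "last_login": date(2018, 1, 15)},
    "svc_old": {"entitlements": {"payroll_export"}, "last_login": date(2017, 11, 2)},  # no HR record
}

def review_access(hr, accounts, baseline=ROLE_BASELINE, today=TODAY, dormancy_days=DORMANCY_DAYS):
    """Return (account, finding, detail) tuples for the reviewer to act on."""
    findings = []
    for account, info in accounts.items():
        person = hr.get(account)
        if person is None:                      # account with no owner in HR
            findings.append((account, "orphan", "no HR record: remove or assign an owner"))
            continue
        end = person["contract_end"]
        if end is not None and end < today:     # leaver whose access was never revoked
            findings.append((account, "departed", f"contract ended {end}: revoke all access"))
            continue
        idle = (today - info["last_login"]).days
        if idle > dormancy_days:                # unused account
            findings.append((account, "dormant", f"no login for {idle} days"))
        excess = info["entitlements"] - baseline[person["function"]]
        if excess:                              # rights beyond the user's current function
            findings.append((account, "excess", f"not needed by {person['function']}: {sorted(excess)}"))
    return findings
```

Running `review_access(HR, ACCOUNTS)` on this data yields one finding per problem account (bob, carol, dave, svc_old) and nothing for alice, whose rights match her function.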
These measures, which are good practice for GDPR compliance, are perfectly usable in industry with a software solution that has specialised in this subject for more than 10 years.
Taking the right measures to protect personal data also means choosing the tools that will save you time on audits and accreditation reviews.
The rights review is essential and must be carried by the business lines. Seize the opportunity of this implementation to cover a rights-review perimeter that goes further than access to personal data. By mastering the accreditations on your information system, it is your risk perimeter that you reduce.
Here is the Kleverware interview at BFM Business (subtitled).
Here is a summary of the Kleverware interview, with the video, at BFM Business: https://bfmbusiness.bfmtv.com/le-tete-a-tete-decideurs/les-profonds-changements-qu-impose-la-mise-en-place-de-la-rgpd-1429287.html (French link)