It’s nearly a year after the GDPR went into effect, and the sky is still above us. The sun is even shining—just not on everyone quite yet. In this post, we’ll take a look at what clouds remain, and how digital identity can help clear them up.
Last year we shared two blog posts about why GDPR matters, including a primer and a list of GDPR considerations when selecting an analytics solution. Heading into the anniversary of the GDPR taking effect, we’re starting to learn what its impact on enterprises has been like so far.
There’s lots of good news. Cisco’s 2019 Data Privacy Benchmark Study digs into the investments that enterprises have made in privacy compliance, and reports that organizations investing in privacy are seeing returns beyond demonstrable GDPR compliance. While this is nothing to sneeze at—being able to demonstrate GDPR compliance is critical to adhering to the Regulation successfully and avoiding the significant potential penalties—there are other, quantifiable benefits as well.
The report finds that GDPR-compliant companies are less likely to experience a data breach, and when they do, the impact of the breach is less severe. They also experience fewer delays in the sales cycle due to customer privacy concerns.
In addition, GDPR-compliant companies report that having data controls in place enables them to be more agile and innovative, provides a competitive advantage, and achieves greater organizational efficiencies. Better data means better results.
But the Struggle is Still Real
So where are organizations struggling? The Cisco report found that the most significant challenge (cited by 42% of respondents) is “meeting data security requirements.” Perhaps this isn’t surprising: Article 5(1)(f) states that data must be processed “in a manner that ensures appropriate security of the personal data,” which some contend is vague.
Recital 38 provides additional information, however, stating that controllers and processors “should evaluate the risks inherent in processing and implement measures to mitigate those risks.”
This risk-based approach to information security isn’t new. Information security’s come a long way—it’s already ditched the cigarettes and competed in several triathlons. Industry standards, certifications, and best practices abound, and the GDPR leaves it to the professionals to adequately protect the data it collects, processes, transfers, and stores. That means organizations are free to choose solutions that support their own policies and processes, and that’s a good thing.
Digital Identity as a Foundation for Compliance
In an earlier blog post, we examined the MicroStrategy Analytics and Mobility Platform against six considerations recommended by PwC in selecting an analytics vendor. The MicroStrategy platform also delivers digital identity, which provides a foundation for compliance by enabling:
- Authentication: verifying the identity of users accessing the system
- Authorization: ensuring authorized users have access to the right data
- Accountability: giving the organization visibility into which data was accessed, for reporting, investigating potential breaches, and verifying that access was correct
Digital identity as a credential in a mobile app on a modern smartphone can generate a great deal of data, including access events and related telemetry, so organizations considering mobile-based digital identity credentials should look for flexibility in how to control what data is used, collected, stored, and analyzed.
For example, MicroStrategy provides granular controls to allow organizations to collect only the data required for appropriate use of the digital identity credential, in keeping with the Regulation’s data minimization principle (Article 5(1)(c)).
Another benefit of mobile digital identity credentials comes from choosing one that can integrate with existing access control systems and directories, so that data that already exists, such as user records in Active Directory, can be reused. This contributes to both the data minimization and accuracy principles of the GDPR.
In addition, a digital identity credential that can serve as authentication to physical access control systems and for logging into enterprise applications means that all the related data is available in one place. In traditional systems, data from physical and logical systems is siloed, limiting its value. When combined, this data can be immensely valuable, particularly to the organization with world-class enterprise analytics to leverage it. Controlling access to this data is critically important.
If your organization is still weathering the dark clouds of GDPR data protection compliance, take a look at your organization’s foundation of identity and user authentication. Digital identity isn’t going to solve your GDPR challenges, but building on a shaky foundation of inflexible, outdated, or otherwise inadequate means of authenticating and authorizing users will make compliance difficult, if not impossible. That’s not the risk-based approach the GDPR is going for.