Take a deep breath. Okay, now process this: we are a mere 365 days until the General Data Protection Regulation becomes enforceable. That’s right, on 25 May 2018, a wave of new regulations embodied in GDPR go into effect with far-ranging consequences for your authentication and identity strategy.
If 365 days sounds like plenty of time to get your act together, seek out, test and implement technology solutions that will align your organisation with the new regulation, then you've either never run a compliance regime or are not familiar with how modern IT works.
It can be done for sure, but you need to get started today. The first step is familiarizing yourself with these five key points about GDPR and your identities:
Identities Become Your Responsibility
With GDPR—even more than the Data Protection Directive 95/46/EC that it replaces—the identity requirements for your organisation are greatly expanded. Weak, static and easily-compromised credentials are going to be heavily scrutinized by auditors wherever they exist today.
The burden of securing data, detecting a breach and reporting it goes up dramatically. You need to focus on understanding where sensitive information exists and who has access to it, then work to secure access between your users and that data using strong authentication.
You Must Go Beyond Passwords
In some cases, way beyond passwords. If you’re reading this as a mandate to implement two-factor authentication (2FA) everywhere, then you’re not quite getting it.
Whilst GDPR does not mandate two-factor and multifactor authentication solutions per se, a careful reading of the regulation leaves no doubt that if you leave simple, static passwords in place and you are breached, the auditors will come for you.
Smart organisations are looking to use the technology-refresh opportunity to get rid of passwords completely. As you plan your GDPR approach, look to eliminate passwords and move instead to more contextual, behavioral and risk-based solutions that deliver more convenient and secure options for your users.
It Doesn’t Matter Where You Are Located in the World
Any organisation operating, storing or processing data within the European Union needs to be in compliance with GDPR on 25 May 2018.
That means if your organisation is not located in the EU but you run your data through an EU data centre or store personally identifiable information (PII) on EU customers in the EU, you need to be in compliance with the new law.
This is a wake-up call to companies in the United States, Canada, Singapore, Japan, China, India and elsewhere that don’t think GDPR applies to them. You had better check your data flows. My guess is that more than a few companies are going to have a rude wake-up call next year.
The Fines are Steep…
The GDPR gets the most attention for its eye-opening fine regime. Fail to comply with the law’s many regulations and components, and you can expect to pay the greater of 4 percent of your global revenue or €25 million.
…and They Will be Enforced
Early indications are that EU regulators are looking to the enforcement clauses of the GDPR to use as a cudgel, perhaps to make an early example of a few non-complying companies.
Who knows if this is true, but in any event, who wants to be the first organisation to suffer the reputational damage of non-compliance and have to explain that to the board?
Getting started today is essential. Whilst the GDPR has created a lot of confusion and uncertainty, one thing is clear: start by understanding where your sensitive data exists and determine who has access to it. Then use this opportunity to refresh your technology and eliminate passwords.
Move to a next-generation authentication solution that will serve you well for this and other compliance regimes. Doing so will not only let you breeze through next year without fear of fines, but will also make you an authentication hero for your organisation.
Learn more about how Crossmatch can help with GDPR compliance.