Take a deep breath. Okay, now process this: General Data Protection Regulation is enforceable on May 25, 2018. A wave of new regulations embodied in GDPR goes into effect with far-ranging consequences for your authentication and identity strategy.
If you haven’t yet, it is now time to get your act together, seek out, test, and implement technology solutions that will align your organization with the new regulation. It can be done, but you need to get started today. The first step is familiarizing yourself with these five key points about GDPR:
1. Identities Become Your Responsibility
With GDPR—even more than the Data Protection Directive 95/46/EC that it replaces—the identity requirements for your organization are greatly expanded. Weak, static and easily-compromised credentials are going to be heavily scrutinized by auditors wherever they exist today.
The burdens of securing data, detecting a breach and reporting it go up dramatically. You need to focus on understanding where sensitive information exists and who has access to it, then work to secure your users' access to that data using strong authentication.
2. Go Beyond Passwords
In some cases, way beyond passwords. If you’re reading this as a mandate to implement two-factor authentication (2FA) everywhere, then you’re not quite getting it.
While GDPR does not mandate two-factor and multifactor authentication solutions per se, a careful reading of the regulation leaves no doubt that if simple, static passwords are in place and you are breached, the auditors will come for you.
Smart organizations are looking to use the technology-refresh opportunity to get rid of passwords entirely. As you plan your GDPR approach, seek to eliminate passwords and move instead to more contextual, behavioral and risk-based solutions that deliver more convenient and secure options for your users.
3. Business Location Doesn’t Matter
Any organization operating, storing or processing data within the European Union needs to be in compliance with GDPR on May 25, 2018.
That means if your organization is not located in the EU, but you run your data through an EU data center or store information on EU customers with personally-identifiable information (PII) in the EU, you need to be in compliance with the new law.
This is a wake-up call to companies in the United States, Canada, Singapore, Japan, China, India and elsewhere that think GDPR does not apply to them. You had better check your data flows. My guess is that more than a few companies are going to have a rude wake-up call next year.
4. The Fines are Steep
The GDPR gets the most attention for its eye-opening fine regime.
In addition to any country-imposed penalties, compliance failure incurs EU fines at two levels: 1) in case of neglect of obligations by the data processor, such as certification and monitoring, companies are levied the greater of €10 million or 2% of annual revenue; or 2) the greater of 4% of global annual revenue or €20 million in cases of infringement of consent rules, international transfer of private data and transgressions regarding individuals' data privacy rights, among others.
5. Fines Will Be Enforced
Early indications are that EU regulators are looking to the enforcement clauses of the GDPR to use as a cudgel, perhaps to make an example of a few non-complying companies.
Who knows if this is true but in any event, who wants to be the first organization to suffer the reputational damage of non-compliance and have to explain that to the board?
Getting started today is essential. While the GDPR has created a lot of confusion and uncertainty, one thing is clear: start by understanding where your sensitive data exists and determine who has access to it. Then use this opportunity to refresh your technology and eliminate passwords.
Move to a next-generation authentication solution that will serve you well for this and other compliance regimes. Doing so will not only make you breeze through next year without any fear of fines but will make you a GDPR authentication hero for your organization.
Learn more about how Crossmatch can help with GDPR compliance.
Marcin Majchrzak is the Regional Sales Manager for Europe at Crossmatch Technologies, focusing on their Composite Authentication technology. He has over 10 years of experience in the technology industry, working for industry-leading giants such as Intel, where he was responsible for some of their key customers. Marcin's experience also includes working at agile, fast-growing technology start-ups such as Avecto, where he was part of the team that helped Fortune 500 customers achieve the secure state of "least privilege" by implementing their award-winning privileged access management solutions. Marcin has a B.A. from the University of Lodz and is fluent in English, German and Polish.