The effort to achieve compliance is significant. The fines for failing can cripple a business. The deadline is getting closer every day. With all those factors in place, preparing for the General Data Protection Regulation (GDPR) is a top business priority.
When it comes into effect on May 25, 2018, GDPR will change many of the ways organizations handle the collection, management and retention of customers’ personal information. Though it is primarily aimed at improving privacy protection for European Union citizens, GDPR will also apply to companies elsewhere that have operations in the EU. The penalties for violating GDPR could include fines of up to four percent of a company’s annual revenues.
Despite the urgency, many businesses are either falling behind on GDPR compliance or unsure of where they stand. A survey from the World Federation of Advertisers, for instance, shows that 70 percent of companies are not fully aware of the regulations and what’s needed. Another study from consulting firm PwC says U.S. companies may spend $1 million or more on GDPR readiness, even though the firm’s experts are warning that most firms have started too late.
Fortunately, there are actions organizations can take today to accelerate GDPR readiness. KuppingerCole Lead Advisor & Senior Analyst Matthias Reinwarth is cited in ComputerWeekly as saying that a strong identity and access management (IAM) strategy will go a long way towards helping address some of the GDPR compliance issues. That’s because IAM is based on knowing who is accessing a particular system and whether they are authorized to do so, and on providing deep visibility into how information is handled in different business contexts.
Do’s and Don’ts of GDPR Readiness
Do: Map Out (And Monitor) The Complete Customer Journey
Step one in protecting personal information is developing a better understanding of how it is gathered, shared and used across the enterprise. IAM is proving valuable in securing data about customer identities to improve the overall experience, and it can do the same to assist with GDPR readiness.
Don’t: Approach IAM as a GDPR Checklist Task
More than just a tool for proving GDPR compliance, a comprehensive IAM strategy is an opportunity to build an agile security posture that can adapt to changing threats and network footprints. According to Reinwarth, the best reason to have an IAM strategy is not just to comply with GDPR, but also to deepen businesses’ relationships with customers by improving security through better management of customer identities. He says, “It is important to recognise that customer identity is at the core of most modern business processes and that customer identity management will be a key enabler for many organisations, or to put it the other way around, businesses that do not do that will fail, or at least fall short.”
Do: Take Your IAM Strategy Beyond Just Multifactor Authentication
Protecting personal information in a dynamic threat landscape takes dynamic, risk-based policies that are sustainable beyond the GDPR deadline. To balance strong identity management with frictionless customer experiences, organizations need to optimize security for every app and every user, everywhere and at any time. Just as organizations’ responsibilities under GDPR don’t end on May 25, IAM doesn’t stop at two-factor or multifactor authentication; it can cover every possible use case, from single sign-on to mobile and cloud apps to VPN.
Do: Choose A Credible, Trustworthy Partner to Tackle GDPR Readiness
Most companies will not be able to handle the emerging privacy requirements completely on their own. A leading provider of IAM, Crossmatch can smooth the path to GDPR compliance through a range of technologies, industry expertise and a proven track record. Contact Crossmatch to learn more.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently, he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and the Certified Cloud Security Professional (CCSP) designations.