Four years ago, the European Union (EU) launched the General Data Protection Regulation (GDPR). The regulation was designed to ensure companies are held accountable for securing and protecting consumer data. The regulation proved to be influential, inspiring similar legislation in the U.S. and other territories.
While it has improved privacy rights for millions, major and complex data challenges remain today.
In light of the anniversary of GDPR, Chad McDonald, Chief of Staff and CISO at Radiant Logic, explains to Digital Journal what these challenges are and why they matter from the business perspective.
McDonald begins by considering the complex nature of the modern firm and the vast amount of electronic data generated. He notes: “Due to the rise in digital transformation efforts, we are seeing an explosion in the number of digital identities businesses store, which makes controlling and managing identity data much more difficult.”
As an example, McDonald says: “Unfortunately, when organizations struggle to manage identity data, they are at risk of breaking GDPR rules by failing to keep identity data accurate and minimized, not to mention being more vulnerable to cyber criminals.”
The complexity continues, with McDonald noting: “Organizations have been scattering their identity data across multiple sources and this identity sprawl results in overlapping, conflicting or inaccessible sources of data. When identity data isn’t properly managed, it becomes impossible for IT teams to build accurate and complete user profiles.”
Furthermore, McDonald says: “It can also result in siloed systems which increases the likelihood of a failure in identity management and expands the attack surface of an organization.”
Recent cases demonstrate this: “For example, Bocconi University was fined $214,000 after the Italian Data Protection Authority discovered that the same student information had been placed into multiple, fragmented documents – violating the GDPR principles of fairness, transparency and lawfulness when it comes to data processing. Poor identity management practices provide gaps for threat actors to exploit.”
McDonald draws on further examples to make his point: “In addition to minimal visibility across data sources, businesses also lack control. Without accurate user profiles, security teams and systems are unable to figure out what users should be accessing in order to fulfil their job. The most notorious GDPR fine was incurred by British Airways, which was over $50 million for failing to limit access to applications, data and tools. With some of the largest enterprises being found guilty of breaking GDPR rules, it is time organizations look to sanitize and streamline processes when it comes to Identity Access Management.”
There are measures business units can take, and McDonald recommends: “Using an Identity Data Fabric, organizations can unify identity data into one easy-to-use global profile which can deliver identity data, on-prem or in the cloud, in real time from wherever and whenever needed. With accurate identity data, security teams have complete control over who has access to what, and they can feel more confident that they’re meeting all the GDPR regulations.”