GDPR 12 Months In
GDPR came into force a year ago, preceded by several years of preparations for many organizations. What are the lessons learned from GDPR fines at the one-year anniversary and how can IGA processes support your GDPR compliance?
By Anne Dorthe Gyldenkærne, VP Marketing and Communications
GDPR 12 Months in: Fines Based on IT Audits, not Just Data Breaches
GDPR came into force a year ago, preceded by several years of preparations for many organizations. The run-up was also marked by doubt about which controls needed to be in place to be compliant, which left a lot of organizations holding their breath as to what would happen after May 25, 2018.
Many organizations identified gaps in their access governance policies for privacy data during this process. Under the regulation, organizations must be able to prove that they are in control of who has access to what, and give appropriate reasons for why that access was granted in the first place. Many organizations have implemented additional procedures to ensure they are fully compliant, and able to prove such compliance to auditors.
Heavy Fines are Enforced for Non-Compliance
One of the first GDPR fines for non-compliance went to Knuddels.de, a German social networking site that leaked 808,000 email addresses and over 1.8 million usernames and passwords. Fine: €20,000 (USD 22,000). More interesting, and more surprising, is the fine of €400,000 (USD 450,000) imposed on Centro Hospitalar Barreiro Montijo, a Portuguese hospital, on the basis of an audit by the Data Commission rather than a data breach. The authorities found that 689 non-clinical users were registered as physicians and could therefore access confidential patient data that they had no need for in their job role. In addition, a total of 985 active users with a "doctor" profile were registered in the system, although in 2018 only 296 doctors had been assigned to the hospital. The hospital attempted to explain the discrepancy with temporary profiles created under a service contract.
The audit also stated that the hospital operator "deliberately" ensured that users with "technical" profiles in the IT systems could access data that should only be accessible to doctors. A test showed that a technical profile with unrestricted access could be created.
Continuous User Access Control a Minimum Requirement in GDPR
The ability to properly control access to privacy data has become a minimum requirement for organizations to operate, in public as well as private organizations. Not only are large financial penalties at stake as in this case, but there is also the risk of reputational damage. Being in control of privacy data is now a license to operate.
The Portuguese example shows that a key part of becoming GDPR compliant is ensuring that every active user account is assigned to an employee or contractor who is still working for the organization, and that the levels of access granted earlier are still relevant. Accounts that have not been disabled or deleted when an employee or contractor has left the company are a significant compliance and security risk, potentially allowing ex-employees and outsiders to access or corrupt business-critical information. Insider attacks show that organizations must regularly compare all active accounts with HR records for current full-time and temporary workers, and remove access for those who no longer work for them.
Implementing Controls is Key to Access Compliance
The GDPR audits revealed that organizations need to be in control of their user accounts and be able to document that their policies and procedures are applied continuously, not just at a point in time. Organizations must ensure users are onboarded correctly for their role and position. They must also ensure that any additional access rights granted during a user's career progression are tracked and managed, with all access rights revoked once the user leaves the organization. Additionally, segregation of duties policies should be implemented to catch the access conflicts that can arise when additional access rights are granted. The $17 million fraud case of a Danish welfare worker, who had access to multiple systems, showed that inappropriate access rights can enable employees to commit fraud, and that only best-practice processes can prevent it.
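The two checks described above, reconciling active accounts against HR records and testing for segregation-of-duties conflicts across a person's systems, can be expressed as a small reconciliation script. The following is an added example, not code from the original post or from Omada's product; the HR feed, the account export, the profile-to-job mapping and the single SoD rule are constructed sample data and hypothetical policy chosen to mirror the hospital findings (accounts with no living owner, non-clinical staff with a "doctor" profile, far more "doctor" accounts than doctors).

```python
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    job_title: str
    active: bool            # False once the employment or contract has ended


@dataclass(frozen=True)
class Account:
    account_id: str
    person_id: str | None   # None when the application holds no link to a person
    profile: str
    enabled: bool
    entitlements: frozenset[str] = frozenset()


# Assumed policy (hypothetical): which HR job titles may hold each privileged profile.
PROFILE_TO_JOBS = {"doctor": {"physician"}, "technical": {"it_admin"}}

# Assumed segregation-of-duties rule (hypothetical): one person may never hold both.
SOD_RULES = [("create_vendor", "approve_payment")]

# Constructed sample data; not taken from the page or from any real system.
HR_FEED = [
    HrRecord("p1", "physician", True),
    HrRecord("p2", "physician", True),
    HrRecord("p3", "billing_clerk", True),
    HrRecord("p4", "it_admin", True),
    HrRecord("p5", "physician", False),     # contract ended, account never removed
]
ACCOUNT_EXPORT = [
    Account("a1", "p1", "doctor", True),
    Account("a2", "p2", "doctor", True),
    Account("a3", "p3", "doctor", True),    # non-clinical user with a doctor profile
    Account("a4", "p5", "doctor", True),    # owner has left the organization
    Account("a5", None, "technical", True), # no owner recorded at all
    Account("a6", "p4", "technical", True, frozenset({"create_vendor"})),
    Account("a7", "p4", "finance", True, frozenset({"approve_payment"})),
    Account("a8", "p5", "doctor", False),   # disabled: ignored by every check
]


def reconcile(hr, accounts):
    """Return orphaned accounts, profile/job mismatches and SoD violations."""
    people = {h.person_id: h for h in hr}
    findings = {"orphaned": [], "profile_mismatch": [], "sod_violation": []}
    held = defaultdict(set)                 # person_id -> union of entitlements
    for a in accounts:
        if not a.enabled:
            continue
        person = people.get(a.person_id)
        if person is None or not person.active:
            findings["orphaned"].append(a.account_id)
            continue                        # nothing else to assess: the account must go
        allowed = PROFILE_TO_JOBS.get(a.profile)
        if allowed is not None and person.job_title not in allowed:
            findings["profile_mismatch"].append(a.account_id)
        held[person.person_id] |= a.entitlements
    # SoD is evaluated per person, across all of their accounts and systems,
    # because a toxic combination is usually spread over several applications.
    for person_id in sorted(held):
        for left, right in SOD_RULES:
            if {left, right} <= held[person_id]:
                findings["sod_violation"].append((person_id, left, right))
    return findings


def headcount_check(hr, accounts):
    """Enabled accounts per privileged profile vs. active HR headcount of the jobs allowed to hold it."""
    jobs_active = Counter(h.job_title for h in hr if h.active)
    profiles_enabled = Counter(a.profile for a in accounts if a.enabled)
    return {p: (profiles_enabled[p], sum(jobs_active[j] for j in jobs))
            for p, jobs in PROFILE_TO_JOBS.items()}


if __name__ == "__main__":
    for kind, items in reconcile(HR_FEED, ACCOUNT_EXPORT).items():
        print(f"{kind}: {items}")
    for profile, (n_accounts, n_people) in headcount_check(HR_FEED, ACCOUNT_EXPORT).items():
        print(f"profile {profile!r}: {n_accounts} enabled accounts for {n_people} eligible people")
```

The head-count comparison is deliberately separate from the per-account checks: a profile count that is several times the HR headcount for the matching role is the kind of discrepancy an auditor can spot without any per-record detail, which is exactly what surfaced the 985-versus-296 gap. Disabled accounts are skipped throughout, so an account that has merely been disabled rather than deleted still needs a separate clean-up pass.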
Automate Your Processes for Managing and Monitoring Access Compliance
Implementing processes for controlling, managing, and auditing access to data continuously is an important prerequisite for reducing risk to your everyday business. It is also a prerequisite for complying with GDPR, and an Identity Governance and Administration (IGA) system makes it possible to maintain continuous compliance with the data security and access management aspects of the regulation.
IGA solves essential GDPR challenges related to access control and transparency, enabling organizations to improve security and compliance while managing users' access rights efficiently.
IGA systems allow organizations to control users' access to IT systems while determining and documenting when and why access was granted. With IGA technologies in place, your organization will be able to prove to the authorities that it can control and govern identities, protect sensitive data and comply with GDPR.
Examples of IGA processes that support your GDPR compliance:
- Identify/ classify in-scope GDPR data processes and repositories, and assign data- /system-/process- owners
- Establish identity lifecycle management processes - including processes for managing user access to privacy data when onboarding and off-boarding new employees and contractors
- Establish access management processes – documented access request, access approval and access fulfillment processes
- Establish periodic review of user access rights to privacy data in order to ensure access is validated continuously
- Ensure continuous protection of privacy data through efficient role and policy management
- Establish workflows for taking new systems or data stores into use, to ensure timely GDPR classification of the systems
- Monitor user behavior and activity on processes, systems, and files containing GDPR data
- Enable automatic blocking of compromised accounts
- Provide detailed reports and analysis of identities and their effective access models, with highlights of potential risks within the organization - for audits and stakeholder reporting
- Implement processes that initiate automatic actions for notification flows and forensic analysis for fast off-boarding and blocking of compromised accounts based on identity and access data reports
Implement Best Practice IGA Processes
Omada's identity management and access governance solution provides core capabilities built in as best-practice standards for access management and control, audit reporting that meets the GDPR audit requirements, and efficient detection of security violations.
Core processes of Omada Identity Suite include identity lifecycle management, managing user access to privacy data, and processes for correct onboarding and off-boarding of employees and contractors when they join and leave the organization. The processes also include access governance for monitoring and reviewing user access rights to privacy data, enabling your organization to maintain continuous compliance and helping you meet the GDPR requirements.
Omada has gathered all these best-practice IGA processes in a 100-page e-book that describes the most important processes needed to ensure a successful IGA deployment. The framework was developed with the goal of supporting successful IGA projects and helping organizations implement well-proven best-practice processes. Implementing best-practice processes reduces the need to re-invent the wheel, minimizes the risk of over-engineering, prevents the implementation of unproven and flawed processes, and ensures that the various stakeholders are taken into account. Download the e-book here.
Omada | May 2019