I LOVE GDPR ♥

Security is everyone’s concern.
Edouard PHILIPPE

Since 25 May 2018, the General Data Protection Regulation (GDPR) has applied in all European Union countries. The main objective of this regulation is to standardize the protection of individuals’ personal data. The GDPR is clearly a technical, legal and organizational subject at once.
In my opinion, this regulation is an undeniable opportunity to control our data and to regain control of our digital life. It is a fine tool, but one that will need to be supported in practice.
As a reminder, Article 4 of the GDPR ([01]) defines personal data as any information relating to an identified or identifiable individual. Personal data also includes information (anonymised or not, encrypted or pseudonymised) whose combination allows a person to be precisely identified.
The GDPR applies to companies as well as to administrations and local authorities. Each “organization” can hold personal data (at least human resources data) in different databases… which must be aggregated in order to obtain a complete and accurate view.
In article [02] published on Systancia’s blog, our Scientific Director Frédéric Pierre introduces the Systancia Identity product, formerly Avencis Hpliance, as a flexible and efficient solution for Identity and Access Management. For organizations with multiple databases containing this type of data, it is indeed important (and a real time-saver) to centralize them via the Systancia Identity tool in order to obtain a global view of the data an organization holds that is considered personal.
Returning to the GDPR, and in particular to the principles relating to the processing of personal data (Article 5 of [01]):

  • Lawfulness, fairness and transparency principle: all personal data processing must correspond to what has been described to the person concerned;
  • Purpose limitation principle: the collection of personal data must be made for “specified, explicit and legitimate” purposes;
  • Data minimization principle: with regard to the processing carried out, the data processed must be “adequate, relevant and limited to what is necessary”;
  • Accuracy principle: personal data must be “accurate and, if necessary, kept up to date”;
  • Limitation of conservation principle: personal data must be “kept […] for no longer than necessary for the purposes for which they are processed”;
  • Integrity and confidentiality principle: personal data must be “processed in such a way as to guarantee appropriate security”.

Thus, as described in [02], Systancia Identity, Systancia’s IAM (Identity & Access Management) solution, supports the implementation of the GDPR in terms of authorization and permission management. This solution makes it possible to centralize the identities and permissions of an organization’s members, but also to create rectification and deletion processes.
The Systancia Identity solution also makes it possible to respond easily and quickly to each access or rectification request received. Indeed, the GDPR gives every person the right to access all the information concerning him or her (and to know its origin), and to require that this data be rectified, completed, updated or deleted.
Systancia Identity manages the life cycle of digital identities (all the information characterizing individuals within organizational structures) by automating “upstream” provisioning as well as the provisioning of local and cloud applications. Finally, as announced previously, Systancia Identity also automates the execution of information flows and validation workflows.
The Systancia Identity solution creates a single central repository and thus provides a technical response suited to the following GDPR principles:

  • Lawful and transparent processing: Systancia Identity provides, in a printable format via the “Identity Record”, all the elements an organization holds on a person across all connected databases;
  • Purpose limitation: personal data are collected and processed only for a specific and legitimate use, namely the management of permissions and authorizations;
  • Data minimization: Systancia Identity’s (OrBAC) authorization management model allows simple modeling of organizations and the definition of automatic permission assignment rules. Thus only the data useful for the processing is used;
  • Accuracy: Systancia Identity controls the integrity of information through data reconciliation and orphan/specific account identification mechanisms;
  • Limitation of conservation: Systancia Identity offers, on demand via dedicated scripts, the ability to delete personal data from the databases connected to the solution.

Finally, it should be noted that all modification, deletion and/or assignment operations carried out through the Systancia Identity solution are traced and can therefore be audited by a third party.
In conclusion, Systancia Identity is a flexible and efficient identity and access management solution [02] that is also effective in establishing and maintaining compliance with the many complex requirements of the GDPR.
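The reconciliation and orphan/specific account identification described under the accuracy principle, together with the traceability of operations noted just above, can be illustrated with a small reconciliation routine. This is an added example written for this page, not code from Systancia Identity; the rule table (organization and role mapped to granted applications, a simplification of an OrBAC-style assignment rule), the identities and the accounts are all constructed.

```python
"""Reconcile a central identity repository against accounts found in
connected applications. Flags orphan accounts (no active identity behind
them) and 'specific' accounts (not explained by any assignment rule), and
records every finding in an audit trail. All data here is constructed."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Identity:
    uid: str
    org: str
    role: str
    active: bool = True

@dataclass(frozen=True)
class Account:
    app: str
    login: str
    uid: str  # identity the account was provisioned for

# Constructed rule table: (organization, role) -> applications granted.
RULES = {
    ("HR", "manager"): {"payroll", "hris"},
    ("HR", "assistant"): {"hris"},
    ("IT", "admin"): {"hris", "ldap"},
}

@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)
    def record(self, actor, action, target):
        # Sequence number makes each entry individually referenceable by an auditor.
        self.entries.append({"seq": len(self.entries) + 1, "actor": actor,
                             "action": action, "target": target})

def reconcile(identities, accounts, rules, trail, actor="reconciler"):
    by_uid = {i.uid: i for i in identities}
    orphans, specific = [], []
    for acc in accounts:
        ident = by_uid.get(acc.uid)
        if ident is None or not ident.active:
            orphans.append(acc)            # nobody (active) owns this account
            trail.record(actor, "flag_orphan", f"{acc.app}:{acc.login}")
        elif acc.app not in rules.get((ident.org, ident.role), set()):
            specific.append(acc)           # granted outside the rule model
            trail.record(actor, "flag_specific", f"{acc.app}:{acc.login}")
    return orphans, specific

IDENTITIES = [Identity("u1", "HR", "manager"), Identity("u2", "HR", "assistant"),
              Identity("u3", "IT", "admin", active=False)]
ACCOUNTS = [Account("payroll", "alice", "u1"), Account("hris", "bob", "u2"),
            Account("payroll", "bob", "u2"), Account("ldap", "carol", "u3"),
            Account("hris", "ghost", "u9")]
```

Calling `reconcile(IDENTITIES, ACCOUNTS, RULES, AuditTrail())` flags carol (identity deactivated) and ghost (no identity) as orphans, and bob’s payroll account as specific since the HR assistant rule only grants hris.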

References

[01] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (https://www.cnil.fr/fr/reglement-europeen-protection-donnees)
[02] IAM GDPR (https://www.systancia.com/iam-gdpr)