Three years ago, a monumental and international law went into effect that reflected consumers’ desire for data privacy: the General Data Protection Regulation (GDPR) in the EU.
It was designed to significantly change how businesses handle customers’ personal data, though that hasn’t become a full reality. Compliance has certainly not been absolute, and as the increasing fines reveal, some organisations are struggling. But achieving GDPR compliance is possible, and a modern identity governance strategy can help tremendously.
Compliance Challenges
The compliance struggle continues three years later, which speaks to GDPR’s wide-ranging requirements with a very broad organisational reach and potential negative impact on corporate efficiency. Organisations face severe fines and reputational damage as a result. A GDPR fine can run up to 4% of annual global revenue, depending on the severity and circumstances of the violation. The GDPR’s enforcement agency issued more than €169 million (£144.8 million) in fines in 2020.
A sobering real-life example comes from Amazon, which has been handed a €359 million (£307.7 million) fine for GDPR violations related to the company’s collection and use of personal data. If it holds, this fine will be the largest GDPR penalty so far. And though a company like Amazon can surely afford the financial hit – and isn’t likely to suffer much in the way of reputation, either – most companies can’t.
Any company that offers its website and/or services to EU citizens must comply with GDPR.
Implementing identity governance and administration (IGA) can help companies meet these requirements.
Complicating Factors
Migration to the cloud and the rise of remote and hybrid work are just two of the massive changes organisations are struggling with in terms of technology and structure. These changes have all introduced new challenges to the enterprise in terms of how to maintain control, manage risk and ensure compliance without restraining business efficiency and collaboration.
Addressing a complicated and continually expanding set of global regulations is not possible if businesses lack the needed strategy and security solutions. Clearly, many companies have held back from full GDPR compliance because they cannot work out what achieving it requires. And as digitalisation accelerates, IT departments are facing greater and greater workloads – which makes it even harder to support compliance and stay on top of security requirements.
Benefits of Identity Governance
Key to an organisation’s security posture is the use of modern identity governance, with the right capabilities for data classification, risk awareness and compliance. But it also plays an important role in complying with regulations like GDPR. Governing identities and access is of paramount importance in terms of being compliant with legislative and regulatory requirements. GDPR requires organisations to have processes in place to manage, monitor and document that identities’ access complies with need-to-know/need-to-have principles.
With these principles in mind, IGA solutions must also provide automated implementation of business workflows and processes that enable efficiency, such as automated provisioning, self-service access requests and approvals, and at the same time be adaptable enough to embrace organisational uniqueness.
When it comes to identity and access management, implementing an IGA solution makes it possible to ensure continuous compliance with GDPR. It solves essential GDPR challenges related to access control and transparency, and it helps organisations improve security and compliance, as well as manage users’ access rights purposefully and efficiently.
The ability to ensure and document that risk-driven best practice processes are followed is vital in audit scenarios, as auditors need to be assured that an organisation has control over who has access to what, and for what reason. With the right solution, organisations can control users’ access to IT systems and determine and document when – but even more importantly, why – access was granted.
Companies that use identity governance are establishing a solid foundation, which is making it a strategic tool. An automated, integrated identity management and access governance solution improves security, reduces costs, provides essential functionality for managing identity lifecycle processes, and supports compliance efforts, especially in the case of GDPR.
A Compliance Asset
GDPR opened the floodgates for similar regulations in other regions of the world. Already-burdened IT teams are struggling with the demands born of digital transformation and remote work; compliance often falls by the wayside as a result. But GDPR and laws like it aren’t optional for those to whom they apply, and fines can be business-killing in size.
One support asset for IT security and regulatory compliance is a cloud-based, next-generation IGA solution. This gives organisations the ability to offer automated access to an increasing number of technology assets. At the same time, it takes the burden off the IT staff and manages potential security and compliance risks. IGA makes digital identities for all users, applications and data possible, and it secures them. It can be a real compliance asset for organisations dealing with today’s many regulations.
By Theis Nilsson, vice president of customer success and innovation, Omada.