How physical identity & access management can reduce GDPR compliance complexity
Andrew Bull from HID Global explores the implications of GDPR on physical access control systems and how advanced physical identity and access management (PIAM) solutions can help.
GDPR now harmonises data privacy
Beginning 25 May, companies doing business in the European Union are required to comply with the new General Data Protection Regulation (GDPR) standards. This initiative will standardise and harmonise the fragmented data privacy rules across the European Economic Area to ensure that individuals’ rights are protected in today’s digital world.
GDPR’s primary purpose is to ensure that all organisations operating in Europe obtain consent from individuals to capture and store identity information, and remove that information from servers once it is no longer needed. The regulation also sets higher standards for consent, which must be freely given based on clear, easily available information about what an individual is agreeing to. Organisations must also make it as easy for someone to withdraw consent as it is to provide it.
Implications for physical access control systems
For security teams, this means they must ensure that consent is recorded for all individuals whose information they are storing and managing across all physical access control systems (PACS) and that any personal information is centrally tracked and controlled on all servers for all EU citizens, no matter where in the world that server resides. All information must be auditable and individuals’ personal information must be removed from the relevant PACS servers if they no longer require access or if their authorisation and/or privileges are no longer valid. This means that an EU citizen added to a PACS must be tracked and removed once that entry is no longer relevant, or upon the citizen’s request.
The good news is that organisations will now have a single regulation rather than multiple standards in different regions to comply with, which should significantly decrease compliance costs while improving public perception of data privacy and individual rights.
The bad news is that for many organisations, compliance with GDPR will be challenging, and the complicated and inefficient manual administrative processes often employed to transform policies into practice do nothing to ease the burden. In fact, they are more likely to hinder these efforts, which rely heavily on gathering information from a variety of stakeholders – a far from ideal combination.
Bridging the gap with physical identity and access management (PIAM)
However, there is help available for security departments. Advanced physical identity and access management (PIAM) solutions bridge the gap between policy and process by employing policy-based automation, deep systems integration and strong auditing capabilities to help organisations comply with the main requirements of GDPR more effectively and efficiently, enabling them to do business without fear of incurring fines or other penalties.
Automation to streamline processes
As previously mentioned, the process of implementing GDPR requirements across PACS often relies on the human element in the form of incredibly time-consuming and error-prone manual processes. PIAM solutions remove these impediments by applying policy- and rules-based automation to streamline all processes, from identity enrollment through to the auditing necessary to demonstrate compliance.
PIAM tracks all of the places information has been propagated, making audit and deletion a straightforward process.
Pseudonymisation to protect personal data
One of the benefits of PIAM embraced by GDPR (recital 28) is the ability to use pseudonyms to obscure individuals’ personal data, which can go a long way toward easing compliance. With PIAM solutions, organisations can replace first and last names with a unique ID within identity records. Rather than transmitting personal data to the PACS, the PIAM solution sends only this pseudonymised record, not individual names and other details. This tactic is not only mentioned in the GDPR regulations but is encouraged – and it is something that would be difficult, if not impossible, to do using the PACS alone.
Why is this important? Because organisations are required to report any breach of personal data to individuals within 72 hours of the incident or face fines. However, this requirement only applies to personal information and is waived if the breached data has been anonymised. Therefore, employing pseudonymisation can substantially limit not only risk, but also liability.
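To make the pseudonymisation described above concrete, here is an added example (not HID Global's code and not a description of any PIAM product) of an identity store that keeps the only copy of the mapping between a person and an opaque subject ID, hands the PACS nothing but that ID and the access data it needs, and lets a defender check a PACS data dump for personal data. The class and field names are assumptions for illustration.

```python
# Added example (not HID Global's code): a minimal PIAM identity store that
# pseudonymises records before they are provisioned to a PACS.
import secrets
from dataclasses import dataclass

# Fields the article treats as personal data that should not leave the PIAM.
PII_FIELDS = ("first_name", "last_name", "email")


@dataclass(frozen=True)
class PacsRecord:
    """What a downstream PACS is allowed to receive: an opaque subject ID plus
    the access data it needs to open doors. No names, no contact details."""
    subject_id: str
    card_number: str
    access_groups: tuple


class PiamStore:
    """Holds the only copy of the mapping pseudonym -> real identity."""

    def __init__(self):
        self._identities = {}  # subject_id -> dict of PII

    def enroll(self, first_name, last_name, email):
        # A random token rather than a hash of the name: nothing about the
        # person can be recovered from the token without this store.
        subject_id = secrets.token_hex(16)
        self._identities[subject_id] = {
            "first_name": first_name, "last_name": last_name, "email": email}
        return subject_id

    def to_pacs(self, subject_id, card_number, access_groups):
        """Build the record that is transmitted to the PACS."""
        if subject_id not in self._identities:
            raise KeyError("unknown subject")
        return PacsRecord(subject_id, card_number, tuple(access_groups))

    def resolve(self, subject_id):
        """Re-identify a pseudonym; only the PIAM (and its audited users) can."""
        return dict(self._identities[subject_id])

    def erase(self, subject_id):
        """Right to erasure: drop the link, so PACS records become unlinkable."""
        return self._identities.pop(subject_id, None) is not None


def personal_data_exposed(records):
    """Given records dumped from a PACS (dicts or PacsRecord objects), list the
    PII fields they contain. Returns [] when every record is pseudonymised,
    which is the situation the 72-hour notification argument relies on."""
    exposed = []
    for rec in records:
        fields = rec if isinstance(rec, dict) else vars(rec)
        exposed.extend(f for f in PII_FIELDS if f in fields)
    return exposed
```

The design point is that the re-identification key lives in one place: a compromised PACS yields card numbers and door groups tied to random tokens, and `personal_data_exposed` is the check an incident responder would run over the dump to confirm that.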
Given its power to aid in meeting the requirements of GDPR, the importance of automation cannot be overstated, as it serves as the foundation upon which the vast majority of PIAM’s other capabilities are built.
Self-Service enrollment in a physical access control system
In addition to improving security, properly enrolling employees, contractors, visitors and others in a PACS also plays a key role in GDPR compliance. However, there are often delays between the initial request and the final approval of access privileges – delays that cost productivity and money, while also compromising security. PIAM solutions allow an organisation to create a self-service enrollment process that streamlines onboarding.
The self-service function can also be used to meet the consent and purpose mandates of GDPR. During the enrollment process, employees, contractors, visitors and other third parties can be given access to their own profiles, where they can view what personal information is being collected, for what reason and how it will be used, and then record their consent. Capturing this data at the time of registration or request for access privileges eliminates multiple potentially costly and time-consuming tasks from the GDPR compliance process.
Additionally, a self-service portal can be used to let individuals review data collection and usage policies and to revoke consent to having their information stored and used for access control and other purposes, at which time the system automatically erases all data related to that individual – addressing another important GDPR requirement.
Systems Integration with other security systems
One of the biggest strengths of PIAM solutions is the ability to tie multiple disparate systems together easily to allow information to be aggregated. This encompasses access control, visitor management and other security systems as well as non-security systems like human resources, time and attendance and others. The PIAM solution can serve as the hub for all of these systems, giving organisations a single source for management.
From a security standpoint, the ability to aggregate, sort and analyse data from these disparate systems can prove beneficial in identifying behavioural and other patterns that may indicate a potential threat.
There are also numerous operational benefits, including efficiency and cost savings. If manually entering data into a single system is time-consuming and error-prone, imagine the potential headaches of having to do it for multiple systems. By eliminating this need, PIAM enables greater efficiency and decreases or eliminates the potential for human error. Because the same challenges also apply to tracking and removing data, this capability makes it easier for an organisation to ensure GDPR compliance.
Today, an individual’s data is typically stored across multiple systems within the security and/or operational ecosystem. This can become problematic when it is necessary to delete an individual’s information, since simply removing it from a single system does not meet the standard established under GDPR. With PIAM, an organisation can simply remove the data in question from a single solution and know that it will automatically be removed from all integrated systems simultaneously, satisfying requirements for compliance.
Auditing is easier
As with any regulation, demonstrating compliance with GDPR is vital and must be done regularly to avoid penalties. This can be a daunting task that requires demanding and thorough auditing and reporting. Unfortunately, these critical tasks are often performed using costly, time-consuming and error-prone manual processes. However, non-compliance is not an option, as the potential cost and penalties are even more daunting.
PIAM reduces this strain on an organisation’s resources by employing automation that enables efficient auditing of systems and locations, along with the robust reporting capabilities needed to demonstrate compliance. For example, when user consent is recorded or when individual data is automatically deleted from PACS and all other integrated systems when requested in accordance with GDPR, that action is stored within the system. Rather than rely on people to collect and report this information, PIAM allows organisations to generate compliance reports with the click of a button – significantly reducing regulatory reporting costs. This function can also be programmed to be performed at regular intervals to ensure timely reporting and compliance.
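The self-service consent workflow, the cascading deletion across integrated systems and the audit trail described in the sections above fit together in a single hub. The following is an added example (not HID Global's code and not the interface of any PIAM product) showing that hub: consent is recorded before anything is provisioned, withdrawal erases the subject from every registered system, every action is logged, and a compliance report is generated from the log. `IntegratedSystem` is an assumed stand-in for a PACS, visitor-management or HR connector; the example also adds an orphaned-record check, which goes slightly beyond the text, to catch data that a connector failed to delete.

```python
# Added example (not HID Global's code): a PIAM hub that records consent,
# provisions integrated systems, cascades erasure on withdrawal and keeps an
# audit trail from which a compliance report is generated.
from collections import Counter
from datetime import datetime, timezone


class IntegratedSystem:
    """Assumed stand-in for a PACS, visitor-management or HR connector."""

    def __init__(self, name):
        self.name = name
        self.records = {}  # subject_id -> payload held by that system

    def provision(self, subject_id, payload):
        self.records[subject_id] = payload

    def delete(self, subject_id):
        # True if something was actually removed; the hub logs this outcome.
        return self.records.pop(subject_id, None) is not None


class PiamHub:
    def __init__(self):
        self.systems = []
        self.consents = {}  # subject_id -> {"purposes": [...]}
        self.audit = []     # append-only list of events

    def register(self, system):
        self.systems.append(system)

    def _log(self, event, subject_id, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "subject": subject_id, **details})

    def record_consent(self, subject_id, purposes):
        """Called from the self-service portal once the person has seen what
        is collected and for which purposes."""
        self.consents[subject_id] = {"purposes": list(purposes)}
        self._log("consent_recorded", subject_id, purposes=list(purposes))

    def provision(self, subject_id, payload):
        # Policy: nothing leaves the hub for a subject with no consent on file.
        if subject_id not in self.consents:
            raise PermissionError(f"no consent on file for {subject_id}")
        for system in self.systems:
            system.provision(subject_id, payload)
            self._log("provisioned", subject_id, system=system.name)

    def withdraw_consent(self, subject_id):
        """Consent withdrawal: erase from every integrated system, then forget
        the consent record. Returns {system name: deleted?} for the audit."""
        results = {s.name: s.delete(subject_id) for s in self.systems}
        for name, deleted in results.items():
            self._log("erased", subject_id, system=name, deleted=deleted)
        self.consents.pop(subject_id, None)
        self._log("consent_withdrawn", subject_id)
        return results

    def orphaned_records(self):
        """Compliance check: records any system still holds for a subject
        with no consent on file. An empty list is the expected result."""
        return sorted({(s.name, sid) for s in self.systems
                       for sid in s.records if sid not in self.consents})

    def compliance_report(self):
        """The 'click of a button' report: event counts from the audit trail,
        consenting subjects, and any leftover data that needs attention."""
        return {"events": dict(Counter(e["event"] for e in self.audit)),
                "subjects_with_consent": len(self.consents),
                "orphaned_records": self.orphaned_records()}
```

Two points to take from the example: the consent check sits in front of provisioning rather than being a separate record that someone must remember to consult, and the erasure path reports per-system outcomes, so a connector that silently failed to delete shows up both in the audit log and in `orphaned_records()` rather than going unnoticed until an audit.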
In our connected world, privacy has taken on increased significance for everyone, and as a result, governments are enacting regulations and policies to protect individuals’ most valuable commodity – their identity. As GDPR takes effect, organisations wishing to do business in Europe must be actively working to put the policies and practices in place to ensure compliance with this new regulation. This will no doubt be challenging, but advanced PIAM solutions replace the manual processes often used to perform the tasks required under GDPR with automation, strong integration and thorough auditing capabilities.
Organisations can deploy PIAM to effectively and efficiently ensure compliance with the main requirements of GDPR and avoid staggering and potentially catastrophic penalties.
Regional Sales Director – UK, HID Global, IAM Solutions