How Physical Identity & Access Management Helps Physical Security with GDPR Compliance

You may have heard a lot of recent news about the European Union’s new General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018. GDPR replaces the Safe Harbor Act, and it standardizes and extends existing EU data protection laws to all foreign companies processing data from EU residents.

The primary purpose of GDPR is to ensure that all organizations operating in Europe are required to obtain consent from individuals before capturing and storing identity information on servers, and to remove that information from servers once it is no longer needed. The regulation also sets higher standards for consent, which must be freely given based on clear, easily available information about what an individual is agreeing to. Organizations must also make it as easy for someone to withdraw consent as it is to provide it.

The stiff penalty for any violation of this regulation – up to 4 percent of annual global revenue of a parent or holding company – makes it essential that organizations ensure they are in full compliance. However, adherence may require exhaustive and time-consuming manual and administrative efforts that rely on information from a variety of stakeholders, which introduces the potential for errors that can jeopardize compliance.


What does GDPR Mean for Physical Security?

For security teams, GDPR means they must ensure that consent is recorded for all individuals whose information they are storing and managing across all physical access control systems (PACS) and that any personal information is centrally tracked and controlled for all servers – for all EU citizens covered by the GDPR regulations no matter where in the world that server resides. All information must be auditable and individuals’ personal information must be removed from the relevant PACS servers if they no longer require access or if their authorization and/or privileges are no longer valid. This means that an EU citizen added to a US-based PACS must be tracked and removed once that entry is no longer relevant, or upon the citizen’s request.

Without question, compliance with GDPR will be challenging, and the complicated and inefficient manual processes organizations often employ to transform policies into practice do nothing to ease the burden.


How Can PIAM Solutions Help with GDPR Compliance?

The good news is that advanced PIAM solutions bridge the gap between policy and process by employing policy-based automation, deep systems integration and strong auditing capabilities to help organizations comply with the main requirements of GDPR more effectively and efficiently, enabling them to do business in Europe or with EU citizens without fear of incurring fines or other penalties.

PIAM helps with GDPR compliance in five key areas:

1. Automation
The process of implementing GDPR requirements across PACS often relies on the human element in the form of incredibly time-consuming and error-prone manual processes. PIAM solutions remove these obstacles by applying policy- and rules-based automation to streamline all processes, from identity enrollment through the auditing necessary to demonstrate compliance. Furthermore, PIAM tracks all of the places information has been propagated making audit and deletion a straightforward process.

2. Pseudonymization
One of the benefits of PIAM embraced by GDPR is the ability to use pseudonyms to obscure individuals’ personal data, which can go a long way toward easing compliance. With PIAM solutions, organizations can replace first and last names with a unique ID within identity records. Rather than transferring personal data to PACS systems, the PIAM solution sends only this pseudonymous ID, not individual names and other details. This tactic is encouraged in the GDPR regulations (in recital 28), and it is something that would be difficult, if not impossible, to do using PACS alone.

An additional benefit of pseudonymization concerns breach notification: under GDPR, organizations are required to report any breach of personal data to individuals within 72 hours of the incident or face fines. However, this requirement applies only to personal information and is waived if the breached data has been anonymized. Therefore, employing pseudonymization can substantially limit both risk and liability.

3. Self-Service Enrollment
In addition to improving security, properly enrolling employees, contractors, visitors and others in a PACS also plays a key role in GDPR compliance. PIAM solutions allow organizations to create a self-service enrollment process that not only streamlines onboarding but also can be used to meet the consent and purpose mandates of GDPR. During enrollment, employees, contractors, visitors and other third parties can be given access to their own profiles, where they can view what personal information is being collected, for what reason and how that information will be used, and where each individual’s consent is recorded. Capturing this data at the time of registration or request for access eliminates potentially costly and time-consuming tasks from the GDPR compliance process.

Additionally, a self-service portal can be used to allow individuals to review data collection and usage policies, and give them a method to revoke consent to have their information stored and used for access control and other purposes, at which time the system would automatically erase all data related to an individual – addressing another important GDPR requirement.

4. Systems Integration
One of the biggest strengths of PIAM solutions is the ability to tie multiple disparate systems together easily so that information can be aggregated. This encompasses access control, visitor management and other security systems, as well as non-security systems such as human resources, time and attendance and others. The PIAM solution can serve as a central hub for all of these systems, giving organizations a single source for management.

For GDPR compliance, if an individual requests that their information be removed, an organization can simply remove the data from the single PIAM solution and know that it will automatically be removed from all integrated systems simultaneously, satisfying compliance requirements.

5. Audits
As with any regulation, demonstrating compliance with GDPR is vital and must be done regularly to avoid penalties. This can be a daunting task that requires thorough auditing and reporting. Unfortunately, these critical tasks are often performed using costly, time-consuming and error-prone manual processes. However, non-compliance is not an option, as the potential cost and penalties are even more daunting.

PIAM reduces this strain on an organization’s resources by employing automation that enables efficient auditing of systems and locations, along with the robust reporting capabilities needed to demonstrate compliance. For example, when user consent is recorded or when individual data is automatically deleted from PACS and all other integrated systems when requested in accordance with GDPR, that action is stored within the system. Rather than rely on people to collect and report this information, PIAM allows organizations to generate compliance reports with the click of a button – significantly reducing regulatory reporting costs. This function can also be programmed to be performed at regular intervals to ensure timely reporting and compliance.
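As an added illustration (not code from the original article or from any vendor’s product), the following minimal PIAM-style hub in Python ties together the pseudonymization, consent, integration and audit points above: the hub alone holds the name-to-pseudonym mapping, pushes only the pseudonym and access attributes to connected PACS stores, tracks every place a record was propagated, and on consent withdrawal deletes those copies and the mapping while logging each step. The connector names, record layout and the use of a random pseudonym are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class PiamHub:
    """Hub: personal data and the pseudonym mapping live only here (hypothetical design)."""
    identities: dict = field(default_factory=dict)   # pseudonym -> personal record + consent
    connectors: dict = field(default_factory=dict)   # assumed downstream stores: name -> {pseudonym: record}
    propagation: dict = field(default_factory=dict)  # pseudonym -> connectors it was sent to
    audit_log: list = field(default_factory=list)    # (event, pseudonym, detail)

    def register_connector(self, name):
        self.connectors[name] = {}

    def enroll(self, first, last, purpose, consent_given, clearances):
        """Self-service enrolment: consent is recorded before anything is propagated."""
        if not consent_given:
            raise ValueError("enrolment requires recorded consent")
        pid = secrets.token_hex(8)  # random pseudonym, not derivable from the name
        self.identities[pid] = {"first": first, "last": last, "purpose": purpose, "consent": True}
        self.audit_log.append(("consent_recorded", pid, purpose))
        for name, store in self.connectors.items():
            store[pid] = {"clearances": list(clearances)}  # the PACS never receives the name
            self.propagation.setdefault(pid, set()).add(name)
            self.audit_log.append(("propagated", pid, name))
        return pid

    def erase(self, pid):
        """Consent withdrawal: delete from every tracked system, then drop the mapping."""
        for name in sorted(self.propagation.pop(pid, set())):
            self.connectors[name].pop(pid, None)
            self.audit_log.append(("deleted", pid, name))
        del self.identities[pid]
        self.audit_log.append(("mapping_deleted", pid, "piam"))

    def connectors_free_of_names(self):
        """Audit check: no downstream record carries a name field."""
        return all("first" not in rec and "last" not in rec
                   for store in self.connectors.values() for rec in store.values())

    def compliance_report(self):
        """Per-pseudonym event counts (consents, propagations, deletions) for auditors."""
        report = {}
        for event, pid, _ in self.audit_log:
            per = report.setdefault(pid, {})
            per[event] = per.get(event, 0) + 1
        return report
```

The downstream records are anonymous only once the hub’s mapping is gone; while the mapping exists they remain pseudonymized personal data, which is why `erase` removes the mapping last and logs it.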

Advanced PIAM solutions are the key to physical security teams meeting the daunting task of implementing processes to ensure their organizations meet GDPR requirements. With automation of the manual processes needed to perform the tasks required under GDPR, strong integration of security and other business systems and thorough auditing capabilities, organizations can deploy PIAM solutions to effectively and efficiently ensure GDPR compliance and avoid hefty and potentially business-ending penalties associated with non-compliance.