Entrust Datacard’s mission is ensuring the trustworthiness of identity, both online and in-person. And trusted identity plays an essential role in securing personally identifiable information (PII), so that it can be used to improve the users’ experience of a business process without infringing their right to privacy. A significant event will take place next year when a new data protection regime comes into force in Europe, replacing its 20-year-old predecessor. The new regime is called the General Data Protection Regulation (GDPR). Much has changed on the eCommerce front in the intervening years, both in terms of available services and the threat landscape. So, this update is timely.

The maximum fines defined by GDPR, which can be as high as €20M or 4 percent of global annual turnover, and the stringent breach notification requirements, are bound to attract attention in the enterprise C-suite, and influence information-security investment decisions.

The breadth of the regulation is significant, both in its applicability to any global company that processes the personal data of data subjects in the Union, and the broad definition of the types of data covered (including such identifiers as IP addresses, device identifiers, and pseudonymised identifiers).

Companies around the world will (or should) now be embarking on a program of work to analyze what personal data they collect, process, and store, why they need it, how long they need to keep it, and what they use  it for, while assessing and prioritizing any changes they need to make, and initiating implementation projects.

Of course, there is no single combination of technologies that can ensure compliance. The appropriate solution will likely be different for each organization, based on the current state of its identity and access management maturity and their data inventory. However, a strong digital identity is fundamental to protecting access to all types of sensitive information. While best practices (as identified by a range of sector-specific regulations) vary between use-cases and vertical markets, the use of strong authentication (commonly referred to as multi-factor or two-factor authentication) is a common safeguard. Strong authentication is analogous to putting a lock on the door and having appropriate control to ensure the keys are well-secured, thereby protecting access to PII.

Multi-factor authentication is widely deployed across regulated industries for employee access to sensitive systems and information resources. And, more recently, consumer and customer deployments of multi-factor authentication are becoming commonplace in the banking, healthcare, and government sectors.

GDPR requires holders of PII to allow data subjects access to their personal records, and to make corrections in the event of an error. This will likely drive a requirement for more flexible authentication solutions; ones that can deliver lower user-friction and lower operating cost. Organizations will likely face the need to simultaneously support a variety of authentication methods, each tailored to meet the unique needs of a user category.

Moving towards a more dynamic, proven, authentication platform, with the capability to secure access to applications and data on-premise as well as in the cloud, will bring benefits beyond helping to achieve GDPR compliance. Digital transformation itself will require strong identity at its core.

We recommend taking this opportunity to challenge your existing authentication vendor to ensure that they are the right partner to help you through this digital revolution, and to ensure that you are well prepared for the increasing demands of security and privacy regulations.

If you would like to learn more about digital identities and how they help to establish a trust foundation for your digital business, please visit www.entrustdatacard.com/digitalbusiness.

Additionally, you can read more about GDPR in our recently released White Paper, Trusted Identities — A Tool in Your European General Data Protection Regulation Compliance Toolbox

The information contained in this publication should not be construed as legal advice. Should further analysis or explanation of the subject matter be required, please contact an attorney.

Ian Wills