Misuse and careless handling of personal data by some online companies have come to the attention of lawmakers, and the European parliament has responded with updated legislation. The EU directive that currently governs the processing of personal data dates from 1995; a time when the very suitability of the Internet as a platform for business was in question. While that uncertainty has been decisively resolved, questions remain about just how to obtain the benefits of the Internet while balancing, on the one hand, the use of personal data to enrich the online experience, and, on the other hand, setting appropriate boundaries on the use and handling of that data. The General Data Protection Regulation (GDPR), which comes into effect in May 2018, will become the yardstick by which privacy advocates around the world, such as Privacy International, will evaluate business models that rely on the use of personal data.

The renewed focus on privacy prompted by the GDPR provides an opportunity for businesses to rethink how they interact with their users (whether employees, contractors, partners, or customers), pushing the needs of the user to the forefront. While the shifting technology landscape enables new business models that demand rich content, anytime, anywhere, and on any device, it makes securing access ever more challenging. Business leaders are conscious that getting this wrong can quickly place them at a disadvantage; but get it right, and benefits will flow in the form of increased user loyalty.

User authentication plays a key role in addressing many important data protection principles, as it is essential to meeting security, access, consent, and accountability requirements. Authentication technologies are undergoing rapid change at the moment, as developments in personal devices, biometrics, and artificial intelligence pave the way for new authentication models. And, as the current legislation has been in place for over twenty years, we can expect authentication solutions to change significantly during the lifetime of the new legislation. Over time, technological improvements will lead to more cost-effective solutions, and best practice in the area will adapt. As the capabilities and costs of different authentication technologies evolve, the GDPR recognizes that the most suitable choice of technology will also evolve. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, operators will be required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk [0].

Cultural and generational considerations also affect the choice of suitable authentication technologies, as endpoint and infrastructure capabilities vary from place to place and between user communities. In addition, when used to authenticate employee access to corporate information assets and business functions, we find that the employee population is not uniform; the consequences of an authentication failure in the Human Resources or Finance departments, for instance, can be much higher than it is in the general user population.

Neither is the regulation limited to just access by users; authentication system administrators differ from the general user population in that the role they occupy may afford them authorized access to the records of large numbers of users. So, carelessness or malfeasance on their part could place the corporation at greatly increased risk from the much more severe damage that can result. The GDPR advises that steps be taken to ensure that administrators act solely on instructions from the processor [1]. For this reason, the proper balance between user acceptance and strength of mechanism as applied to system administrators will usually favor security.

While there is no single answer to the question of which type of authentication is best, the choice is, perhaps, one of the most public ways for an organization to communicate its commitment to sound stewardship of its users’ personal data, helping to build the trust between user and operator that is critical to the success of any online business.

For all these reasons, the most cost-effective long-term solution to user authentication includes a flexible platform that supports a broad range of authentication technologies today, and has the ability to accommodate new and improved ones in the future.

Develop your GDPR compliance toolbox: Get the White Paper

[0] Article 32

[1] Article 32. 4