Exploring the science and magic of Identity and Access Management
Wednesday, August 23, 2017

Identity – Critical for GDPR?

Identity, Privacy
Author: Mark Dixon
Friday, July 28, 2017
12:44 pm

How critical is Identity and Access Management to GDPR Compliance?

The somewhat radical underlying philosophy of GDPR is that enterprises must enable individual data subjects (EU citizens) to control their own Personally Identifiable Information (PII) and to grant or withdraw permission to store and use such data. Certainly, appropriate processes and technology are essential to protect the data “by design and default,” but the question remains: how can enterprises keep track of all the data subjects and their PII data?

I propose that Identity is at the heart of the matter. How can an enterprise:

  1. Know who all data subjects are and what personal data is being maintained?
  2. Know what rights of data use each data subject has granted?
  3. Know which PII data elements are being maintained and processed for each data subject?
  4. Enable data subjects to edit (rectify) any of the data elements being maintained?
  5. Allow each data subject to grant or withdraw consent?
  6. Securely authenticate and authorize data subjects when they desire access to their PII?
  7. Guarantee that only people with legitimate need-to-know can access PII?
  8. Enable data subjects to request erasure?
  9. Audit and certify processes for consent, use and erasure?
  10. Notify data subjects of any breaches?

There are probably more reasons, but this list is a start. In my opinion, Identity is at the heart of effective GDPR compliance.

By the way, as of today, there are only 300 days left.

Oracle White Paper: Helping Address GDPR Compliance

Information Security, Oracle, Privacy
Author: Mark Dixon
Thursday, July 27, 2017
12:00 pm

May 25, 2018 is bearing down on us like a proverbial freight train. That is the date when the European Union General Data Protection Regulation (GDPR) becomes binding law on all companies that store or use personal information related to EU citizens. (Check out the countdown clock on the GDPR website.)

Last week, Oracle published a new white paper, “Helping Address GDPR Compliance Using Oracle Security Solutions.”

Leveraging our experience built over the years and our technological capabilities, Oracle is committed to help customers implement a strategy designed to address GDPR security compliance. This whitepaper explains how Oracle Security solutions can be used to help implement a security framework that addresses GDPR.

GDPR is primarily focused on protecting fundamental privacy rights for individuals. By necessity, protection of personal information requires good data security. As stated in the white paper,

The protection of the individuals whose personal data is being collected and processed is a fundamental right that necessarily incorporates IT security.

In modern society, IT systems are ubiquitous and GDPR requirements call for good IT security. In particular, to protect and secure personal data it is, among other things, necessary to:

  • Know where the data resides (data inventory)
  • Understand risk exposure (risk awareness)
  • Review and, where necessary, modify existing applications (application modification)
  • Integrate security into IT architecture (architecture integration)

Oracle proposes the following framework to

… help address GDPR requirements that impact data inventory, risk awareness, application modification, and architecture integration. The following diagram provides a high-level representation of Oracle’s security solutions framework, which includes a wide range of products and cloud services.

[Diagram: Oracle GDPR Security Solutions framework, July 2017]

The paper primarily focuses on the “Enforcement” portion of this model, positing that:

… four security requirements are a part of many global regulatory requirements and well-known security best practices (i.e. ISO 27000 family of standards, NIST 800-53, PCI-DSS 3.2, OWASP and CIS Controls).

[Diagram: Enforcement]

In conclusion, the paper states:

The path towards GDPR compliance includes a coordinated strategy involving different organizational entities including legal, human resources, marketing, security, IT and others. Organizations should therefore have a clear strategy and action plan to address the GDPR requirements with an eye towards the 25 May, 2018 deadline.

Based on our experience and technological capabilities, Oracle is committed to help customers with a strategy designed to achieve GDPR security compliance.

May 25, 2018 is less than ten short months away. We all have a lot of work to do.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.