The General Data Protection Regulation (GDPR) is one of the most critical privacy and data security compliance requirements that organizations must adhere to right now. GDPR has garnered a great deal of attention lately because it only went into full effect on May 25th, 2018, despite having been initially introduced in 2016. Organizations are subject to GDPR if they do business of any kind with organizations or individuals in the European Union (EU). These organizations are asking many questions about how best to achieve compliance, and one question in particular is how IDaaS (Identity-as-a-Service) supports GDPR Article 32.
What is GDPR Article 32?
It’s important to note that GDPR Article 32 is the section of GDPR that focuses on security controls. While the Article itself is not overly specific, its wide-reaching implications are significant. Article 32 essentially says that every organization must implement effective security controls appropriate to its business. From the statute: “[processor] shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
While some organizations will lean on the lack of specificity as justification for doing the bare minimum, savvy IT organizations are realizing that it is far better to be aggressive and proactive with compliance in this case. The EU has put some teeth into the GDPR statute, with significant fines and sanctions in place for those that don’t comply. Organizations failing to comply can face a fine of up to 2% of their annual global turnover or €10 million (whichever is higher). Since the regulation is still quite new, it is also fair to expect that the EU will soon be testing organizations for their readiness and compliance.
A core part of satisfying GDPR Article 32 is controlling access to confidential information, particularly data on EU citizens and organizations. In other words, an organization’s identity management solution needs to tightly control server and application access, and only permit access to those who hold the appropriate, privileged credentials.
Coalfire Audits IDaaS to Support GDPR Article 32
By leveraging a modern IDaaS platform, IT organizations can tightly control user access and support compliance for GDPR Article 32. Coalfire, a leading auditor, recently conducted a thorough and rigorous review of JumpCloud® Directory-as-a-Service® and its applicability to GDPR. For more information on why Coalfire believes that a modern IDaaS platform can be helpful in supporting GDPR, download the report here.
Modern IDaaS solutions, such as Directory-as-a-Service, can effectively satisfy the GDPR requirement and much more (see the Coalfire reports on HIPAA and PCI). Directory-as-a-Service centralizes identity control for systems (Windows®, Mac®, Linux®); cloud and on-prem servers (e.g. internal data centers, AWS®, Google Cloud Platform™, Azure®, etc.); web and legacy applications via LDAP and SAML; physical and virtual file servers such as NAS appliances, Samba file servers, Box™, and others; and wired and WiFi networks through RADIUS.
If you’re interested in hearing more about how IDaaS supports GDPR Article 32, or how JumpCloud can benefit your organization with far more than just compliance support, send us a note or give us a call. We’ll be happy to answer any questions you might have. Want to see the platform in action for yourself? You can schedule a demo or sign up for free today. Your first 10 users are on the house, always.