IAM is a cornerstone in GDPR implementations, but both GDPR and IAM implementations are far from easy. Together, they are even more complex. In order to reap the benefits, you need to overlay two projects: building your IAM and creating your compliance program. These projects are very different in nature and owned by essentially very different people – legal and security, and may already in the beginning lack a common language.
In a successful cross-professional GDPR+IAM project, you need to understand how law and technology interplay in your organisation. In general, GDPR compliance has a nexus of touchpoints with IAM, but it needs to be supported by appropriate processes and documentation to be considered as a GDPR compliance measure by lawyers. Statutory security is not an easy read in the GDPR. Many of the documentation and process requirements contain essentially the same information as conventional access management, log and information security policies, but now with more content from GDPR, and aligned from a data privacy perspective.
Data protection requirements are more prominently present in CIAM implementations in the consumer market, because in addition to identity and access, they serve the core of the GDPR – i.e. efficiently manage personal data in a manner that overlaps data subject rights. In essence, CIAM implementation and architecture may provide companies great advantages in satisfying novel functional requirements of the GDPR, such as data portability.
Key Takeaways:
