General Data Protection Regulation
Superseding the Data Protection Directive 95/46/EC, the EU General Data Protection Regulation 2016/679 (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area.
It aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. All businesses have been subject to GDPR requirements since 2018. Violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, so ensuring compliance must be a priority.
Privileged Access Management can be a significant tool in ensuring GDPR compliance.
How PAM Helps with GDPR Compliance
The GDPR sets out 6 key principles. Here is how Osirium PAM assists with each.
Article 5(1) requires that personal data shall be …
Lawfulness, fairness and transparency
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;”
The first principle of GDPR, lawfulness, fairness and transparency, is the essence of GDPR. The way in which PAM helps companies meet the other five GDPR principles provides the evidence that demonstrates lawfulness, fairness and transparency.
“b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;”
The purposes of data collection are for the organisation to decide. Companies must set a framework in which the data will be accessed, processed and eventually deleted. This is the organisation’s GDPR policy. Osirium PAM effectively works as a ‘policy enforcement’ product. Whilst many other products focus on protection, Osirium PAM goes beyond this, implementing policy whilst keeping human elements away from the most vulnerable methods of data access.
“c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;”
Principle 3 is a qualifier to the policy in principle 2. The ‘limited’ part of this principle is enforced by Osirium Automation. It is not always necessary for an individual to have full access to a database. For example, their work may require only that they deal with the customer who is currently on the phone. Using Automation (which is part of Osirium PAM and is also available standalone), a task can be created whereby the data retrieved is adequate, relevant and limited to the task at hand. This approach prevents both the individual and anyone else who has stolen that individual’s credentials from extracting the whole database.
“d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;”
This is the part of the policy that relates to timeliness and accuracy. Osirium PAM can help where customer service provisioning is complex, with many parameters. We’ve used task automation to limit access to the minimum data and commands required to complete a piece of work, so that it restricts access to sanitised commands only, preventing human errors.
“e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;”
Retention periods are a property of the underlying systems that store the data rather than something Osirium PAM controls.
Integrity and confidentiality
“f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
At its core, Osirium does two things:
1) ‘Identity In – Role Out’. This approach speaks directly to the essence of the sixth principle. Your organisation will be able to identify who has access to what, even when ‘shared accounts’ are used. Mapping each action to an identity gives a much better level of protection than giving humans the privileged account credentials themselves.
2) ‘Delegate the Task, not the Privilege’. This is achieved through our Privileged Task Management module and is the strongest form of data security. Users no longer have direct access to systems, devices or applications, so they cannot make bulk data copies or change underlying access rights.