Is your Identity Management ready for the General Data Protection Regulation?

“Data is the oil of the 21st century” is a common phrase whenever topics like Big Data or espionage are discussed. And indeed, the business model of many companies is now based on collecting and analysing user data or behaviour. This involves not only obvious actors like social networks and search engines, whose goal it is to create exact profiles of their individual users, but also large advertising networks. Those networks combine the aggregated profiles with their own in order to deliver personalized advertising to the respective users as accurately as possible.

It was thus all the more important to harmonize the general framework for data protection across Europe with the General Data Protection Regulation (GDPR), in order to ensure an adequate level of data protection for all European citizens. The GDPR has been in force since 24 May 2016 and will be enforceable by the relevant supervisory authorities beginning 25 May 2018 (i.e. in about one year). On the basis of the GDPR, and with an eye on the ePrivacy Regulation (“Regulation on Privacy and Electronic Communications”), which is to take effect together with the GDPR in May 2018, national data protection laws such as the German “Bundesdatenschutzgesetz” are being revised to align with the GDPR.

In particular, each data processor must be aware that Article 5 (“Principles relating to processing of personal data”) contains an explicit accountability principle, which obliges the data controller to be able to demonstrate compliance with the requirements of the GDPR to the supervisory authorities if necessary.

Such proof shall, for example, be provided for the conditions laid down in Article 6 (Lawfulness of processing). The central condition here is that the data subject has explicitly agreed to the processing of his or her data for one or more specific purposes. For companies that work with personal data, this means that at the moment of the very first interaction with a new user or customer, it must be ensured that consent to the processing of the data is requested in a manner that complies with the GDPR. Article 7 (Conditions for consent) specifies stricter requirements for consent than those common in current national data protection laws. As a result, companies will probably have to pay more attention than before to rigorous documentation of the consent and to the possibility of revoking a given consent. If the consent is ineffective, and the processing of the data of those affected thus turns out to be inadmissible, heavy fines might quickly be the consequence.

Article 83 (General conditions for imposing administrative fines) defines the amount of the fines to be imposed, which can reach painful heights quickly. Even for minor violations, for example if no appropriate security measures according to the technological state of the art are implemented, fines of up to EUR 10 million, or (for companies) up to 2% of the worldwide annual turnover, are possible. In the case of infringements of the central principles of the regulation (in particular Articles 5, 6, 7 and 9) or of the rights of the data subject (Articles 12 to 22), the fine can be increased to up to EUR 20 million or, in the case of companies, to up to 4% of the worldwide annual turnover.

A central right for those affected is laid down in Article 17 (“Right to be forgotten”). Following a decision of the European Court of Justice, this right was a divisive point in discussions for some time, especially concerning search engines in particular and the internet as a whole. The GDPR guarantees this right in detail in its own article, whereas in the old EU Data Protection Directive it was merely one item in an enumeration of several other rights. Service providers will now have to pay close attention to the requirements of the GDPR, as otherwise the above-mentioned sensitive fines of up to 4% of the worldwide annual turnover can be enforced.

Another challenge for service providers is the right of data subjects to data portability (Article 20). This article stipulates that service providers and data processors must be able to offer each data subject the opportunity to export the aggregated data in a machine-readable format within a reasonable period of time. This right only covers data that was provided by the data subject or generated by her direct actions. An obvious approach for exporting the affected data from the databases of the provider would be to use XML or JSON as the machine-readable data format.

Especially in historically grown application environments, integrating the different applications, databases and identities of a user in the context of Articles 17 and 20 of the GDPR is a challenge that should not be addressed without support from appropriate experts in this field.

Article 25 is an important achievement of the new GDPR: the principle of “Data protection by design and default”. Establishing this principle as one of the central points of the Regulation ensures, on the one hand, that the measures implemented to protect personal data are state of the art (specified in more detail in Article 32) and, on the other hand, that the applied measures are proportionate to the level of assurance required to adequately protect the data. The protection need is determined solely by the risk posed to the data subject by the processing of the relevant personal data. For the data processor, this means that he has to change perspective when conducting a data protection specific risk analysis (compared to the classical information security management system (ISMS) approach). Therefore, merely reusing the risk analysis that has already been done for an ISMS might not be sufficient in the context of the GDPR.

What “Data protection by design and default” means in the area of identity management can be explained by the example of the innovative SkIDentity service: SkIDentity supports the management of digital identities through the introduction of a privacy-friendly single sign-on for enterprises and authorities. By leveraging state-of-the-art technologies, users can create Cloud Identities (CloudIDs) from their identity tokens (such as national identity cards) or other identity sources. Through its CloudID, a user always retains full control of her identity data, as the CloudIDs are not stored centrally on a server, but in a decentralized manner on a device of the user’s choice. A user can easily transfer a CloudID created on a PC to other devices (for example a mobile phone) and thus also use it in a mobile environment. Due to the decentralized storage of the CloudIDs, the deletion and blocking of each CloudID is completely in the hands of the user, and the risk of identity theft through successful attacks on a central infrastructure is significantly reduced.

Within SkIDentity, the principles of Privacy by Default and Privacy by Design have not only been taken into consideration, but have also been treated as essential design criteria and core themes of the service. Thus, Article 25, which is undoubtedly among the most important aspects of the new regulation, was already put into practice and implemented in SkIDentity even before the creation and publication of the GDPR.

This approach has not only been acknowledged with a number of international awards, but is also reflected in particular in the successful certification procedures based on the “Trusted Cloud Data Protection Profile” and on ISO 27001 based on IT baseline protection (IT-Grundschutz, of the German Federal Office for Information Security, Bundesamt für Sicherheit in der Informationstechnik, BSI), which in turn comply with the requirements of Articles 25 and 32, especially in the case of processing on behalf of a controller (Auftragsverarbeitung) pursuant to Article 28.

State-of-the-art protection (Article 32) is a broadly interpreted concept, which in particular takes account of the existing international standards and regulations, for example those of the BSI. Through deep knowledge of the relevant international standards and the active creation and maintenance of various technical guidelines on behalf of the BSI, ecsec GmbH is your competent partner for questions about the current state of the art and the efficient implementation of effective security solutions. For a secure login to Cloud and Web applications, the BSI has published the recommendations “Security Recommendations for Cloud Computing Providers” and the “Cloud Computing Compliance Controls Catalogue (C5)”, which recommend the use of strong authentication mechanisms with at least two factors.