paint-brush
Conquer GDPR Article 32: Locking Down Data Segregation and Identity-Based Accessby@sabikat
344 reads
344 reads

Conquer GDPR Article 32: Locking Down Data Segregation and Identity-Based Access

by Sabika TasneemMarch 29th, 2021
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Understand the importance and tools of implementation for data segregation through access control GDPR compliance to address Article 32.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Conquer GDPR Article 32: Locking Down Data Segregation and Identity-Based Access
Sabika Tasneem HackerNoon profile picture

€158.5 million… That’s the total penalty imposed on organizations that violated General Data Protection Regulation (GDPR) requirements in just 2020. Shocking, isn’t it? GDPR came into effect in Spring 2018, but many organizations still haven’t taken appropriate measures to meet these requirements. So, you are definitely not alone in this struggle! Now, you might be wondering how solutions with data segregation capabilities can help you meet GDPR requirements?

Why was GDPR introduced?

Before diving into what exactly data segregation is, let’s first understand the aim of GDPR. Rather than looking at GDPR as a looming giant, we should reel back in a little and try to look at it from the perspective of the general public, which every one of us is a part of. GDPR was imposed with the intent of establishing a “privacy-first” culture in the EU and EEA areas. Hence, organizations will be held accountable for how they collect, store and process data containing personally identifiable information (PII). This regulation has encouraged other regulatory bodies worldwide to bring effective laws for personal data protection; for instance, CCPA came soon after GDPR in June 2018 to enhance privacy laws for California residents.

Fulfill GDPR Requirements by Managing Access through Data Segregation Capabilities:

Moving on to the topic at hand, organizations can opt for processing systems with access management features working alongside data segregation features to ensure that only authorized personnel gain access to the data being processed.

Wondering why access control through data segregation is important for GDPR compliance? Minimizing data exposure and ensuring that the data is only accessed by authorized personnel is a core part of maintaining personal information privacy. This is especially detailed in GDPR’s Article 32, which sheds light on the aim behind the need for access controls and data segregation.

GDPR Article 32 – Security of Processing:

Article 32 specifically enforces organizations to have resilient processing systems with security measures to prevent security breaches and unauthorized access to the data. Its clause 1(b) states:

“The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”

Clause 2 further exemplifies the importance of data segregation and access controls:

“In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

What is Data Segregation?

To fulfill the requirements of GDPR’s Article 32, your organization must first evaluate all the various types of data it handles. Some examples could include:

  1. Data collected through website cookies
  2. Credit card information
  3. Recorded online meetings
  4. Video surveillance footage

Your organization should evaluate the sensitivity of each type of personal data and the risks associated with these. Based on this evaluation, data can be stored in a segregated form as advised by GDPR. This can be done in two main ways:

  1. Segregation based on user groups can be created within your processing system. This could be groups created based on the organization’s departments or teams created for special projects. Data related to each group can be restricted to that specific group.
  2. The second way of implementing data segregation is to create separate data categories in your processing system, for instance, “training category” or “finance category”. It might also be possible to create multiple autonomous portals for data segregation. This can be created in case your organization has to handle highly sensitive data like surveillance footage. Access to only relevant user groups, user roles, or specific users can be given based on the different requirements.

Utilizing Access Controls with Data Segregation

Organizations must have data processing systems with appropriate access controls to fulfill GDPR requirements. As stated earlier, access can be assigned to user groups directly for each category or directly sharing relevant data with relevant groups.

Another method of swiftly managing access is by dividing all users in your system into different roles based on their job seniority or trust level. These user roles can then be utilized for maintaining role-based access controls for the data stored in your processing system, which is not restricted to a certain group, category, or portal.

Identity Management Is the Last Piece of This Puzzle

Managing access in combination with data segregation will be in vain if your processing system doesn’t have strong authentication management. This is to ensure that only authenticated users get access to your organizational data. This can be done through single sign-on integration with different types of identity providers based on your needs.

Finally, let’s explore some important tools to help you implement these solutions with ease based on your specific data needs.

Content Management System (CMS)

Organizations typically use simple CMS to create, edit, and store digital content while maintaining security.

SharePoint

SharePoint is a web-based collaborative platform for enterprise content management while meeting your security needs. Content on SharePoint can be easily segregated into different folders and within different teams. Users can also be assigned various roles as well. Users can then be added to relevant teams and permissions can be assigned to each user role. SharePoint also supports multiple authentication methods and providers for Windows authentication, forms-based authentication, and SAML token-based authentication.

Laserfiche

Laserfiche is another enterprise CMS that excels in workflow automation to capture, secure, and organize content swiftly. It has access management capabilities with guidelines to mark the sensitivity of each data type. User roles can be defined with different pre-set responsibilities and permissions. Content folders, as well as user teams, can be created for seamless data segregation. Users can be registered through 3 types of identity providers for single sign-on: Active Directory, Active Directory LDAP, and SAML.

Enterprise Video Content Management (EVCM) System

EVCM systems are one step ahead of simple CMS. These tools are designed for handling larger data. They are specifically made to handle videos with powerful features like video library creation, limited sharing and social sharing options, AI capabilities to improve searchability and analytics, detailed branding, and content organization features.

VIDIZMO

From recorded virtual meetings to company-wide townhalls to marketing videos and HR training, video has taken over the business world, with its storage and distribution requiring compliance with GDPR. This is where VIDIZMO comes in. VIDIZMO’s enterprise content management system is a central solution for publishing, analyzing, searching, and sharing all your videos and other digital media content in a secure platform with comprehensive role-based access management options that work alongside data segregation to help you meet all your GDPR requirements.

Role-based access controls are available with both pre-defined and custom role creation available. For content segregation, categories and completely autonomous content portals can be created to segregate sensitive content. VIDIZMO also has single sign-on integration with various identity providers, including directory services like Azure AD, identity access management services like OneLogin, and third-party services like Google and Facebook. Integrating with your company’s pre-existing ID directory will also give you a group synchronization option to import your current team groups rather than creating them from scratch.

Customer Relationship Management (CRM) Tool

With the prevalence of online sales and digital marketing, CRM tools are critical for storing, categorizing, and reaching out to contacts and managing online campaigns like email. These tools are perfect for handling analytics and other types of numerical data securely.

HubSpot

HubSpot is one of the most well-known CRM tools. It supports inbound marketing, sales, and customer service for lead generation and customer retention. For different organizational units and reporting purposes, organizations on HubSpot can create user teams. User roles can also be created with different permission sets. Assets on HubSpot can be segregated into these teams with access given to users with appropriate permission levels. HubSpot also integrates with single sign-on providers that use SAML 2.0.