    Privacy Laws: The watchdog of authentication evolution

    By Aravind
    Published on March 15, 2022

    Over 137 countries have implemented data protection or information privacy laws to prevent the misuse of their citizens' personal data. Notable examples of data protection regulation include the General Data Protection Regulation (GDPR), a framework on data protection and privacy that sets guidelines on the procurement and use of personal data by organizations operating in the European Union. Other examples include the California Consumer Privacy Act of 2018 (CCPA) and its amendment, the California Privacy Rights Act of 2020 (CPRA), which will be in force starting on January 1, 2023. Compliance with all of these regulations extends to any organization conducting business in these geographies, whether foreign or domestic.

    The relevance of implementing data regulation policies in authentication has increased with the emergence of identity and access management (IAM). IAM utilizes credentials that are based on sensitive information about the user and the device, such as facial identity, fingerprints, geographical location and device-related specifications. Organizations are steadily gravitating towards IAM: a survey by Fortune Business Insights predicts that the "IAM market is projected to grow from USD 13.41 billion in 2021 to USD 34.52 billion in 2028 at a CAGR of 14.5%."

    With privacy regulations set in motion, IAM solutions will be directed to implement ethical cybersecurity practices for processing the personally identifiable information given by users. Some of the core principles that benefit both user and the service include:

    Data security by design

    An important aspect of privacy regulations is the emphasis on cybersecurity solutions accommodating data protection measures by default. Article 25 of the GDPR requires security processes to include technical and organizational measures, such as anonymization and data minimization, as a fundamental part of their core functionality. Apart from protecting the rights of data subjects, data protection by design can also benefit organizations. Using data minimization, which means a cybersecurity solution collects only the amount of data it actually needs from the user, organizations can run an efficient and simplified authentication process without having to deal with overwhelming amounts of data. Handling minimal data also makes businesses less prone to debilitating cyberattacks, since there is less to lose if a system is compromised.

    Another strategy to guarantee data minimization is the periodic deletion of data. Article 17(1)(a) directs processors to delete data once it is no longer necessary for the purpose it was initially collected for. By promptly deprovisioning invalid user accounts, organizations can curb the expansion of their threat surface, as attackers often use dormant user profiles as entry points to infiltrate networks.

    Among the most important provisions that uphold both data minimization and user consent are the "right to delete" and the "right to know" provisions secured by the CCPA, which empower users to recall and delete the information that organizations have collected from them.
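    The periodic-deletion idea above, turned into a dormant-account check with an audit trail. This is an added example, not code from the article or from any IAM product; it assumes a hypothetical directory export format, a 90-day idle window, and the policy choice that never-used accounts are measured from their creation date.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export from a user directory (not real users).
ACCOUNTS = [
    {"user": "alice", "created": "2021-01-10T09:00:00Z",
     "last_login": "2022-03-01T08:30:00Z", "status": "active"},
    {"user": "bob", "created": "2020-06-01T09:00:00Z",
     "last_login": "2021-05-20T17:10:00Z", "status": "active"},
    {"user": "svc-build", "created": "2021-11-15T09:00:00Z",
     "last_login": None, "status": "active"},
    {"user": "carol", "created": "2019-02-02T09:00:00Z",
     "last_login": "2020-01-03T12:00:00Z", "status": "disabled"},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dormant_accounts(accounts, now, max_idle_days=90):
    """Return [(user, idle_days, reason)] for active accounts idle past the window.
    Accounts that never logged in are measured from creation (hypothetical policy)."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            continue  # already deprovisioned; nothing further to do here
        if acct["last_login"] is None:
            reference, reason = parse_ts(acct["created"]), "never logged in"
        else:
            reference, reason = parse_ts(acct["last_login"]), "no recent login"
        if reference < cutoff:
            findings.append((acct["user"], (now - reference).days, reason))
    return findings


def deprovision_audit(accounts, now, max_idle_days=90):
    """Build audit-log lines recording each disable decision and its basis,
    so the DPO can evidence the retention policy during an audit."""
    lines = []
    for user, idle, reason in dormant_accounts(accounts, now, max_idle_days):
        lines.append(f"{now.isoformat()} action=disable user={user} idle_days={idle} "
                     f"reason=\"{reason}\" basis=\"retention policy, GDPR Art. 17(1)(a)\"")
    return lines
```

    Disabling first and deleting after a further grace period gives a legitimate owner time to object before the record is gone for good.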

    Emphasis on transparency

    The privacy laws have established a well-defined role for the data protection officer (DPO), who acts as an intermediary between the data subject and the officials involved in the processing of personal data. According to Article 39 of the GDPR, the responsibilities of a DPO are:

    • To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
    • To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
    • To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
    • To cooperate with the supervisory authority;
    • To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

    Supervising the testing and upgrading of systems is the responsibility of the DPO. In addition to ensuring that the organization complies with the regulations, the DPO is also responsible for maintaining accountability by reporting cyberthreats and data breaches to the organization's supervisory authority.

    Besides that, Article 33 of the GDPR states that in case of a personal data breach, organizations must notify the supervisory authority within 72 hours, and if the breach poses risks to the rights of the users involved, Article 34 directs organizations to communicate it to those users without delay.

    Demarcation of data

    Privacy laws have also played a major role in classifying the types of data that are procured by processors. The AB-375 provision of the CCPA has defined personal information as information that identifies, relates to, or could reasonably be linked with you or your household and further specifies it as follows:

    • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
    • Biometric information.
    • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.
    • Geolocation data.
    • Audio, electronic, visual, thermal, olfactory, or similar information.
    • Professional or employment-related information.

    Additionally, the CCPA and the GDPR have also established conditions for the procurement and processing of personal data pertaining to minors. According to Article 8 of the GDPR, the processing of a child's data is deemed lawful only if he or she is at least 16 years old, provided that the data collection is authorized by the holder of parental responsibility for the child. Such demarcations are necessary to enforce special protection for children's personal data, as children may not be aware of the implications of such practices.

    How authentication systems benefit from data privacy laws

    Data protection laws, while giving users more control over their private information, do not render authentication systems powerless. Standardization helps formalize the processes that organizations delivering cybersecurity-based solutions must follow: eliminating outdated information, assessing threats, and updating stakeholders on the status of security incidents. To summarize, privacy laws prioritize user experience while simultaneously accommodating technological advancements.
