GDPR access control and authentication
You will have deduced from previous blogs in our GDPR series that the regulation does not always stipulate specific security measures for protecting personal data. Often it is down to the data controller to implement measures appropriate to the risk and the sensitivity of the data.
While there are no specific guidelines for your authentication and access control policies, as experts in secure data transfer we recommend a stringent approach based on the following three articles.
Article 25: Data Protection by design and default
This article seems a bit of a catch-all for anything security-related, but it is also the bedrock of GDPR implementation. Alongside the expected security points, there is one sentence that applies directly to access control:
“In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
This sentence is explicit: only those 'natural persons' who need access in order to process the data should have it. From a security point of view, access to any personal data should be restricted on a need-to-access basis, and that applies to administrators as much as to general users.
The word 'indefinite' deserves attention too. Dictionaries offer 'unlimited' and 'not determined', but in this context 'vague or unclear' is the more useful reading: the regulation objects to personal data being reachable by an ill-defined population. From this we can infer that the Access Control List (ACL) for any personal dataset should be kept to a minimum, should name specific identities rather than broad groups or anonymous access, and should make clear why each entry was granted. From a GDPR perspective, that justification belongs in the Data Protection Impact Assessment (Article 35) that defines the whole process.
One could also argue that the 'appropriate technical and organisational measures' Article 25 calls for extend to how people prove who they are. For authentication, that points to multi-factor authentication (MFA). The GDPR contains no explicit MFA requirement, but it is reasonable to treat MFA for anyone with access to personal data as part of 'data protection by design and by default'.
Article 32: Security of processing
This article requires controllers and processors to implement security measures appropriate to the risk: the more likely or the more severe the disclosure, loss or destruction of data would be, the stronger the controls must be. The requirement is to assess the risks arising from the processing and select measures accordingly; the regulation cross-references this article from Articles 30 and 39.
Article 30: Records of processing activities
This article centres on recording the security measures you have in place. Article 30(1)(g) asks for "a general description of the technical and organisational security measures referred to in Article 32(1)".
For access control, this means keeping a record of what access has been granted to whom and, perhaps more importantly, why. Recital 82 adds that these records of processing activities are to be maintained and, on request, made available to the supervisory authority. Keeping the change history of the ACL (grants, revocations and expiries) alongside the current list makes such a request straightforward to answer.
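The two points above (an ACL that is deny-by-default, names specific people and records why each entry exists, and a change history that can be produced on request) can be made concrete in code. The following is an added example written for this post, not code from any MFT product: a small deny-by-default ACL in which every grant carries a reason and an optional expiry, wildcard subjects are refused, expired grants are pruned, and every change is appended to an audit log from which an Article 30-style description can be generated. The class and function names (`PersonalDataACL`, `example_scenario`), the DPIA reference strings and the sample identities are all assumptions made for the illustration.

```python
"""Deny-by-default ACL for a personal-data set: every grant carries a reason and an
expiry, wildcard subjects are refused, and every change is logged so that the
Article 30 record can be produced on request. Added example, not the page's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

PERMISSIONS = ("read", "write")
# Assumption: these are the spellings of "an indefinite number of persons" we refuse.
WILDCARD_SUBJECTS = {"*", "everyone", "anonymous"}


@dataclass(frozen=True)
class Grant:
    subject: str                    # a named natural person or service identity
    dataset: str                    # the personal-data set the grant covers
    permission: str                 # "read" or "write"; write does not imply read
    reason: str                     # why access is needed (e.g. a DPIA reference)
    granted_by: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None means "until explicitly revoked"


class PersonalDataACL:
    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str, str], Grant] = {}
        self.audit_log: List[dict] = []   # append-only record of every change

    def grant(self, subject: str, dataset: str, permission: str, reason: str,
              granted_by: str, now: Optional[datetime] = None,
              ttl: Optional[timedelta] = None) -> Grant:
        now = now or datetime.now(timezone.utc)
        if subject.strip().lower() in WILDCARD_SUBJECTS or "*" in subject:
            raise ValueError("grants must name a specific person, not a wildcard")
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r}")
        if not reason.strip():
            raise ValueError("every grant needs a documented reason")
        g = Grant(subject, dataset, permission, reason.strip(), granted_by, now,
                  now + ttl if ttl else None)
        self._grants[(subject, dataset, permission)] = g
        self._log("grant", g, granted_by, now, reason)
        return g

    def revoke(self, subject, dataset, permission, revoked_by, reason, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        g = self._grants.pop((subject, dataset, permission), None)
        if g is None:
            return False
        self._log("revoke", g, revoked_by, now, reason)
        return True

    def is_allowed(self, subject, dataset, permission, now=None) -> bool:
        """Default deny: only an exact, unexpired grant returns True."""
        now = now or datetime.now(timezone.utc)
        g = self._grants.get((subject, dataset, permission))
        return g is not None and (g.expires_at is None or now < g.expires_at)

    def prune_expired(self, now=None, actor="system") -> int:
        """Keep the list minimal: drop expired grants and log each removal."""
        now = now or datetime.now(timezone.utc)
        expired = [k for k, g in self._grants.items()
                   if g.expires_at is not None and now >= g.expires_at]
        for k in expired:
            self._log("expire", self._grants.pop(k), actor, now, "ttl elapsed")
        return len(expired)

    def processing_record(self, dataset: str) -> List[dict]:
        """Article 30-style description: who currently has access to a dataset and why."""
        return sorted(
            ({"subject": g.subject, "permission": g.permission, "reason": g.reason,
              "granted_by": g.granted_by, "granted_at": g.granted_at.isoformat(),
              "expires_at": g.expires_at.isoformat() if g.expires_at else None}
             for g in self._grants.values() if g.dataset == dataset),
            key=lambda r: (r["subject"], r["permission"]))

    def _log(self, event, g, actor, when, note):
        self.audit_log.append({"event": event, "subject": g.subject, "dataset": g.dataset,
                               "permission": g.permission, "actor": actor,
                               "at": when.isoformat(), "note": note})


def example_scenario() -> dict:
    """Constructed sample data: one payroll dataset, two staff members, and one
    time-limited grant that has already lapsed."""
    now = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    acl = PersonalDataACL()
    acl.grant("alice@example.org", "hr/payroll", "read",
              reason="Payroll officer; runs the monthly salary export (DPIA HR-01)",
              granted_by="dpo@example.org", now=now)
    acl.grant("bob@example.org", "hr/payroll", "read",
              reason="External auditor; 30-day engagement (DPIA HR-01)",
              granted_by="dpo@example.org", now=now - timedelta(days=31),
              ttl=timedelta(days=30))
    try:  # an "everyone can read" entry is exactly what Article 25(2) forbids
        acl.grant("*", "hr/payroll", "read", reason="convenience", granted_by="admin", now=now)
        wildcard_rejected = False
    except ValueError:
        wildcard_rejected = True
    return {
        "alice_read": acl.is_allowed("alice@example.org", "hr/payroll", "read", now),
        "alice_write": acl.is_allowed("alice@example.org", "hr/payroll", "write", now),
        "bob_read_after_expiry": acl.is_allowed("bob@example.org", "hr/payroll", "read", now),
        "carol_read": acl.is_allowed("carol@example.org", "hr/payroll", "read", now),
        "wildcard_rejected": wildcard_rejected,
        "pruned": acl.prune_expired(now, actor="dpo@example.org"),
        "register": acl.processing_record("hr/payroll"),
        "audit_events": [e["event"] for e in acl.audit_log],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(example_scenario(), indent=2))
```

Two design choices are worth noting. The permission check matches an exact (subject, dataset, permission) tuple and nothing else, so there is no group or wildcard path that could quietly widen access; broadening access means adding a named entry with a reason. And expiry is enforced at check time as well as by `prune_expired`, so a lapsed grant stops working even if nobody has run the clean-up yet, while the clean-up keeps the record that auditors see short and current.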
Managed File Transfer (MFT) solutions have several features that will address any authentication and access control concerns ahead of the GDPR.
Organisations should be able to create unique user identities within a file transfer system (no shared accounts) and monitor what each identity does. The system either needs to provide a robust mechanism for setting password strength and expiration policies, or delegate authentication to an existing identity system such as a corporate directory or single sign-on provider, whose policy controls are generally more mature. Some systems offer Multi-Factor Authentication (MFA), where users confirm their identity by another means, for example a one-time code from an authenticator app or hardware token. Codes sent by email or text message also count as a second factor, but they are the weakest form, because the delivery channel itself can be compromised.
Additionally, the system should restrict users to only the data they require, without being so restrictive that they cannot do their work. Organisations also need to think about how third parties prove their identity. For example, a recipient at another organisation should authenticate before collecting files shared through an Enterprise File Sync and Share (EFSS) system, rather than receiving an unauthenticated download link.
You may also want to consider encrypting data at rest, which will add an additional level of security. You can find out more in our earlier blog post, Encryption at rest for GDPR.
If you would like to find out more about how GDPR will impact your data transfer and file sharing systems and processes, download our White Paper.