GDPR Checklist for an IDaaS Solution — Part 1

Buddhima Udaranga
3 min read · Oct 22, 2022


Introduction

Recently I have been researching GDPR and how it matters to IDaaS applications. IDaaS (Identity as a Service) is a SaaS model that allows users to connect to and use identity management services from the cloud. Using IDaaS for applications has created a win-win situation for businesses and end customers.

Modern IDaaS solutions offer many features that are focused on making life easy for the end customer. On the other hand, businesses do not need to worry about the security and infrastructure of their identity data. They can simply hand that burden over to an IDaaS solution.

What is GDPR compliance

The General Data Protection Regulation (“GDPR”) is a legal framework that requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. It covers all companies that deal with the data of EU citizens, specifically banks, insurance companies, and other financial companies.[1]

GDPR legislation applies to you whenever you handle European customer data, regardless of where your business is located. So if you run a business that serves the European market, you will definitely come across the term GDPR.

Why GDPR matters to an IDaaS Solution

IDaaS solutions provide identity and access management as a service. These platforms perform three basic tasks: identify, authenticate, and authorize. To perform these tasks the system needs some information from the user. Based on that information, the IDaaS solution decides whether this is the right person with the right access to the requested resource.

The information that the service needs to make this decision can be categorised into three parts.

  • What you know
  • What you have
  • What you are

What you know usually refers to usernames and passwords. What you have might be an ID card or a passport: physical evidence, unlike usernames and passwords. What you are refers to biometrics such as fingerprints and face IDs.

IDaaS solutions need to process this information to produce an output about the authenticity of the user. As I described earlier, GDPR is very concerned with personal data that can uniquely identify an individual among others, which is the very definition of the data used in an IDaaS solution.

Hence, if you are developing an IDaaS solution, you will be the most affected by GDPR legislation.

What are PIIs

PII, or Personally Identifiable Information, is any data that could potentially identify a specific person uniquely. Examples are a name, ID number, telephone number, fingerprint, or email address.

There can also be situations where non-PII becomes PII once additional information is provided alongside it.

PII can also be divided into sensitive and non-sensitive data. Although non-sensitive PII such as a name or address can be found in some public records, leaking sensitive PII such as credit card numbers and biometrics should be treated as a data breach.

So we now have a basic idea of what GDPR is and why it matters to an IDaaS service. In the next section we will analyse the requirements that need to be met to achieve GDPR compliance for an IDaaS service.
