At first glance, identity and access management (IDM) systems do not seem to have anything in common with RODO (the GDPR) or the work of Personal Data Protection Inspectors (IODO). Admittedly, IDM is not a recipe for compliance with RODO, but it can be quite a useful tool for the IODO.
The SimplySec team has been dealing with IDM issues almost since the beginning of the Polish transformation after the fall of communism in our country. We mention it not to show off, but to better illustrate the fact that in this area we do know what we are talking about.
Moving on to the main issue concerning RODO, IODO, and IDM, we first have to name the biggest problem the Personal Data Protection Inspector faces in every organization: at the moment, it is certainly keeping consents to access personal data up to date. A company is made up of people, so it is like a 'living organism' that changes all the time. The greater the number of employees, the greater the changes.
Therefore, without a full, real-time view of who has access to which data, and without identifying where personal data is stored and processed, it is hard to meet legal requirements. Sometimes it is hard even to determine which of the many applications and systems actually have access to personal data.
Besides, organizations often use a semi-automatic management process. This means that all access requests are first approved by the business and are then subject to the IODO's approval. Then there is the need to periodically review access authorizations, which may turn out not to reflect reality.
IDM, a tool for IODO
An IDM implementation comes with an overview of permissions for all the systems within an organization. As a result, from the IODO's point of view, the risk of leaving one of the systems unsupervised is minimized.
IDM enables IODO to take an active part in the process of granting access to personal data. At the same time, as IDM is an electronic tool, it is possible to carry out inspections as often as necessary.
IDM won't replace a handwritten authorization when one is required, but it can give an overview of the entire organization. It is really useful when extending expiring authorizations and evaluating them. With IDM the process can be carried out much faster, which in some cases can have a positive impact on ensuring business continuity.
IDM-class systems can certainly be a tool that supports the activities of the Personal Data Protection Inspector. Their basic function is, of course, to ensure a higher level of security; however, as we have shown in this article, IDM functionality can also be used in the area of personal data protection.