The phrase always makes you think. Data privacy has a day, for people to focus on, think about it, and work towards betterment privacy. But what is data privacy? Should we call this something more relatable to people? Privacy is all about a person. Data doesn’t need privacy. People and what is important to every one of them needs privacy: their identity, their lives, and their information. Older laws were only focused on data, while newer laws are becoming more and more focused on the people. GDPR started the way, but the California Consumer Privacy Act (CCPA) is moving beyond a single person to recognize that even families have the right to privacy. Privacy is evolving, and the tough part for all industries is the speed of this change and the requirement that they legally have to keep pace with this evolution.
So the first thing that you have to focus on for privacy, is identity.
All the intricate little pieces of the person’s identity and together to make a person what they are. Many of those pieces of data are parts of their lives that people would rather not share with everyone. And they shouldn’t have to. So yes, privacy has to start with identity. Interestingly enough, most people have their identity and their lives, split into two parts. The first part is their personal life identity. The second part is that a corporate or business life identity. The first part is heavily managed by the services they use, so in the end very much about self-management. The second part is something that gets managed, more often than not, by their employer. Now, of course, there is some self-management there, but it takes an ethical employer to go far to support their employees in protecting their privacy.
Our corporate tagline is “security starts here”. Since security starts with privacy, and privacy starts with identity, sometimes I think it should be “privacy starts here”. The only way a business can manage the privacy of their employees is to manage their corporate identities. This includes making sure the right people have access to the right data. This includes validating that the data you have is correct, as incorrect data on a person can lead to mistakes that can cost them dearly, professionally or personally. That’s why data privacy laws almost always deal with the correctness of the data.
Just like in identity management, there are some fundamental concepts that you have to focus in on for privacy. It’s usually a good idea for the head of identity management and whoever is handling the privacy initiatives for a company sit down together and have a conversation. Quite often, each site goes on thinking they are working the bubble. And when they start talking they realize that this bubble includes both programs both the program for identity management and program for privacy and compliance.
The first fundamental concept for identity management is always authentication. You need to ensure that the person that connecting into a system is who they say they are. Identity management works to make sure that it’s the right person, while from a privacy program side authentication is much broader. What is it? From the privacy side, the main components of authentication are to provide control of who has access, utilizing specific individual access when it’s needed instead of some folks' concept of everyone that seems to lead to so many breaches. It also provides a notice of what you’re doing, you are logging into a system and that’s a very specific thing in the privacy world.
The second traditional concept for identity management is authorization. Authorization provides additional controls for getting the right data, the right information, only to the right people. This reduces access rights from everyone to the people that are appropriately needing the data, and only when appropriate. An incredibly important concept in the world of privacy, without this control, there is no privacy program, because it has failed.
The third traditional concept for identity management is administration. In identity management, this is controlling how authorization and authentication work. This is managing the provisioning and the numerous tasks that surround that provisioning and surround those controls. This can be roles, this can be attributes, but in the end, it is making sure the right person has the right controls. The privacy world these requirements are the same. Only the right people should have the right access to the right data.
The last piece of the traditional identity management program is audit. This is the concept that you can prove who had rights, who had access, and who used those rights to access data. This concept is mandated in privacy and compliance laws such as the GDPR. In identity management, this is what we want. The privacy world, this is what’s legally required.
So in essence, identity management is where privacy begins. The concept is simple. The right people, get the right access, to the right resources and only the right resources, at the right time in the right way - and you can prove it.
If you are the privacy officer of the company, you should reach out and speak to your identity management lead. And vice versa. You have more in common than you think.
Please think about the privacy of people during this Data Privacy Day.
About the author
Robert Meyers is a Compliance and Privacy Professional and Channel Program Solutions Architect for One Identity. He is a thirty-year veteran of the Identity and Access Systems and Information Security industry, with more than 10 years of that time focused on planning, supporting and managing privacy programs, such as FERPA, HIPAA, GDPR and CCPA. His experience also includes leadership responsibilities for nearly one hundred mergers and acquisitions. Robert regularly speaks at events about privacy topics. His extensive certifications includes IAPP Fellow of Information Privacy, CIPP/E, CIPT and the ISACA CISM.