GDPR in Soffid
Soffid IAM (Soffid Identity and Access Management) software suite covers certain parts of the European General Data Protection Regulation (GDPR). This regulation mentions that best practices should be implemented in regard to Information Systems security. Best practices in this topic are covered by ISO 27001. Therefore, this document also presents Soffid’s coverage of the ISO 27001 (Information technology — Security techniques — Information security management systems — Requirements).
Out of a total of 11 Chapters with a total of 99 Articles in the GDPR, Soffid has substantial contribution in 3 Chapter and 16 Articles. Regarding the ISO 27001, Soffid has nearly full coverage of section A.9 Access control. On top of this, Soffid contributes with coverage of control in sections A.6 (Organisation and Information Security), A.7 (Human resources security), A.8 (Asset management), A.11 (Physical and environment security), A.12 (Operations security), A.15 (Supplier relationships) and A.17 (Information security aspects of business continuity management).
Summary of the regulation
On April 14, 2016, the European Parliament approved the General Regulation on Data Protection, with direct application in Member States.
Regulation enforcing date
The new legal framework for data protection will apply as of May 25, 2018.
Impact on processes
This normative change has a clear and important impact for the organizations, since it implies new obligations for the same that will affect not only the traditional fulfillment but also, and in a very important way, to the processes, as well as the way of analyzing the risks of privacy.
Main points of impact of the regulation:
1. The territorial scope is al EU states.
2. Data protection principles are expanded and reinforced: Limitation of purpose, data minimization, accuracy, limitation of preservation, integrity and confidentiality; and proactive responsibility.
3. Recognition of new rights to data subjects: Right to portability of data; right to oblivion; right not to be subject to decisions based solely on automated data processing – profiling; right to claim and appeal to the supervisory authority or to the person in charge.
4. Legal basis on which treatments are developed. Obtaining unequivocal consent. Specify and document legitimate interest.
5. New obligations: Registration of processing activities; Notification of security breaches; Data Protection Officer. Processes for attention to the exercise of rights
6. New paradigm in data protection: responsibility of accountability; privacy from design and default; impact assessments on data protection.
7. Self-regulation and certification: adherence to codes of conduct; establishment of certification mechanisms, seals and trademarks.
8. New sanctioning regime: penalties up to 4% of total annual global turnover.
Soffid, being an integral solution of access control and identity management, provides the following solutions (within the framework of this new regulation):
1. Organization of data by identity, unification and quality of data. Unique location of data, conservation, integrity and confidentiality of data.
2. Obtaining data, portability of data, right to forget and obtaining consents with the integration of Soffid business process manager.
3. Management of all the processes and treatments that are done to the data. Audits and reports of all operations carried out on the data, solving the obligation to have a Register on the treatment activities.
4. Notification and detection of security breaches
5. Certification process managed by Soffid.
The Soffid team