Why AD360
 
Solutions
 
Resources
 
 

Privacy Laws: The watchdog of authentication evolution

By Aravind
Published on March 15, 2022

Over 137 countries have implemented data protection or information privacy laws to prevent the misuse of their citizens' personal data. Some of the notable examples of data protection regulation laws include the General Data Protection Regulation (GDPR) , a framework on data protection and privacy that sets guidelines on the procurement and use of personal data by organizations operating in the European Union. Other examples include the California Consumer Privacy Act of 2018 (CCPA) and its amendment, the California Privacy Rights Act of 2020 (CPRA), which will be in force starting on January 1, 2023. Compliance with all of these regulations extends to any organization conducting business in these geographies whether foreign or domestic.

The relevance of implementing data regulation policies in authentication has increased with the emergence of identity and access management. IAM utilizes credentials that are also based on sensitive information related to the user and device characteristics such as facial identity, fingerprints, geographical location and device-related specifications. Organizations are steadily gravitating towards IAM, as a survey by Fortune Business Insights predict that "IAM market is projected to grow from USD 13.41 billion in 2021 to USD 34.52 billion in 2028 at a CAGR of 14.5%."

With privacy regulations set in motion, IAM solutions will be directed to implement ethical cybersecurity practices for processing the personally identifiable information given by users. Some of the core principles that benefit both user and the service include:

Data security by design

An important aspect of privacy regulations is the emphasis on cybersecurity solutions to accommodate data protection measures by default. Article 25 of the GDPR requires security processes to include technical organizational measures such as anonymization and data minimization as a fundamental part of its core functionality. Apart from protecting the rights of subjects, data protection by design can also benefit organizations. Using data minimization, which refers to the collection of an optimal amount of data from the user by a cybersecurity solution, organizations can run an efficient and simplified authentication process without having to deal with overwhelming amounts of data. Handling minimal data also makes businesses less prone to debilitating cyberattacks.

Another strategy to guarantee data minimization is the periodic deletion of data. Article 17(1)(a) directs processors to delete data if it becomes unnecessary for the purpose it was initially collected for. By promptly deprovisioning invalid user accounts, organizations can curb the expansion of threat surface as attackers often use dormant user profiles as entry points to infiltrate networks.

Some of the most important provisions that uphold both data minimization and user consent is the "right to delete" and the "right to know" provisions secured by the CCPA, which empowers users to recall and delete the information collected from them by organizations.

Emphasis on transparency

The privacy laws have established well-defined roles for data protection officer (DPO), who acts as an intermediate between the data subject and the officials who are involved in the processing of personal data. According to Article 39 of the GDPR, the responsibilities of a DPO are:

  • To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  • To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • To cooperate with the supervisory authority;
  • To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

Supervising testing and upgrading systems is the responsibility of DPOs. In addition to ensuring that the organization complies with the regulations, the DPO is also responsible for maintaining accountability by reporting cyberthreats and data breach to the supervising authority of the organization.

Besides that, Article 33 of the GDPR states that in case of a personal data breach, the supervisory authority must be notified by organizations within 72 hours, and if it poses risks to the rights of users involved in it, Article 34 directs organizations to communicate the breach to the latter without delay.

Demarcation of data

Privacy laws have also played a major role in classifying the types of data that are procured by processors. The AB-375 provision of the CCPA has defined personal information as information that identifies, relates to, or could reasonably be linked with you or your household and further specifies it as follows:

Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Biometric information

Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

Geolocation data

  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.

Additionally, the CCPA and the GDPR have also established conditions for the procurement and the processing of personal data pertaining to non-adults. According to Article 8 of the GDPR, the processing of data of a child is deemed lawful only if he or she is at least 16 years old, provided that the data collection is authorized by holder of parental responsibility for the child. Such demarcations are necessary to enforce special protection for children's personal data, as they may not be aware of the implications of such practices.

How authentication systems benefit from data privacy laws

Data protection laws, while providing the user with more control over their private information, do not render authentication systems powerless. Standardization helps formalize the processes that must be followed by organizations delivering cybersecurity-based solutions: eliminating outdated information, threat assessment, and updating the status of security incidents to stakeholders.To summarize, privacy laws prioritize user experience while simultaneously accommodating technological advancements.

Related Stories

 
Chat now
   

Hello!
How can we help you?

I have a sales question  

I need a personalized demo  

I need to talk to someone now  

E-mail our sales team  

Book a meeting  

Chat with sales now  

Back

Book your personalized demo

Thanks for registering, we will get back at you shortly!

Preferred date for demo
  •  
    • Please choose an option.
    • Please choose an option.
  •  
  •  
    This field is required.

    Done

     
  • Contact Information
    •  
    •  
    •  
    •  
  • By clicking ‘Schedule a demo’, you agree to processing of personal data according to the Privacy Policy.
Back

Book a meeting

Thanks for registering, we will get back at you shortly!

Topic

What would you like to discuss?

  •  
  • Details
  •  
    • Please choose an option.
    • Please choose an option.
    Contact Information
    •  
    •  
    •  
    •  
  • By clicking ‘Book Meeting’, you agree to processing of personal data according to the Privacy Policy.