January 16, 2018 Blogby Corné van Rooij

IAM will never be the same with GDPR - Part 1 of 9

Long time, Identity and Access management was all about managing a user’s identity lifecycle, often an employee. Role-based access control (RBAC), identity governance, role mining and cross-domain SSO were top of mind for every IAM expert.  While this is not over and behind, we see a new topic that will shape the world of IAM forever and this time, it comes out of Europe and is called GDPR.

Ever heard of GDPR?

The European Union General Data Protection Regulation took about 4 years of negotiation, is 200 pages long and entered into force April this year. It will be in full force 25th May 2018 for all EU countries, no ratification is needed. So you can’t get around it, and by the way, Brexit will not be finished so also UK citizens will be protected by this law.

Now you might say, so what, is this something new and does this have a relationship with IAM? Yes, it does. And big time too! It will affect all business with civilians, consumers, individuals, that have a need for having or handling personal data. It’s all about how you gather, store, protect and life cycle that data... so it’s almost all about IAM. And unless your e-business is not towards consumers nor do you have the need to know them, you will be affected by too many if not all of the aspects of this law.


25th May 2018, we have a lot of time...

Yes, you don’t need to be compliant with handling identity-related information till 25th May 2018. But you need to do a lot to get there and it’s not unrealistic to say you need at least a year to shape the IAM around your companies e-Business to be compliant and don’t risk fines that can lead up to €20m or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater. 


Download GDPR Readiness Master Toolset


In the next months, we will take one of the 8 topics below that need to be addressed with IAM to be GDPR compliant. This law is for once not about ‘ticking the boxes’ but all about taking good care of your customer’s privacy, protect his/her personal data and be transparent on what you do with it and how you use it. If you do it right, they will love you for it and it will make your business more trustworthy. Never before, IAM was on the COOL side of IT and closer to your company’s core business as ever.

In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on IAM. 

  1. Why IAM will never be the same.
  2. When should consent be requested?
  3. Why transparency is key to building trust.
  4. Strict regulation of automated individual decision making.
  5. What is sensitive personal data?
  6. Privacy by Design & Data protection by Design.
  7. Special rights for the individual like “right to be forgotten”
  8. Data breach communication.
  9. Children's privacy under GDPR.

Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via marketing@iwelcome.com

Corné van Rooij

Corné van Rooij VP Product & Strategic Alliances at iWelcome and IAM GDPR Specialist

VP Product & Strategic Alliances at iWelcome

Corné has been working in the security market for more than 20 years of which the last 15 years at two well known Identity Management Vendors.