Management of Lawful Bases for Data Processing
A GDPR feature enhancing midPoint’s abilities in connection with lawful basis
Identity management and governance take care of processing personal information according to the internal policies of organizations. However, privacy legislation has not been particularly strong or consistent, and it often was not strictly enforced. This will all change when the General Data Protection Regulation (GDPR) becomes enforceable.
According to GDPR, there must be a lawful basis for data processing, in the form of an employment contract, a business contract or another legitimate interest. Otherwise, the personal information cannot be processed. Most organizations already have a lawful basis to process personal information; however, these bases usually do not cover all situations.
The lawful bases for processing may overlap, therefore we cannot simply delete the data when a specific lawful basis expires. We need to consider all the active lawful bases to manage the data properly. A lawful basis may also remain active after the original contract expires. For example, it is a common practice and even a legal requirement to retain employee data for several years after the employee leaves. However, if there is no other lawful basis for processing that data, it may still be required to erase the data once the retention period is over.
Individuals also have the right to request information about the processing of their data, known as a subject access request (SAR). GDPR gives data subjects (users) the right to request very broad information about the processing of their data. GDPR also prohibits charging any fee for subject access requests (unless they are manifestly unfounded or excessive). Therefore, the best strategy is to automate most of the SAR data processing to keep the process as efficient as possible.
However, many current IT applications do not understand the concept of a lawful basis. Some applications have a means to specify account expiration, but the vast majority of them cannot handle several overlapping “bases” for an account. A typical enterprise IT environment is composed of tens or even hundreds of applications, therefore manual management of such data is very likely to be infeasible.
Fortunately, a convenient solution has existed for years in the form of identity management and governance. IDM systems can already reach all the crucial applications and manage identity data. This is exactly what is necessary to implement proper data protection methods. All that is needed is a modification of the existing approach to provide proper user interfaces and additional mechanisms to support data protection.
The regulation is not the only reason to implement good data protection mechanisms. There is a huge overlap of data protection and information security. The accounts that belong to former employees should be deprovisioned due to data protection regulation and also good security policies. The implementation of data protection mechanisms and information security goes hand-in-hand.
Solution: Lawful Bases for Data Processing
We propose to enhance midPoint to improve the support for lawful bases for data processing and thus support GDPR compliance. As there is a significant overlap between data protection and information security, midPoint already has a basic implementation of these mechanisms. We plan to reuse these existing midPoint mechanisms to support the methods required by GDPR. This includes:
- New concept of data protection scope that can be used to model lawful bases for data processing.
- Seamless integration with existing RBAC roles, as many existing lawful bases will have a one-to-one correspondence with existing RBAC roles (such as an “employee” role) or organizational units.
- New user interface for data protection officers to easily determine and manage lawful bases for existing users.
- Automated processing of overlapping lawful bases with various parameters and time validity.
- Process for erasure and archival of identity data when the last active lawful basis for data processing disappears.
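The overlap logic described above (several lawful bases with their own validity and retention windows, erasure only when the last one lapses, and the data needed to answer a subject access request) can be made concrete in a few lines. The following is an added illustration written for this page, not midPoint code and not the proposed midPoint data model; the basis names, the `retention_days` field and the sample subject are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class LawfulBasis:
    """One lawful basis for processing a subject's data, with its time validity."""
    name: str                  # assumed naming scheme, e.g. "employee-contract"
    valid_from: date
    valid_to: Optional[date]   # None means open-ended (no planned end)
    retention_days: int = 0    # post-expiry retention required by law or policy

    def justified_until(self) -> Optional[date]:
        """Last day this basis still justifies keeping the data (None if open-ended)."""
        if self.valid_to is None:
            return None
        return self.valid_to + timedelta(days=self.retention_days)

    def justifies(self, on: date) -> bool:
        """True if the basis, or its retention tail, covers the given day."""
        end = self.justified_until()
        return self.valid_from <= on and (end is None or on <= end)


def active_bases(bases, on: date) -> list:
    """Names of all bases justifying processing on the given day; overlaps are kept."""
    return [b.name for b in bases if b.justifies(on)]


def may_erase(bases, on: date) -> bool:
    """Erasure is permitted only once no basis (including retention) remains."""
    return not active_bases(bases, on)


def earliest_erasure_date(bases) -> Optional[date]:
    """First day on which erasure becomes permitted; None while any basis is open-ended.
    With no bases at all there is nothing justifying the data, so date.min is returned."""
    ends = []
    for b in bases:
        end = b.justified_until()
        if end is None:
            return None
        ends.append(end)
    if not ends:
        return date.min
    return max(ends) + timedelta(days=1)


def sar_summary(bases, on: date) -> dict:
    """Machine-generated part of a subject access request answer for the given day."""
    erasure = earliest_erasure_date(bases)
    return {
        "as_of": on.isoformat(),
        "active_bases": active_bases(bases, on),
        "lapsed_bases": [b.name for b in bases
                         if b.valid_from <= on and not b.justifies(on)],
        "scheduled_erasure": erasure.isoformat() if erasure else None,
    }


# Constructed sample subject: a former employee who also consented to a newsletter.
SAMPLE_BASES = (
    LawfulBasis("employee-contract", date(2015, 1, 1), date(2018, 3, 31),
                retention_days=1096),   # constructed: data kept until 2021-03-31
    LawfulBasis("consent:newsletter", date(2017, 6, 1), date(2019, 12, 31)),
)

if __name__ == "__main__":
    for day in (date(2019, 6, 1), date(2020, 6, 1), date(2021, 4, 1)):
        print(day, "active:", active_bases(SAMPLE_BASES, day),
              "erase:", may_erase(SAMPLE_BASES, day))
    print(sar_summary(SAMPLE_BASES, date(2020, 6, 1)))
```

Note that the employee contract keeps justifying the data for its whole retention tail even though the contract itself has ended, while the consent lapses on its own end date; the subject becomes erasable only on the day after the later of the two. An open-ended basis (for example a standing legitimate interest) blocks any scheduled erasure date, which is exactly the case a data protection officer's interface would need to surface.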
The management of lawful bases will be integrated into the existing midPoint user interface and, in fact, into the entire midPoint core, as this is an extension of existing midPoint mechanisms. The management of lawful bases will also be seamlessly integrated with the proposed consent management functionality, as consent is just one of many possible lawful bases for information processing. Help us realize this idea by giving us your vote!
If you have any questions about this feature, please do not hesitate to contact us.