Is your IAM (Identity & Access Management) GDPR-compliant?

Identity and Access Management always involves the processing of personal data. At a minimum, an e-mail address and a password (or a passwordless equivalent such as a magic link), and usually a username as well, must be transmitted and compared with stored data; a well-designed system stores and compares only a salted hash of the password, never the password itself. Additional data, such as a telephone number or even biometric data, is often needed once two-factor authentication or biometric identification comes into play. Moreover, the access data is the key to all other data the user is allowed to reach: if the IAM system is breached or compromised, identities can be stolen and valuable data leaked.
IAM must therefore always meet data protection requirements, and the GDPR in particular. How can this be achieved?
In principle there are two options: develop an IAM service internally or outsource it to a third party. Both are evaluated below.
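The paragraph above states that the password must be "compared with stored data". What a privacy-conscious IAM system actually stores is the minimum needed for that comparison: the e-mail address and a salted, slow hash of the password, never the password itself. The following is an added illustration written for this page, not code from the original article or from any IAM provider; the scrypt parameters, the record format and the in-memory user store are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed scrypt parameters for the example; tune N/r/p to your hardware and
# threat model. N=2**14, r=8 needs 16 MiB of memory per hash.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.

    Only this record is persisted; the plaintext password never is. Keeping
    the parameters in the record lets them be raised later for new users
    without breaking verification of existing ones.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and
    compare in constant time so that timing does not leak the hash."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=KEY_LEN)
    return hmac.compare_digest(key, bytes.fromhex(hash_hex))


# Constructed in-memory "user store" for the example. Note how little personal
# data it holds: the e-mail address as key and the hash record as value.
USERS: Dict[str, str] = {}


def register(email: str, password: str) -> None:
    USERS[email.strip().lower()] = hash_password(password)


def login(email: str, password: str) -> bool:
    record = USERS.get(email.strip().lower())
    if record is None:
        # Hash anyway so that response time does not reveal whether the
        # e-mail address is registered (account enumeration).
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    register("alice@example.com", "correct horse battery staple")
    print(login("alice@example.com", "correct horse battery staple"))  # True
    print(login("alice@example.com", "wrong password"))                # False
    print(login("nobody@example.com", "anything"))                     # False
```

Two details matter for data protection as much as for security: the stored record is useless to an attacker without a brute-force effort proportional to the scrypt cost, and the store contains nothing beyond what the comparison needs, which is the data-minimization principle applied to credentials.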
Do it yourself (DIY) IAM and its pitfalls
Developing your own identity and access management solution can be easy at first if all you need is a simple login function. However, later requirements such as single sign-on, enterprise login, social login, passwordless authentication, biometrics or two-factor authentication can dramatically increase the complexity.
Moreover, with a self-developed IAM solution, compliance with privacy requirements becomes difficult once the system grows beyond a certain size. The IAM solution must not only be developed in accordance with data protection requirements; it must also be kept up to date with the state of the art. At the same time it must be scaled, extended in functionality, and operated across different domains. This is often not economically feasible, and the difficulties multiply if the task falls to an IT department that actually specializes in other applications.
The result is that a solution, once developed, often stagnates and is not adequately maintained for years. Yet running outdated software that no longer reflects the state of the art falls short of the security obligations of Art. 32 GDPR and is in itself a data protection violation. Supervisory authorities have already issued fines in comparable cases. Worse, in the event of a data breach this can easily lead to personal liability of directors and managers.
Depending on the number of managed users and the sensitivity of the data, an IAM solution must also be monitored and audited in operation. Regular penetration tests may be required. In many cases certifications are necessary as well, and extensive documentation requirements must be met. Compliance must be demonstrated in data protection audits.
Outsourcing the Identity and Access Management
A good solution to these problems is to outsource IAM to a specialized Platform as a Service (PaaS) provider. These cloud-based providers implement the common standards such as OpenID Connect, offer scalable solutions and develop them continuously.
Challenges of outsourcing IAM to a US provider
However, data protection pitfalls lurk here as well, because almost all relevant IAM providers are based in the USA. Transferring data to such a company is a transfer to a third country: the USA lies outside the EU/EEA, where the GDPR's protections do not apply directly, so the transfer needs a legal basis of its own and is only permitted under certain conditions. One option is the EU Commission's standard contractual clauses (SCC), a model contract by which the parties to a data transfer contractually commit to European data protection standards. With these clauses in place, personal data can be transferred to third countries without further approval from the supervisory authorities, but only if the laws and practices in the recipient's country allow the data importer to fulfill its obligations under the SCC; in other words, only if those obligations are not undermined by the applicable law.
For companies based in the USA, that is typically the case. They are subject to US laws such as the Patriot Act and the CLOUD Act, under which US authorities and intelligence agencies can compel IAM providers to hand over data, including that of European customers. This applies even if the data is stored on European servers, because the CLOUD Act reaches data in a US provider's possession or control regardless of where it is stored. European servers alone are therefore not a GDPR-compliant solution.
Partial outsourcing or using a European third party
In general, outsourcing has many advantages over in-house IAM. However, since there are not many relevant GDPR-compliant providers, partial outsourcing can be considered: a third-party open-source solution is deployed on the company's own servers. This keeps the data under the company's control, but the challenges of doing it yourself remain, since the company must still operate, patch, monitor and test the software.
A European IAM solution is needed
In summary, the only solution that combines the advantages of outsourcing to a cloud-based or cloud-native provider with data processing inside the European Union is to choose a European provider. Together with the usual controller obligations, such as a data processing agreement with the provider under Art. 28 GDPR, this achieves compliance with the GDPR.
In addition, the organization needing an IAM solution can be confident that its users' data is adequately protected and that the processing complies with applicable law, without having to employ specialized experts to build and maintain a DIY IAM solution.
A desirable situation indeed.