Is your Identity & Access Management (IAM) GDPR-Compliant?


Identity and Access Management always involves the processing of personal data. This is because credentials such as an email address and password, or, in the case of passwordless logins, a magic link, must be transferred and compared with stored data. Additional data, such as a phone number or even biometric data, is often required when two-factor authentication or biometric identification comes into play. In addition, the access data is the key to all other data to which the user has access. If the Identity and Access Management system is breached or compromised, identities may be stolen or valuable data exposed.

IAM must therefore always comply with data protection requirements, especially the GDPR. How can this be achieved?

Of course, there is always the option to develop an IAM service internally or to outsource it to a third party. Both cases are evaluated below.

Do it yourself (DIY) IAM and its Pitfalls

Developing your own identity and access management solution can be easy if you only need a simple login function. However, later requirements to add additional functionality, such as single sign-on, enterprise login, social login, passwordless authentication, biometrics, two-factor authentication, etc., can dramatically increase the complexity.

In addition, with a self-developed IAM solution, compliance with privacy requirements becomes difficult once the system exceeds a certain size. This is because the IAM solution must not only be developed in accordance with data protection requirements. It must also always be kept up to date with the latest technology. At the same time, the solution must be scaled, expanded in terms of functionality, and operated on different domains. This is often not economically feasible. Further complexities arise if the task has to be performed by an IT department that actually specializes in other applications.

As a result, once a solution is developed, it often stagnates and is not updated for years. However, using outdated software that does not meet current requirements is in itself a breach of data protection. The data protection authorities have already imposed fines in similar cases. Worse still, in the event of a data breach, this can easily lead to directors and managers being held liable.

Depending on the number of managed users and the sensitivity of the data, an IAM solution must also be monitored and checked during operation. Regular penetration tests may be required. In many cases, certifications are also necessary and extensive documentation requirements must be fulfilled. Compliance must be demonstrated in data protection audits.

Outsourcing the Identity and Access Management

A good solution to these problems is to outsource the IAM to a specialized Platform as a Service (PaaS) company. These cloud-based companies are familiar with common standards such as OpenID Connect, have scalable solutions and are constantly developing them further.

Challenges of IAM Outsourcing With US Solutions

However, data protection pitfalls lurk here as well. This is because almost all relevant IAM providers are based in the USA. If data is transferred to these companies, this constitutes a data transfer to a third country, since the GDPR does not apply in the USA.

In the past, such transfers have been cumbersome and complicated because of the need to use standard contractual clauses (SCCs) as a transfer tool. The situation has changed for the better with the EU Commission's adequacy decision, which allows transfers without having to assess each case individually.

However, this is only true if the recipient of the data is actually certified under the EU-US Data Privacy Framework (DPF), which is not always the case. Moreover, the EU-US DPF has not yet been tested in court. This is important because the European Court of Justice has struck down two previous transfer mechanisms that were very similar to the current one. To put it bluntly, it is by no means certain that the EU-US DPF will prevail.

What's more, the transfer mechanism leaves intact U.S. laws such as the Patriot Act and the CLOUD Act. These force IAM providers to hand over data, including that of European customers, to U.S. authorities and intelligence agencies upon request. Unfortunately, this is true even if the data is stored on European servers. Therefore, European servers alone are not a GDPR-compliant solution. For this reason, data transfers to the US will continue to be an issue for organizations that process sensitive data.

Partial Outsourcing by Using a European IAM Provider

In general, outsourcing has many advantages over in-house IAM. However, since there are not too many relevant GDPR-compliant vendors, partial outsourcing can be considered. With partial outsourcing, a third-party open source solution is used and deployed on the company's own servers. This can be compliant, but the challenges of the do-it-yourself approach described above still apply and must be handled properly.

A European IAM Solution is Needed (And We’ve Got One)!

In summary, the only viable solution is to choose a European provider for the IAM solution. This way, the benefits of outsourcing to a cloud-based or cloud-native solution provider are combined with data processing in the European Union. GDPR compliance is achieved.

In addition, organizations that need an IAM solution can be confident that their users' data is adequately protected, and that data processing is compliant with applicable laws. In addition, they do not need to hire specialized experts to build and maintain an adequate DIY IAM solution.

A desirable situation indeed.

Note: This article was first published in April 2022 and last updated and corrected in March 2024.