Privacy and IAM: What You Need to Know

August 21, 2019

From credit agency breaches and stolen credit cards to GDPR and social media data, privacy has been very much in the news lately—and it’s an issue undoubtedly on every CEO’s mind. A Gartner survey ¹ found that concerns about “rapidly accelerating privacy regulations” have become the top emerging risk for executives.

Although most clients come to Integral Partners seeking solutions around identity management, privileged access, and governance, cybersecurity is a broad and interconnected domain. Many of our clients are also tackling privacy issues, and they’re wondering how IAM and privacy overlap.

We like to help our clients see around corners, so we wanted to share our thoughts on the topic of privacy. We hope these considerations will help you anticipate and plan for future trends, events, regulations, and strategy.

Customer vs. Worker Privacy

When it comes to identity and access management (IAM), we see essentially two kinds of privacy: customer privacy and worker privacy. How are they different? From an organization’s perspective, customers are the people who pay you for your services, while workers are the people you pay for their services.

Many organizations currently treat customer and worker data alike: they apply the same rules and regulations that were developed for workers’ identities to customers, too. Yet these datasets are very different, and they require different tools to manage their controls. For example, most IAM systems typically don’t manage the customer data lifecycle; they manage the workers who manage those customers, and who have access to those customers’ data. At a retail company, for example, an IAM system would manage employees with access to data in a customer rewards program. At a healthcare company, where patients are considered the customers, IAM solutions would manage the workers who might have access to patient data.

Customer Privacy Is Top of Mind

In many companies, customer data is considered to belong to whichever business group—often sales or marketing—that interacts with and manages the customers. (This is in contrast to worker data, which typically is seen as the purview of IT.) Customer data is frequently fed into business intelligence, marketing data, and other applications, which makes it enormously useful for companies but complicates the process of safeguarding its use. As a result, many organizations’ IT groups have not yet taken on the responsibility and risk of protecting customer data. But this is shifting, due to the introduction of new rules and expectations around how customer data is handled.

Customer privacy is top of mind for many executives today because breaches of customer privacy fill the headlines. These breaches range from hacks and security holes to third-party negligence and insider leaks. Such violations have become common, costing companies billions of dollars and sometimes costing CIOs or CEOs their jobs. Many executives don’t even know where their customer identities are kept or who has access to customer data, yet ultimately they are responsible for its safety.

GDPR’s Impact on Customer Privacy

The General Data Protection Regulation, which went into effect in the European Union in 2018, prescribes rules for how organizations collect, manage, and protect citizens’ personal data. For example, data collection must be disclosed, stored data must be anonymized, and data usage must be done only with individuals’ informed consent. The law requires organizations that process user data to designate a “data protection officer” responsible for GDPR compliance, and violations of GDPR can result in significant financial penalties. GDPR also provides citizens with the “right to be forgotten,” in which individuals can request that certain kinds of information be deleted from company records.

Although GDPR is an EU law, it applies to any multinational organization that “processes” data on individuals inside the EU. Many US-based organizations already are complying with GDPR; in fact, any company whose website is available to European visitors already has modified its terms of service. What’s more, many companies now assume that similar regulations will arrive soon in the US. Each time there’s an instance of companies betraying customers’ trust or misusing their users’ data, it increases the volume of voices calling for the US to implement requirements similar to GDPR.

Many companies are struggling with GDPR compliance because the controls required to “forget” a user’s data set don’t yet exist, and the methods necessary to create them will be complex and costly to implement. In the meantime, companies are trying to figure out how to maintain a good reputation for protecting customer data while not being penalized by government agencies when they’re audited. American companies are wary that GDPR is coming this way, and some are scrambling to prepare.

Worker Privacy

Although worker privacy often is perceived as less of an issue than customer privacy, it’s still very much on the dashboard of executive concerns. Shifting opinions about how customer data is handled are influencing the consensus about how worker data should be managed, too.

The privacy of worker data typically has been the domain of security and administrative protocols. When employees accept a position at a company, they enter into a contract with their employer and acknowledge the need for some amount of collection and storage of their private data. Technology solutions have evolved to help companies safeguard this worker data, ensuring that it’s protected from outside breaches and accessed only by the right people inside the company, at the right time. This is the domain of IAM.

Workers traditionally have perceived that they have less right to stipulate how their employee data is used than their consumer data. There’s no “right to be forgotten” when it comes to worker privacy, and in fact many organizations are bound to retain employee data, even after the worker has left the company, for tax and legal purposes. Yet many workers increasingly feel a sense of ownership about the identities sitting in their employer’s HR database. This could be the influence of the growing consumer privacy-rights movement, but workplace demographics may be responsible, too. While older generations accept that companies will keep information about them, Millennials don’t necessarily make this assumption, despite giving away a great deal of information in their personal lives.

As employers utilize their workers’ data in new ways—for example, connecting personal fitness trackers to company incentive programs, using individuals’ thumbprints as access mechanisms, or installing monitoring software on company-issued laptops—the questions about appropriate data management will only escalate.

Changes Around the Corner

How many customers actually read the terms of service for the companies they patronize? How many companies are transparent with customers about their data and how it will be used and stored? To-date there’ve been few repercussions for companies that suffer privacy breaches, because many consumers seem to feel that the benefits outweigh the costs—that the forfeiture of privacy is the price they pay for access to the technology.

However, as both customers and companies become more aware of and educated in the issues surrounding privacy, the headlines will likely have legal ramifications. Gartner predicts that “by 2020, the backup and archiving of personal data will represent the largest area of privacy risk for 70% of organizations, up from 10% in 2018”.

Problem-solving privacy issues isn’t likely to be quick or easy. Some companies will advocate for customer and worker privacy, and some won’t. People will increasingly demand privacy, while companies work to comply with that demand. Companies will realize that they need to identify clear ownership of the data, ensure that it’s centrally managed, and enforce controls, regulations, and workflows in a consistent, secure way. And they will understand that differences between worker privacy and customer privacy may require different solutions and expertise.

Recommendations for Privacy Considerations

Following are some ideas for where to begin thinking about privacy issues inside your organization.

  • Engage executive leadership, to get support and sponsorship for efforts around privacy, and setup regular meetings with executive stakeholders for guidance and decision making as the work progresses.
  • Consider where your customer data sits, and who owns it. Is Marketing or Sales the custodian of your customer data, or does it live with a different department? What employees or third parties have access to it?
  • Determine what regulations or controls apply to your customer data, both now and in the future. If you’re a healthcare company, for example, it’s not just HIPAA that you need to consider—GDPR may soon be in your rear view mirror.
  • Determine what policies are in place for privacy. Privacy policies for customer data should be distinct from internal user data privacy, as the regulations and expectations around each are unique. Review existing policies, and fill the gap on any missing policies. Ensure that the right level of authority has a voice in policy design that involves risk and security.
  • Reassess. As a result of reviewing these regulations and controls, what did you discover you don’t know, and need to know? What needs to change about how your customer data is stored and accessed?
  • Ensure that you have a centralized IAM system of controls for all your worker data—this means not just employees, but contractors, partners, and vendors. Automation, audit-compliance, and regular policy review are table stakes; even better is a roadmap and strategy for how your organization plans to tackle oncoming regulatory changes.
  • Find someone who can provide guidance in developing a strategy. Compliance people tend to be very focused on the present, for example, whereas companies need to be thinking about the near-term and long-term future. What are customers asking for now, and what will they want a year from now? If companies can anticipate and be prepared for these demands and concerns, they can respond more quickly at a lower cost.