Access management in a post-GDPR world

When it was introduced in May 2018, GDPR radically changed the way that the world viewed data. For area owners in charge of rights management for organisations, an already complex task has been made even more difficult. And with the threat of fines of up to €20 million or four percent of a firm’s global turnover (whichever is greater), the manner in which these area owners handle data has become more important than ever before.

The management of access rights has never been a simple task. It is a complicated process of ensuring that the right people have the correct level of access to certain physical and digital infrastructures. For a small business with a handful of people and few access points, it can be fairly straightforward. At scale, however, it is incredibly difficult to manage – a challenge exacerbated for area owners by the extra pressures of GDPR. Businesses that did not already adhere to the data practices GDPR requires were forced to overhaul their approach in order to be compliant and standardised across multiple sites.

One big difference concerns identities that are no longer associated with the company. Companies could previously get away with forgetting about a former employee with little recourse. One ex-employee’s identity is practically nothing in terms of file size, so it was often easier to do nothing. Under GDPR, that oversight has the potential for serious consequences. Businesses must ensure that they can account for each and every identity on their network, and that they do not retain the information of people with whom they are no longer associated. This is without even mentioning the ‘right to be forgotten’ – which ex-employees are certainly justified in demanding.
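As an added illustration (not from the original article or from Genetec), this is the kind of reconciliation check the paragraph above calls for: compare an access-control-system (ACS) cardholder export from several sites against the HR roster and flag every still-active credential whose holder has left or is unknown to HR. The data, field names and dates are constructed assumptions, not a real vendor schema.

```python
from datetime import date

# Constructed sample data: an ACS cardholder export from two sites and the
# HR roster. Field names are assumptions, not a real vendor schema.
ACS_CARDHOLDERS = [
    {"card_id": "C-1001", "person_id": "E100", "site": "London", "active": True},
    {"card_id": "C-1002", "person_id": "E101", "site": "London", "active": True},
    {"card_id": "C-2001", "person_id": "E101", "site": "Paris", "active": True},
    {"card_id": "C-2002", "person_id": "E102", "site": "Paris", "active": True},
    {"card_id": "C-2003", "person_id": "X999", "site": "Paris", "active": True},
    {"card_id": "C-1003", "person_id": "E103", "site": "London", "active": False},
]
HR_ROSTER = {
    "E100": {"status": "active", "end_date": None},
    "E101": {"status": "active", "end_date": None},
    "E102": {"status": "left", "end_date": date(2019, 1, 31)},
    "E103": {"status": "left", "end_date": date(2018, 11, 30)},
}
REPORT_DATE = date(2019, 3, 1)  # constructed date of this reconciliation run

def orphaned_cards(cardholders, roster, today=REPORT_DATE):
    """Return (card_id, person_id, site, reason) for active cards whose
    holder is unknown to HR or has left; ACS-inactive cards are skipped."""
    findings = []
    for card in cardholders:
        if not card["active"]:
            continue  # already revoked in the ACS
        person = roster.get(card["person_id"])
        if person is None:
            reason = "no HR record for holder"
        elif person["status"] != "active":
            days = (today - person["end_date"]).days
            reason = f"holder left {days} days ago"
        else:
            continue  # active employee, nothing to flag
        findings.append((card["card_id"], card["person_id"], card["site"], reason))
    return findings

def sites_affected(findings):
    """Group flagged card ids by site so each badge office gets its own list."""
    by_site = {}
    for card_id, _person, site, _reason in findings:
        by_site.setdefault(site, []).append(card_id)
    return by_site

if __name__ == "__main__":
    for finding in orphaned_cards(ACS_CARDHOLDERS, HR_ROSTER):
        print(finding)
```

Run on a schedule, the output is the revocation list per site; an empty list is the evidence that every identity on the network is still accounted for.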

While privacy policies and laws (such as the GDPR) have made it harder to steal data, they have also had the side effect of making data breaches even more costly. Within the cybersecurity world, 2018 saw the rise of two particular strains of malware – Emotet and TrickBot. Both are focused on stealing information and on using infected systems to spread to other endpoints. These, along with other information-stealing Trojans, made up a little under half of all malware in 2018, and that figure is only likely to grow going forward.

Within our industry, we are also seeing a surge in mergers and acquisitions that has led to growing interconnectivity. As organisations expand and merge their access control systems (ACS), access rights management becomes increasingly complex. This is especially true when these organisations are driven to move their cardholders onto a one-card solution, to consolidate systems and find new efficiencies to improve their day-to-day operations. Businesses are looking for these efficiencies because the piecemeal approach to security has become overwhelming.

With regulators and hackers now both more intently focused on data and information than ever before, and with area owners seeking a more consolidated system for managing access privileges, a balance must be struck between lowering risk, restricting access and ensuring convenience. But this can be tricky when there isn’t an efficient and consistent way to manage access rights and automate the process. At its extremes, either everyone has access everywhere or administrators are too cautious.

Employees, contractors and visitors rely on access control systems to allow them entry to the areas they need every day. Limiting the ability to make access rights changes might have worked at one time, but it is an impractically clumsy way of operating in the modern day. Should an identity need to request a change (for example, a cleaner who needs to access a floor they wouldn’t normally because they are covering for someone who is off sick), most of the time they will have to visit their badge office or receptionist, further delaying the process. From there, operators often don’t know who should have access to which areas at all times, so they either have to ask or they guess.

This manual approach to the management of access policies can put a strain on an operations team, which then draws focus away from their core responsibility of protecting the company’s people and assets. The manual approach can compromise efficiency, lead to human error and increase the chance of security breaches.

With this in mind, organisations should look for a solution that can standardise and automate their security policies. A centralised system that unifies all of the identities in one clear interface will heighten security – and compliance – without compromising operations and everyday activities within the facility. Through increased operational efficiency, these standardised policies not only proactively protect employees, buildings and assets, but also leave the organisation better equipped to comply with internal and external regulations. This can be achieved with a cloud-based architecture that allows users both to distribute identities across sites and to centralise their policies. This kind of unified solution lowers operational risk by moving away from the manual method, and removes the friction employees face when requesting and receiving access to secure areas.


By Nick Smith, Regional Sales Manager at Genetec
