Identity audit: how to be a good steward of customer data and privacy rights


Careful handling of customer data has become more necessary in recent years, thanks to the enactment of strict privacy laws like the GDPR and the CCPA, and more regulations in this direction are expected to come into force in 2023.

Now is the time for your organization to ensure that its customer data collection, retention and related policies comply with privacy rules and regulations. Here’s why and how to perform an identity audit, and how customer identity and access management (CIAM) solutions can help.

Requirements of privacy laws and regulations

“The days of treating a client as a static combination of account and password are long gone,” states an unpublished white paper prepared by Ping Identity. “The need to manage entitlements, privileges, grants and consents throughout the lifetime of a customer’s relationship with your brand is clearly incumbent upon us.”

Nowhere is this truer than in Europe, where the General Data Protection Regulation (GDPR) is mandatory in all 27 member states of the European Union, plus the UK, Norway, Iceland and Liechtenstein.

The GDPR applies to organizations with customers in one of the signatory countries, regardless of where the organization itself is physically located. If your business sells goods or services, registers users, or even just assigns browser cookies to people in Western or Central Europe, it must comply with the GDPR.

The law states that all consumers should know whether personal information will be collected and how it will be used, and allows consumers to opt out of data collection. It also allows consumers to directly request or make changes to their stored data, including correcting it, deleting it completely, or retrieving it in machine-readable form for transfer to another service.

“All of the organization’s plans and policies – for example, Data Protection Plan, BYOD Policy, Incident Response Plan and Business Continuity Plan – must be GDPR compliant,” wrote Dimitar Kostadinov from the Infosec Institute in a 2018 blog post.

Most importantly, organizations need to document their GDPR compliance, which requires regular privacy and identity audits. Heavy fines can be levied against companies that fail to comply, with the most severe penalty possible being 20 million euros ($20.4 million) or 4% of worldwide turnover, whichever is greater.

Tiny Luxembourg fined Amazon 746 million euros ($762 million) for compliance violations in 2021, the biggest GDPR penalty yet. Facebook and WhatsApp were together fined at least 285 million euros ($291 million). Google and its subsidiaries have been fined at least 200 million euros ($204 million) by the French data protection office.

On this side of the Atlantic, the California Consumer Privacy Act (CCPA) became law in 2020. It is less stringent than the GDPR, giving consumers less control over their personal data and imposing lower fines.

However, the California Privacy Rights Act (CPRA) supersedes the CCPA and takes effect on January 1, 2023. It gives consumers many of the same powers as the GDPR, including the right to correct, delete, or transfer personal information. Colorado, Connecticut, Utah and Virginia also have privacy laws similar to the CPRA, all of which will enter into force in 2023.

In the meantime, old customer data laws and regulations must still be adhered to. The United States has the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA), while Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations that accept credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS).

How to perform an identity audit

The best way to prove compliance with privacy laws is to perform an identity audit, which Oracle defines as “the systematic capture, analysis, and response to identity data across an enterprise to ensure compliance with internal and external policies and regulations”.

According to Oracle, the objectives of identity auditing include detecting and correcting compliance violations; identifying duplicate or conflicting accounts; providing feedback on the effectiveness of internal controls; preparing comprehensive audit reports; and finally, certifying compliance.

Identity audits can be seen as an extension of privacy audits, designed in the 2000s to comply with HIPAA and other existing data protection laws. Today, in the wake of GDPR and CCPA, the terms are often used interchangeably, although identity audits can involve customer account management, especially when combined with CIAM solutions.

“Privacy audits must be transparent and demonstrate that organizations are doing what they claim, especially as customer information has gone from scarce to incredibly abundant,” wrote Patrick Mallory of the Infosec Institute in 2019.

In order to perform an identity audit, your organization must determine:

  • Exactly which data privacy laws, regulations or frameworks must be adhered to
  • How, why and what types of customer personal data are collected, processed and stored
  • How consumer data is protected, such as what type of encryption is used both at rest and in transit
  • How consumer personal data flows through your organization and if it is shared with third parties
  • How the collection, processing and storage of customer data is documented and recorded
  • What types of consent a customer must provide for the use of personal data
  • How personal data is disposed of when the user revokes consent or terminates an account
  • How employees are trained to process customer personal data
  • What type of mitigation is appropriate for any compliance violation

Auditing can be done manually with questionnaires and spreadsheets, but it can be time-consuming. In an April 2021 blog post, Garret Grajek of YouAttest estimated that a manual audit could take half an hour per identity, which is a daunting task when thousands of individual user accounts are involved.
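As an added illustration (not code from the article or from any vendor it mentions), here is a small Python audit that automates three of the checks listed above over a constructed account inventory: duplicate accounts behind one email address, personal data still held after consent was withdrawn, and personal data not encrypted at rest. The 30-day erasure grace period, the audit date and the field names are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
ERASURE_GRACE = timedelta(days=30)  # assumed grace period for erasure after consent is withdrawn
AUDIT_DATE = date(2022, 12, 1)      # constructed "today" for the audit run

@dataclass
class Account:
    account_id: str
    email: str
    consent_revoked_on: Optional[date]  # date consent was withdrawn, None if still given
    pii_retained: bool                  # personal data is still stored for this account
    pii_encrypted_at_rest: bool         # that stored personal data is encrypted at rest

def normalize_email(email: str) -> str:
    # Case-fold and trim so 'Alice@Example.com ' and 'alice@example.com' are one identity.
    return email.strip().lower()

def find_duplicate_accounts(accounts):
    """Accounts sharing one email address: Oracle's 'duplicate or conflicting accounts'."""
    by_email = defaultdict(list)
    for acct in accounts:
        by_email[normalize_email(acct.email)].append(acct.account_id)
    return {email: ids for email, ids in by_email.items() if len(ids) > 1}

def find_overdue_erasures(accounts, today=AUDIT_DATE):
    """Consent withdrawn, yet personal data is still held beyond the grace period."""
    return [a.account_id for a in accounts
            if a.consent_revoked_on is not None and a.pii_retained
            and today - a.consent_revoked_on > ERASURE_GRACE]

def find_unencrypted_pii(accounts):
    """Accounts holding personal data that is not encrypted at rest."""
    return [a.account_id for a in accounts if a.pii_retained and not a.pii_encrypted_at_rest]

def run_identity_audit(accounts, today=AUDIT_DATE):
    """One report dictionary the auditor can attach to the compliance record."""
    return {
        "duplicate_accounts": find_duplicate_accounts(accounts),
        "overdue_erasures": find_overdue_erasures(accounts, today),
        "unencrypted_pii": find_unencrypted_pii(accounts),
    }

# Constructed sample inventory; none of these are real customers.
SAMPLE_ACCOUNTS = [
    Account("A1", "alice@example.com", None, True, True),
    Account("A2", "Alice@Example.com ", None, True, True),               # same person as A1
    Account("B1", "bob@example.com", date(2022, 9, 1), True, True),      # revoked, data still kept
    Account("C1", "carol@example.com", None, True, False),               # data not encrypted at rest
    Account("D1", "dave@example.com", date(2022, 11, 20), False, True),  # revoked and already erased
    Account("E1", "erin@example.com", date(2022, 11, 20), True, True),   # revoked, still within grace
]
```

Calling `run_identity_audit(SAMPLE_ACCOUNTS)` yields the three finding lists; in a real deployment the inventory would be exported from the CIAM platform rather than constructed inline.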

How a CIAM solution can help you

CIAM solutions provide automated platforms to manage customer identities and their access to an organization’s public-facing websites and mobile applications, delivering a smooth and seamless user experience while enhancing security and privacy. Many CIAM solutions also provide identity verification, which links accounts to real people, and are designed to be GDPR and CCPA compliant.

However, CIAM vendors are only beginning to implement automated identity auditing into their platforms. Ping Identity calls this “one of the biggest technology and process gaps associated with customer experience and security.”

Ideally, a CIAM-driven identity audit should highlight compliance violations and issues with customer accounts, merge multiple accounts held by the same person, and provide auditors with the data they need. But it may take a few years for such features to become standard among CIAM solutions, despite their obvious necessity.

“We are rapidly moving towards a world where there is no workforce identity, no customer identity, and no citizen identity,” Ping’s whitepaper says. “There is only one digital identity where these silos have collapsed into each other.”
