
Keeping Up with Data Protection Regulations Thanks to IAM Solutions

Driven by digital transformation, companies are subject to an ever-increasing number of regulations. At the same time, technology is part of the solution. Learn how identity and access management helps comply with legal requirements such as FADP, GDPR, and DORA.

Digital identities are a core element of a company’s IT landscape. These identities and their access rights need to be carefully managed. The factors that are involved in identity and access management (IAM) have been described in our blog «What Is Digital Identity Management and How Do You Master It?».

One of the challenges of IAM is compliance with regulatory requirements. While companies using IAM are subject to, for example, data privacy and protection laws, IAM also helps ensure compliance with legal requirements. 


Regardless of industry or size, regulatory and security compliance is a challenge that all organizations face – and one that is becoming increasingly complex due to the ever-rising number of regulations and laws.

Join us on our journey to cover some of the most important cybersecurity regulations and discover how IAM solutions help not only with compliance but also with keeping digital identities safe.

In this first part, we will take a closer look at the Swiss Federal Act on Data Protection (FADP) and the European General Data Protection Regulation (GDPR), as well as the Digital Operational Resilience Act (DORA).  

FADP and GDPR

A general overview of user rights

The Federal Act on Data Protection

Any Swiss-based or international company dealing with data related to Swiss residents must comply with the Swiss Federal Act on Data Protection. A federal law, the FADP aims to protect the privacy and fundamental rights of Swiss citizens, granting them certain rights.

The General Data Protection Regulation

GDPR is the European Union’s privacy and security law that reflects the EU’s strong commitment to data protection. It imposes strict obligations on any organization that targets or collects data from EU residents, ensuring the protection of their data and digital identities. 
 
These are the most important user rights organizations need to respect under both FADP and GDPR: 


  • Right to information 
    Any individual may request information from the controller of a data file as to whether their personal data is being processed. They must be provided with essential details for asserting their rights, including the identity of the controller, the data as such, purpose and duration of data storage, the sources of the personal data, potential automated decisions, and (if applicable) any recipients of the data.  
  • Clear and informed consent 
    Individuals have the right to decide whether a company is allowed to use their personal data. Organizations must provide clear information on the data collection purposes, the intended use, and retention time before or at the time of the collection. This ensures individuals understand how their data will be used. Generally, «opt-in» consent is required, i.e., individuals must agree to data processing.
  • Right to object to processing  
    Individuals can object to data processing when their objection is based on legitimate interests or when data processing is intended for direct marketing purposes. Organizations must then demonstrate compelling legitimate grounds to continue processing.
  • Right to data portability  
    Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format. This allows them to easily transfer their data between different data controllers/processors.
  • Right to erasure (right to be forgotten)  
    Under certain circumstances, individuals have the right to request the deletion of their personal data. For example, if the data is no longer necessary for its original purpose, consent has been withdrawn, or there's no legal basis for processing it.  

A general overview of company obligations 

The rights of individuals entail a number of obligations and requirements for organizations and private companies in Switzerland and the EU. For example: 


  • Duty to inform when obtaining personal data 
    The data controller must inform individuals about data collection, including the identity of the responsible persons, the purpose of data collection, and (if applicable) the recipients. If data isn’t collected directly from the individual, the controller must specify data categories and, if transferred abroad, disclose the destination and applicable safeguards. Notification must occur within one month of data receipt or at disclosure if earlier, ensuring transparency and user rights. 
     
    The obligation to inform does not apply if the individual already has the necessary information, if processing of the data is legally mandated, or if confidentiality laws apply. Other exceptions include overriding third-party or public interests, legal confidentiality obligations, and public security needs.
  • Data protection impact assessment 
    Private and public-sector data controllers must carry out a data protection impact assessment (DPIA; under GDPR also referred to as a privacy impact assessment, PIA) if data processing is likely to result in a high risk to the personality or fundamental rights of the data subjects.
  • Breach notifications 
    FADP requires organizations to report cyberattacks or security breaches to users, the Federal Data Protection and Information Commissioner (FDPIC), and all potentially affected stakeholders as soon as possible. Under GDPR, a data breach must be reported within 72 hours.
  • Privacy by design and default 
    Organizations must apply security and data protection principles from the planning and design stage of applications onwards, keeping the privacy of users in mind. This applies to all software, hardware, and services.

How does an IAM solution help with FADP and GDPR compliance?

IAM solutions and well-structured processes effectively support organizations in meeting key requirements of FADP and GDPR:  

How IAM helps with FADP and GDPR compliance

Topic | FADP / GDPR requirement | IAM benefit
Data security and confidentiality | Protecting personal data from unauthorized access, for example, by enforcing the least privilege principle | Enforces strict user access control mechanisms, including role-based access control
Data minimization and purpose limitation | Collecting personal data requires a specific purpose and should be limited to a minimum | Allows organizations to implement policies that restrict access based on purpose and revoke access when no longer needed
Privacy by design and default | Considering security and data protection principles already at the design stage of applications | Embeds privacy protection measures into systems and processes by default
User rights management | Enabling individuals to request that incorrect personal data be corrected | Provides mechanisms for individuals to access data, rectify inaccuracies, and request deletion
Auditability and accountability | Proving compliance with data protection requirements | Allows organizations to track and verify who accessed personal data and when, thanks to detailed logs
Data breach response | FADP: reporting any data breach to the FDPIC as soon as possible; GDPR: reporting any data breach to the competent supervisory authority within 72 hours | Monitors network access and detects anomalies, helping identify data breaches more rapidly

  • Data security and confidentiality 
    IAM systems enforce strict user access control mechanisms, ensuring that only authorized individuals can access sensitive personal data. By enforcing role-based access controls (RBAC), they also allow organizations to grant access only to the data necessary for users to perform specific tasks («least privilege»).
  • Data minimization and purpose limitation 
    An IAM solution allows organizations to implement policies that restrict access to personal data based on the specific purpose for which the data is processed. It can also automatically revoke access rights when they are no longer needed.
  • Privacy by design and default 
    IAM systems ensure that privacy protection measures are embedded into systems and processes by default. For example, strong authentication mechanisms and encryption are integral to how data access is managed and controlled.
  • User rights management 
    An IAM solution helps organizations manage user consent by providing mechanisms for users to control their data, including giving, modifying, and withdrawing consent at any time. It can also include self-service portals that empower users to exercise their rights, such as the right to access, rectify, and delete their personal data, and the right to data portability.
  • Auditability and accountability 
    IAM systems maintain detailed logs of user access and activities. This enables organizations to track and verify who accessed personal data and when. Comprehensive audit trails help demonstrate compliance with data protection requirements and can be used to respond to regulatory inquiries or investigations.  
  • Data breach response 
    IAM systems monitor network access and detect anomalies, helping organizations identify potential data breaches more rapidly and ensuring timely notification to authorities and affected individuals.  
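To make the mechanisms in this list concrete, here is an added example (not code from the original post or from any IAM product) of a minimal access policy engine in Python: time-limited role assignments that lapse on their own (automatic revocation), permissions bound to one processing purpose (purpose limitation and least privilege), the right to object honoured at decision time, and an audit log that answers "who accessed this person's data and when". The roles, purposes, subjects and timestamp are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample policy (hypothetical, not any product's format): a role
# grants (data category, action) pairs only for one stated processing purpose.
ROLE_PERMISSIONS = {
    "support_agent": {("contact_data", "read", "support_request")},
    "marketing": {("contact_data", "read", "direct_marketing")},
    "dpo": {("contact_data", "read", "access_request"),
            ("contact_data", "delete", "erasure_request")},
}
DEMO_NOW = datetime(2025, 1, 17, 9, 0)  # constructed timestamp for the sample


@dataclass
class Assignment:
    role: str
    expires: datetime  # the role lapses automatically once this time passes


class AccessManager:
    def __init__(self):
        self.assignments = {}  # user -> list of Assignment
        self.objections = set()  # data subjects who objected to marketing use
        self.audit_log = []  # every decision, allowed or denied

    def grant(self, user, role, now, valid_days):
        """Time-limited role assignment, so access is revoked without cleanup."""
        self.assignments.setdefault(user, []).append(
            Assignment(role, now + timedelta(days=valid_days)))

    def check(self, user, action, category, purpose, subject, now):
        """Decide and log one access attempt; the purpose must match the role."""
        allowed = any(
            a.expires > now
            and (category, action, purpose) in ROLE_PERMISSIONS.get(a.role, set())
            for a in self.assignments.get(user, []))
        # Right to object: no direct-marketing use once the subject objected.
        if purpose == "direct_marketing" and subject in self.objections:
            allowed = False
        self.audit_log.append({"when": now, "user": user, "action": action,
                               "category": category, "purpose": purpose,
                               "subject": subject, "allowed": allowed})
        return allowed

    def access_report(self, subject):
        """Right to information: who actually accessed this subject's data, when."""
        return [(e["when"], e["user"], e["purpose"]) for e in self.audit_log
                if e["subject"] == subject and e["allowed"]]
```

Denied decisions stay in the log as well, which is what a reviewer checks first when demonstrating compliance or investigating a suspected breach.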

However, ensuring regulatory and security compliance requires more than just technology. Employee training and increased security awareness within business processes are equally vital to achieving and maintaining compliance with FADP and GDPR.

The Digital Operational Resilience Act (DORA) 

A general overview 

The focus of DORA is to strengthen the IT security of financial entities in the European Union such as banks, insurance companies, and investment firms by providing strict security standards intended to limit the impact of risks related to information and communications technology (ICT). DORA will also affect Swiss ICT providers (or sub-providers) who intend to offer ICT services to EU financial entities, as well as financial entities in Switzerland who deal with financial entities in the EU or their customers. 


DORA is intended to strengthen the financial sector in six core areas, among them:  

  • ICT risk management 
    By focusing on ICT risk management, companies are nudged to strengthen their resilience against cyberthreats, which enables them to keep their processes running even during disruptions. 

    It is of utmost importance that ICT risks are managed thoroughly and that the measures taken are well-documented and understandable. The responsibility for managing a company’s ICT risks lies at management level.
  • ICT incident reporting 
    DORA requires companies of the financial sector to monitor, log, and report all ICT-related incidents and base their classifications on the criteria set out in Article 18 of DORA. Major incidents must be reported to the competent supervisory authority. 

    Besides the reporting system for ICT-related incidents, DORA is also introducing a voluntary system for reporting significant cyberthreats.
  • Operational resilience 
    According to the German Federal Financial Supervisory Authority, all financial entities must thoroughly review their information and communications technology by means of a risk-based, proportionate testing program. 

    These tests, which range from assessing network security to professional penetration tests, are intended to close any security gaps that might harm the financial entities.
  • Third-party risks 
    Special attention is also given to third-party ICT service providers. Financial entities that rely on them must carry out risk analyses, assess the suitability of the service provider, and follow the requirements related to the contractual arrangements posed by DORA. 

How does an IAM solution help with DORA compliance?

How IAM helps with DORA compliance

Topic | DORA requirement | IAM benefit
ICT risk management | Implementing robust frameworks that ensure the security and resilience of digital systems | Enforces access control, MFA, and privileged access management
Incident reporting | Detecting, managing, and reporting ICT-related incidents | Provides real-time monitoring and audit logs, supporting rapid breach response
Operational resilience testing | Running operational resilience tests to protect from cyberattacks and digital disruptions | Supports efforts through access simulation testing and user behavior analytics
Third-party risk management | Strictly managing risks associated with third-party ICT service providers | Ensures strict access controls for third-party vendors, manages external identities, monitors their activities
ICT governance | Establishing governance frameworks for oversight of ICT risks | Strengthens ICT governance by enforcing access policies and periodic reviews
Cybersecurity | Protecting against any kind of digital threat | Enhances security compliance with MFA, password management, and dynamic access controls

As with FADP and GDPR, IAM can also play a critical role in being DORA-compliant. It helps financial entities to define, manage, and keep track of all arrangements and security measures related to the DORA risk management framework. For example:

  • ICT risk management  
    DORA requires organizations to implement robust ICT risk management frameworks, ensuring the security and resilience of digital systems. IAM systems enforce access control, MFA, and privileged access management, protecting critical systems and data.
  • Incident reporting  
    DORA mandates that financial institutions detect, manage, and report ICT-related incidents, including cybersecurity breaches. An IAM solution provides real-time monitoring and audit logs, as well as supports rapid breach response.
  • Operational resilience testing  
    DORA emphasizes the importance of operational resilience testing to ensure that financial entities can withstand cyberattacks and digital disruptions. IAM systems support these efforts through access simulation testing and user behavior analytics.
  • Third-party risk management  
    DORA includes stringent requirements for managing risks associated with third-party ICT service providers, including cloud services. IAM ensures strict access controls for third-party vendors, manages external identities, and monitors their activities, reducing risks from ICT service providers.
  • ICT governance  
    DORA mandates that financial institutions establish governance frameworks for oversight of ICT risks. IAM systems can strengthen ICT governance through enforcing access policies and periodic reviews.
  • Cybersecurity  
    IAM solutions enhance security compliance with MFA, password management, and dynamic access controls. 

PAM: The hidden champion for DORA compliance


Privileged access management (PAM) consists of cybersecurity strategies and technologies for exerting control over the elevated («privileged») access and permissions for identities, users, accounts, processes, and systems across an IT environment. By implementing PAM, organizations can enable DORA compliance through various measures. For example:

  • Access control  
    Through enforcing the least privilege principle, PAM systems ensure that only authorized users can access critical systems and data, minimizing risk exposure.
  • Multi-factor authentication  
    MFA adds an additional layer of security to privileged accounts, aligning with DORA’s emphasis on strong cybersecurity measures.
  • Auditing and monitoring  
    PAM continuously monitors and logs all privileged actions, providing the required audit trails for regulatory reporting and incident detection. This transparency supports DORA’s focus on operational resilience and incident response by ensuring that any unauthorized activity can be quickly identified and addressed.

 

IAM – a safe choice for your company and your customers

One thing is for sure: the number and complexity of regulatory data protection requirements will keep increasing. Ensuring compliance therefore is and will remain a key business issue for organizations.

As just shown, IAM solutions are a powerful tool to tackle the challenge. They support compliance with numerous aspects of important laws such as FADP, GDPR, and DORA. Plus: In doing so, they significantly increase your organization's cybersecurity posture, thus strengthening customer trust.

Stay tuned! Shortly, we will cover two more important laws in a follow-up blog post: the Electronic Identification, Authentication and Trust Services Regulation (eIDAS) and the Network and Information Security Directive (NIS2).


Published January 17, 2025
