The General Data Protection Regulation (GDPR) finally comes into effect on Friday, May 25, 2018. The most significant change to European data protection laws in twenty years, GDPR will not only impact firms resident in the European Union (EU), but around the world, as any organisation doing business with EU citizens must comply with the regulation.
When it comes to authentication in the new era of GDPR, there are three things that every organisation should know:
- GDPR requires companies to implement data protection safeguards. Last year, 81 percent of all breaches were due to attacks that exploited weak or stolen passwords*. Strong, multi-factor authentication (MFA) is a fundamental building block of cyber security and data protection. Any approach to data protection that does not include the use of MFA is incomplete. But it’s important to remember that not all forms of MFA are created equal – older, first-generation MFA technologies are less effective now that attackers have learned how to bypass them.
- GDPR requires firms to respond to requests from individuals to view, change, delete, or transfer their data. It also means that businesses have to demonstrate that they obtained the consent from individuals to process their data, or explicit consent if the data is of a sensitive nature. In order to fully comply with this requirement, organisations must also be able to authenticate the identity of people making these requests.
- Biometrics are one of the most promising technologies available to deliver strong authentication, offering enhanced security and a far simpler user experience. However, GDPR highlights biometric data as a “sensitive” category of personal information requiring robust protection. Therefore, any entity implementing biometric authentication must ensure that its use of biometrics is compliant.
FIDO Alliance standards were created from the outset with a “privacy by design” approach and are a strong fit for GDPR compliance. Crucially, FIDO delivers authentication with no third-party involvement or tracking between accounts and services. And when it comes to biometrics, FIDO standards prevent this information from being stored and matched in servers – it never leaves the user’s device – and FIDO(R) Certified devices do not allow for any biometric data to be captured.
For more information about GDPR and how FIDO Authentication works, download our new white paper.