Meeting GDPR Compliance Requirements with FIDO
The GDPR has been in effect for six months now and as an EU citizen, I’ve noticed the GDPR compliance requirements in action. I’ve been bombarded with emails and consent forms requesting permission to share my personal details, for everything from the online companies I order from, to my children’s schools.
Although it is an EU legislative framework, the GDPR has far-reaching consequences around the world. Every organization operating in, storing, or processing the data of EU citizens is subject to GDPR requirements. That doesn’t mean all impacted organizations are ready and compliant. Those who aren’t remain fearful of the steep fines and penalties associated with non-compliance, going so far as to post online messages such as: “We notice you are visiting this website from outside of the U.S. and therefore can’t display this information.”
So far, no fines have been issued, as the different Data Protection Authorities are adopting a more lenient posture and giving businesses time to adjust to the new rules. However, the first penalty cases are expected shortly. This raises the question: how do you implement the appropriate solutions to make sure you’ve met GDPR compliance requirements? And how will you avoid passing the compliance burden on to your customers?
The answer is simple: FIDO. FIDO fulfills GDPR compliance requirements by design. It is a standards-based authentication framework vetted by countless industry experts. FIDO’s drive to make authentication stronger and simpler (with an emphasis on privacy) also ensures that the user experience is free of unnecessary friction.
To explain why FIDO authentication is a good match to achieve GDPR compliance, let’s take a closer look at some of the key requirements: data protection, capturing consent, and biometric authentication.
GDPR Compliance Requirements for Data Protection
There are several articles in the GDPR legislation referring to data security, each treating different aspects such as data minimization, integrity, confidentiality, and data breach notification. All of these principles form the core of what we can describe as data protection. What it boils down to is that businesses are required to implement data protection safeguards. The easiest way to accomplish this is by implementing strong multi-factor authentication (MFA).
A simple username and password combination no longer suffices since passwords can easily be stolen or exploited. The European Union Agency for Network and Information Security (ENISA), which advises member states and private sector organizations on implementing EU legislation, strongly recommends using two-factor authentication (2FA) to safeguard personal data. An example of a second factor would be a one-time password (OTP) generated by a hardware token or through software authentication on a mobile device. Two-factor authentication provides a secondary layer of security that makes it more difficult for hackers to access a user’s devices and online accounts.
Some forms of MFA are more secure than others. SMS authentication is considered a weaker form of authentication since the OTP can be intercepted. As a result, the National Institute of Standards and Technology (NIST) listed SMS authentication as “restricted” in its latest guidelines. To truly enhance the security of accounts, FIDO delivers strong, standards-based authentication leveraging public key cryptography, where a separate private and public key pair is generated for every account or service the customer logs on to; only the public key is held by the service, so a breach of its database exposes no reusable secret.
Under the GDPR, organizations must capture consent for the personal data they gather and need to be able to prove they received that consent. Further, any individual has the right to rectification of their personal details as well as the right to be removed from an organization’s database. Transparency is a key component. With regard to individual rights and data consent, FIDO authentication again provides an answer: before acting on a request about personal data, a business must verify the identity of the individual making that request to ensure the request is authentic, and a FIDO login is a strong way to do so.
In addition, any organization evaluating consent mechanisms to comply with the GDPR should look at electronic signatures, especially when handling high-risk data, such as personal financial information. E-Signatures provide an auditable and easy-to-use way to capture consent, comply with the active opt-in requirement, and demonstrate the details of how consent was obtained, including what was consented to, when, and by whom. The OneSpan Sign e-signature service, for example, integrates with and can connect to authentication systems such as FIDO-certified authenticators from OneSpan.
Biometric authentication is quickly gaining ground. First, it’s very convenient to log on to any service using a fingerprint or face scan. Second, it’s easy to leverage everyday devices, for example through Touch ID and Face ID. The GDPR considers biometric data as sensitive information, and organizations must properly secure and manage this data.
FIDO is very focused on biometrics as it perfectly represents the notion of authentication made simple and convenient. The FIDO protocol is set up in such a way that there are no server-side secrets; therefore, biometric data is never stored in a database. Biometrics are stored locally, used only to unlock the private key on the device, and never leave the device. By implementing FIDO, businesses avoid collecting, processing, and managing the biometric data themselves.
So far we’ve been focusing on legislative matters, but what about user experience? Customer experience is a clear competitive differentiator and has a strong impact on customer loyalty.
FIDO was created with the user in mind, while at the same time eliminating the weakest link in the security chain: users themselves. Passwordless authentication makes authentication easy, whether that’s through biometrics on mobile devices or a hardware FIDO2 token. FIDO improves and simplifies the customer experience by minimizing inconvenience while maximizing security.
Visit our FIDO authentication page to learn more about FIDO for passwordless login and using FIDO to meet GDPR compliance requirements.