GDPR & Privacy

Checking access...

The General Data Protection Regulation (GDPR) represents the most comprehensive data privacy regulation ever enacted. While SOX focuses on financial controls, GDPR focuses on the protection of personal data and the rights of data subjects — the individuals whose data is processed. IAM systems are both a controller of personal data (employee identity data) and a critical control for protecting the personal data processed by business applications.

GDPR Principles and IAM

Article 5 — Principles Relating to Processing of Personal Data

Principle | IAM Implication | Implementation
Lawfulness, fairness, transparency | Data subjects must know how their identity data is processed | Privacy notice, consent collection for identity data uses
Purpose limitation | Identity data collected for IAM should not be repurposed | Data classification, purpose-based access controls
Data minimisation | Only collect the minimum identity attributes needed | Minimal attribute collection, attribute-level access controls
Accuracy | Identity data must be accurate and kept current | Self-service profile updates, HRIS sync for authoritative data
Storage limitation | Identity data retained only as long as necessary | Retention policies, automated archival and deletion of stale identities
Integrity and confidentiality | Identity data protected against unauthorised access | RBAC for identity stores, PAM for directory admin, encryption of identity data at rest and in transit
Accountability | Organisation must demonstrate compliance | Audit trails for identity and access management activities

Data Subject Rights

Article 15 — Right of Access (DSAR)

Data subjects have the right to obtain confirmation of whether their personal data is being processed and, if so, access to that data.

IAM DSAR workflow:

DSAR Step | IAM Action | Responsibility
1. Submit request | Receive DSAR through portal or legal channel | Data Protection Officer (DPO)
2. Verify identity | Confirm the data subject's identity to prevent unauthorised disclosure | IAM team validates identity proof
3. Search identity data | Query IAM systems, HR systems, access logs, and directories for personal data of the data subject | IAM system
4. Compile response | Assemble all personal data records, access history, and identity attributes | IAM system + HR system
5. Review and redact | Review compiled data for third-party information or legal exemptions | DPO / Legal
6. Deliver response | Provide response within 30 days (Article 12 — reasonable interval) | DPO

Article 17 — Right to Erasure (Right to be Forgotten)

Data subjects can request deletion of their personal data when:

  • Data is no longer necessary for the original purpose
  • Consent is withdrawn
  • Data was unlawfully processed
  • Legal obligation requires erasure

IAM implications of erasure:

Identity Data Element | Can Be Deleted? | Consideration
User account | Yes | Check legal hold, archive before deletion
Access logs | No (security/compliance retention) | Anonymise or pseudonymise; retain for legal hold
HR records | No (employment retention obligations) | HR data retention supersedes, but restrict access
PAM session recordings | No (security incident investigation) | Anonymise references, retain for defined period
Audit trail | No (SOX/GDPR accountability) | Retain with restricted access; do not delete even for erasure requests
Consent records | No (must document withdrawal) | Retain consent withdrawal records

Info: The tension between the right to erasure and legal retention obligations is a common challenge. The solution is data classification: identity data that is no longer needed is deleted; audit-relevant data is retained but access is restricted; and records of the erasure request itself are kept permanently to prove compliance.
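As an added example (not the page's own code) of the classification rule above and the erasure table: the account record is deleted after archival, access-log entries are pseudonymised with a keyed hash rather than removed, a legal hold blocks deletion, and the erasure register keeps a permanent record of every request. The stores, identifiers and key are constructed for the demo.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed in-memory stores standing in for the IAM directory, the access-log
# store and the erasure register (sample data, not from any real system).
PSEUDONYM_KEY = b"constructed-demo-key"  # in practice a secret held in a vault/HSM
accounts = {
    "u-1042": {"name": "A. Example", "email": "a.example@example.test", "legal_hold": False},
    "u-2077": {"name": "B. Example", "email": "b.example@example.test", "legal_hold": True},
}
archive = {}            # archived account records, restricted access
access_logs = [
    {"ts": "2024-03-01T08:00:00Z", "user": "u-1042", "resource": "hr-portal", "action": "login"},
    {"ts": "2024-03-01T08:05:00Z", "user": "u-0007", "resource": "hr-portal", "action": "login"},
    {"ts": "2024-03-02T09:10:00Z", "user": "u-1042", "resource": "payroll", "action": "read"},
]
erasure_register = []   # kept permanently to prove how each request was handled


def pseudonymise(user_id: str) -> str:
    """Keyed hash: a subject's log lines stay linkable to each other for incident
    investigation, but the raw identifier cannot be recovered without the key."""
    digest = hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return "ps-" + digest[:16]


def process_erasure(subject_id: str) -> dict:
    """Apply the classification: delete the account, pseudonymise logs, keep the record."""
    acct = accounts.get(subject_id)
    now = datetime.now(timezone.utc).isoformat()
    token = pseudonymise(subject_id)
    if acct is None:
        return {"status": "not_found"}
    if acct["legal_hold"]:
        # A retention obligation overrides erasure; the refusal itself is still recorded.
        erasure_register.append({"subject": token, "ts": now, "outcome": "refused_legal_hold"})
        return {"status": "refused_legal_hold"}
    archive[token] = dict(acct)          # archive before deletion, under restricted access
    del accounts[subject_id]             # the identity record itself is deleted
    touched = 0
    for entry in access_logs:            # security logs are retained, not deleted
        if entry["user"] == subject_id:
            entry["user"] = token
            touched += 1
    erasure_register.append({"subject": token, "ts": now, "outcome": "erased",
                             "logs_pseudonymised": touched})
    return {"status": "erased", "pseudonym": token, "logs_pseudonymised": touched}
```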

Other Data Subject Rights

Right | Article | IAM Implementation
Right to rectification | Article 16 | Self-service profile update, HRIS sync for corrections
Right to restrict processing | Article 18 | Access suspension, account disablement without deletion
Right to data portability | Article 20 | Export user identity and entitlement data in machine-readable format
Right to object | Article 21 | Opt-out mechanisms for non-essential identity data processing
Automated individual decision-making | Article 22 | Human re-review of automated access approval decisions

For identity data processing that relies on consent as the legal basis:

Requirement | Description | IAM Implementation
Freely given | No coercion, no negative consequences for refusal | Separate consent from employment terms
Specific | Individual purposes clearly stated | Separate consent for each purpose
Informed | Clear language about what data, how used, retention | Readable privacy notice in plain language
Unambiguous | Clear affirmative action required | No pre-ticked boxes, active opt-in
Withdrawable | As easy to withdraw as to give | One-click consent withdrawal
Documented | Record of consent maintained | Consent record with timestamp and version

User Onboarding ──> Consent Collection ──> Consent Record Store
                                                  │
                     ┌────────────────────────────┴────────────┐
                     │                                         │
          Processing based on                        Periodic Consent
          consent terms                              Review / Refresh
                     │                                         │
                     └────────> Consent Withdrawal <───────────┘
                                       │
                               Restrict Processing
                                       │
                               Retention or Deletion
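An added example (not from the page) of the consent record store in the flow above: one timestamped, versioned record per purpose, one-step withdrawal, a check that restricts processing unless an active grant exists against the notice version in force, and a periodic-review query for grants that need refreshing. The notice version and subject identifiers are assumed values.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

CURRENT_NOTICE_VERSION = "2024-05"  # assumed: privacy notice version now in force


@dataclass(frozen=True)
class ConsentEvent:
    subject: str
    purpose: str         # one record per purpose: consent must be specific
    granted: bool        # True = consent given, False = consent withdrawn
    notice_version: str  # the notice the subject actually saw (informed)
    ts: datetime


class ConsentStore:
    """Append-only consent record: grants and withdrawals are kept, never overwritten."""
    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def record(self, subject: str, purpose: str, granted: bool,
               notice_version: str = CURRENT_NOTICE_VERSION) -> ConsentEvent:
        ev = ConsentEvent(subject, purpose, granted, notice_version, datetime.now(timezone.utc))
        self.events.append(ev)
        return ev

    def withdraw(self, subject: str, purpose: str) -> ConsentEvent:
        # Withdrawal is one call, the same step as giving consent (as easy to withdraw).
        return self.record(subject, purpose, granted=False)

    def latest(self, subject: str, purpose: str):
        for ev in reversed(self.events):
            if ev.subject == subject and ev.purpose == purpose:
                return ev
        return None

    def is_permitted(self, subject: str, purpose: str) -> bool:
        # Processing continues only on an active grant made against the notice in force;
        # a grant under an older notice is restricted until refreshed.
        ev = self.latest(subject, purpose)
        return ev is not None and ev.granted and ev.notice_version == CURRENT_NOTICE_VERSION

    def needing_refresh(self) -> list[tuple[str, str]]:
        # Periodic review: active grants whose notice version is out of date.
        latest = {}
        for ev in self.events:          # later events overwrite earlier ones per key
            latest[(ev.subject, ev.purpose)] = ev
        return [k for k, ev in latest.items()
                if ev.granted and ev.notice_version != CURRENT_NOTICE_VERSION]
```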

Breach Notification

Article 33 — Notification to Supervisory Authority

  • Required within 72 hours of becoming aware of a personal data breach
  • Notification must include: nature of breach, categories of data subjects, approximate number of records, DPO contact, likely consequences, measures taken

Article 34 — Communication to Data Subjects

  • Required when the breach is likely to result in high risk to data subjects
  • Must describe breach nature, DPO contact, likely consequences, and recommended mitigation measures

IAM’s Role in Breach Response

Breach Response Phase | IAM Action | Timeframe
Detection | Access anomaly detection, privilege misuse alerting, log correlation | Real-time
Containment | Account suspension, credential rotation, access revocation | Minutes
Investigation | User attribution, access reconstruction, session recording review | Hours
Notification | Identify affected data subjects from identity records | 72 hours
Remediation | Policy update, control enhancement, additional PAM controls | Days to weeks
Post-mortem | Access control review, policy improvement | Weeks

Records of Processing Activities (Article 30)

Organisations with 250+ employees must maintain records of processing activities — including IAM-related processing:

Record Field | IAM-Specific Content
Controller/processor | Identity and contact details of each entity
Purposes of processing | Access management, identity verification, authentication, authorisation, audit
Categories of data subjects | Employees, contractors, partners, customers
Categories of personal data | Identity attributes (name, email, title, department, manager), authentication factors, access entitlements, access patterns
Recipients | Application owners, system administrators, auditors, SIEM systems
International transfers | Identity data transfer to other regions/subsidiaries
Retention periods | Active account: employment duration; audit logs: defined retention period; archived accounts: defined period
Technical/organisational measures | Access control, MFA, encryption, logging, monitoring, PAM, IGA controls

Privacy by Design in IAM

Article 25 — Data Protection by Design and Default

Principle | IAM Implementation
Data minimisation | Minimal identity attributes, role-mining for least privilege, attribute-level access restriction
Purpose limitation | Attribute release policies based on application need-to-know
Storage limitation | Automated archival of inactive accounts, deletion after defined period
Access control | RBAC/ABAC, MFA, JIT privileged access, attribute-based release
Transparency | User access self-service, privacy dashboards, consent management
Security | Encryption, audit logging, anomaly detection, session recording

GDPR Fines and Penalties

Violation Category | Maximum Fine | Examples from IAM Context
Lower tier (Art. 83(4)) | €10M or 2% of global revenue | Failure to maintain records of processing, failure to notify breach to data subjects
Upper tier (Art. 83(5)) | €20M or 4% of global revenue | Processing without legal basis, failure to implement data subject rights, inadequate security measures
Reputational | Brand damage, customer loss | Public enforcement actions, litigation, media coverage

Key Takeaways

  • GDPR gives individuals (data subjects) eight rights over their personal data — IAM systems must support the right of access (DSARs), right to erasure (data deletion with retention exceptions), right to rectification, and right to data portability
  • Consent management requires valid consent to be freely given, specific, informed, unambiguous, and easily withdrawn — IAM must document consent records with timestamps and version tracking
  • Breach notification requires notification to authorities within 72 hours — IAM’s role spans detection, containment (account suspension, credential rotation), investigation (user attribution, session review), and affected-subject identification
  • The right to erasure creates a specific challenge: PII must be deleted, but security/audit logs and consent records must be retained to demonstrate compliance
  • Article 30 requires records of IAM processing activities — data subjects, categories, retention periods, international transfers, and security measures
  • Privacy by design (Article 25) requires data minimisation in identity data collection, purpose-based attribute release, and automated lifecycle management
  • IAM systems are both data controllers (of employee identity data) and data processors (for customer identity data in CIAM deployments)