Apr 11, 2018 2:04:16 PM
GDPR: Digital Certificates and PII

The General Data Protection Regulation (GDPR) is here. Enforceable as of May 25, 2018, the GDPR aims to address data protection and privacy rights for citizens of the European Union. GDPR raises two primary areas of concern for most organizations:

 

  • How to identify all data that contains Personally Identifiable Information (PII)
  • How to track what data may have been exposed in a breach

GDPR further identifies two types of PII: direct PII, meaning data elements typically identified as PII such as name and address, and indirect PII, meaning things that can be used to indirectly identify a user, such as machine names and IP addresses.

Many organizations issue digital certificates to identify users for authentication and authorization purposes. These certificates include information identified as direct PII by GDPR. Organizations also often issue certificates to devices for access to networks or remote management, and those certificates contain indirect PII that usually ties a user to a device.

As a result, digital certificates issued to users and devices become subject to GDPR and therefore require the same care, attention, and insight as other information stored about users and customers.   

A digital user certificate contains PII and can be used for any number of purposes, the most sensitive of which include:

  • legally-binding document signing
  • encryption of confidential data
  • authentication to secured systems

In addition to the apparent need for well-controlled provisioning processes around digital user certificates, organizations need to be able to clearly identify, report on, and if requested, revoke and delete them.
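As an added illustration (not CSS or CMS code), the sketch below classifies the PII-bearing fields of certificate inventory rows as direct or indirect and filters them by subject country. The inventory rows, the attribute-to-PII mapping, the machine-name heuristic and the `SCOPE_COUNTRIES` set are all assumptions made for the example.

```python
import re

# Constructed inventory rows (not real certificates): subject DN plus SAN entries.
INVENTORY = [
    {"serial": "01", "subject": "CN=Marie Dupont,E=marie.dupont@example.fr,OU=Users,C=FR",
     "san": ["email:marie.dupont@example.fr"]},
    {"serial": "02", "subject": "CN=PAR-LT-0042,OU=Laptops,C=FR",
     "san": ["DNS:par-lt-0042.example.fr", "IP:10.20.30.40"]},
    {"serial": "03", "subject": "CN=Smith\\, John,OU=Users,C=US", "san": []},
    {"serial": "04", "subject": "O=Example Corp,C=FR", "san": []},
]
DIRECT_ATTRS = {"E", "EMAILADDRESS", "SN", "GN", "UID"}  # assumed attribute-to-PII mapping
SCOPE_COUNTRIES = {"FR", "DE", "IE"}  # hypothetical scope; list the countries you cover


def parse_dn(dn):
    """Split a DN on unescaped commas and return [(ATTR, value), ...]."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs


def is_machine_name(cn, san):
    """Heuristic (assumption): the CN's first label matches the host label of a DNS SAN."""
    hosts = {s[4:].split(".")[0].lower() for s in san if s.startswith("DNS:")}
    return cn.lower().split(".")[0] in hosts


def classify(cert):
    """Return {'direct': [...], 'indirect': [...]} listing the PII-bearing fields."""
    found = {"direct": [], "indirect": []}
    for attr, value in parse_dn(cert["subject"]):
        if attr == "CN":
            kind = "indirect" if is_machine_name(value, cert["san"]) else "direct"
            found[kind].append(f"CN={value}")
        elif attr in DIRECT_ATTRS:
            found["direct"].append(f"{attr}={value}")
    for entry in cert["san"]:
        kind = "direct" if entry.startswith("email:") else "indirect"
        found[kind].append(entry)
    return found


def in_scope(cert):
    """In scope when the subject country is covered and at least one PII field exists."""
    country = dict(parse_dn(cert["subject"])).get("C")
    return country in SCOPE_COUNTRIES and any(classify(cert).values())
```

The subject country is only a stand-in for scoping here; a directory attribute such as the user's organizational unit can be substituted in `in_scope` when the inventory carries it.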

Centrally managing digital user certificates throughout their entire lifecycle is possible with CSS' CMS Digital Certificate and PKI Operations Management Platform. In this example, we are working with certificates issued to a specific subset of users in a directory, whose accounts are in an organizational unit with country-specific attributes; in this case, France. With an EU-specific certificate collection defined in the CMS console, users can get an instant view of the certificates in their environment that fall under the scope of GDPR.

 GDPR_PKI1

 

Adding this collection to the CMS dashboard in the defined certificate search (shown above) provides immediate GDPR-scoped certificate visibility to CMS console users.

 GDPR_PKI2

As shown above, in the "EU User Certificates" collection view, the certificates meeting the specified search criteria are shown with options for updates, revocations, and deletions, either for single certificates, multiple certificates, or all certificates. Also available is the option to download the resultant dataset for analysis in other tools.

This blog has covered only one example of GDPR governance concerning your enterprise Public Key Infrastructure (PKI). CSS can work with you in a CMS Enterprise™ (on-premise or cloud digital certificate and PKI management platform) or a CMS Sapphire™ (enterprise PKI Managed Service) model to ensure that digital certificate subscribers receive the protections afforded them by GDPR, as well as helping to demonstrate compliance for your enterprise.
