gdpr and authentication | Secret Double Octopus

How GDPR Will Change the Face of Digital Authentication

The highly anticipated General Data Protection Regulation (GDPR) of the European Union comes into effect in a few short months.

GDPR represents a paradigm shift in IT regulation. While other national and international legislation has focused on laying down specific rules for handling digital data, GDPR goes one step further by changing the relationship between enterprises and the personal information they collect and store.

GDPR is not just about compliance, it’s about liability.

Under the Regulation, when an organization is breached the legal responsibility falls on that organization. A personal data breach must be reported to the supervisory authority without undue delay, and where feasible within 72 hours of the organization becoming aware of it; where the breach is likely to pose a high risk to individuals, those individuals must be informed as well. Failure to report can itself lead to enforcement action. In effect, enterprises are becoming "data custodians": in the same way a bank is responsible for its clients' money and must account for it, companies must securely hold their users' data or face the consequences.

How will GDPR change the standards of authentication?

While GDPR does not mandate any particular authentication method, it raises the bar for identity and access management considerably.

How so?

On the whole, GDPR advances the model of "data protection by design", an approach to data management that requires secure practices at every level of an organization's digital infrastructure.

To this end, the Regulation calls for "data protection by design and by default", implemented through "technical and organisational" measures. Companies must have strict rules for interaction with personal data, including limits on the amount collected, the extent of its "processing" and its "accessibility."

Businesses are expected to adopt procedures under which access to personal data is always adequately protected.

Enterprises will have to start identifying the security gaps in their organizations and shoring up the weakest points in their digital infrastructure. For many companies the weakest point is their authentication method, typically a password-based system. Simply put, a password is a shared secret that human error can compromise at any time: an employee falls for a phishing email, a written-down password is lost, or credentials are stolen outright. Each of these exposes the enterprise to legal liability under GDPR.

The cost of adopting stronger authentication

GDPR gets the most attention for its eye-opening fine regime. Fail to comply with the law's many provisions, and you can expect administrative fines of up to €20 million or four percent of your total worldwide annual turnover, whichever is higher.

With these penalties looming overhead, companies are placed between a rock and a hard place. Adding layers to authentication hurts workflow by impeding usability and requires a learning curve for employees to get used to new procedures. Companies face either taking on expensive, cumbersome tools or risking severe penalties.

Going Passwordless

Passwordless authentication gives enterprises the best of both worlds.

By removing passwords from the equation, companies eliminate the shared secret that phishing, credential theft and password reuse all depend on, and so achieve an all-around higher level of security for their most sensitive data. At the same time, passwordless tools streamline workflow with easy-to-use, seamless access for authorized users.

The Answer to your Data Risk Assessment

The benefits of secure authentication don’t stop there.

Implementing efficient authentication tools helps an organization lower its overall data risk exposure, a key component of GDPR compliance. GDPR does not prescribe a specific level of security for each data type (personal, generic, medical). Instead, it requires companies to assess the sensitivity of all stored data based on the potential damage of a breach, and to apply protection measures accordingly.

For processing that is likely to result in a high risk to individuals, GDPR requires the organization to conduct a data protection impact assessment (DPIA), and where the assessment shows that the risk cannot be adequately mitigated, to consult the supervisory authority before processing begins. The authority can respond by restricting or prohibiting the activity it deems a threat to personal data.

Companies internationally have already begun to undergo assessments to ensure their operations are in line with GDPR. According to a Brodies business survey, among respondents "who were aware of GDPR, a majority had completed an audit."

Even for activities not labelled "high risk", controllers must still implement technical and organisational measures that ensure a level of security "appropriate to the risk."

Holding on to sensitive data is a real liability under GDPR. IT executives across the industry are scrambling to find solutions to this very serious problem. According to a recent PwC survey, 54 percent of respondents said "they plan to de-identify European personal data to reduce exposure."

The personal phone as an authentication device

The Octopus Authenticator simplifies authentication by using the user's personal phone as the security token. Because no additional hardware device has to be purchased, distributed and replaced, mobile authentication lowers the cost of secure authentication substantially.

Achieving Compliance

GDPR is coming.

Compliance with the new Regulation does not have to be a burden for an organization.

The authentication tools of Secret Double Octopus allow an organization to achieve the highest level of authentication security, while keeping costs low, simplifying the transition to a new platform, and ensuring seamless user experience.

About the Author:

Samuel studied intelligence research at the American Military University in West Virginia. Upon completing his studies he served in the Intelligence Wing of the IDF Corps of Combat Engineering, in addition to other roles in the Corps' units. Today he works as a researcher on global security threats in the fields of technology and cyber.