Identity, Compliance Management, Privacy

Identity auditing: How to be a good steward of customer data and privacy rights

A thumbprint is projected onto a man. (Photo by Leon Neal/Getty Images)

Strict handling of customer data has become more necessary in recent years, thanks to the enactment of strong privacy laws like the GDPR and CCPA, and even more regulations along these lines are due to take effect in 2023.

Now is the time for your organization to make sure its customer-data collection, retention and policies are in compliance with privacy rules and regulations. Here's why and how to conduct an identity audit, and how customer identity and access management (CIAM) solutions can help.

Requirements of privacy laws and regulations

"The days of treating a customer as a static account-and-password combination are long gone," says an unpublished white paper prepared by Ping Identity. "The need to manage the rights, privileges, entitlements, grants, and consents over the entire lifetime of a customer's relationship with your brand is clearly upon us."

Nowhere is this more true than in Europe, where the General Data Protection Regulation (GDPR) is mandatory in the 27 member states of the European Union plus the United Kingdom, Norway, Iceland and Liechtenstein.

The GDPR applies to organizations with customers in any of the signatory countries, regardless of physical presence. If your company sells goods or services, registers users, or even just assigns browser cookies to persons in western or central Europe, it needs to comply with the GDPR.

The law states that all consumers must be told whether personal information will be collected and how it will be used, and lets consumers opt out of data collection. It also lets consumers request or directly make changes to their stored data, including correcting it, deleting it altogether or retrieving it in machine-readable form for transfer to another service.

"All of the organization's plans and policies — e.g., data protection plan, BOYD policy, incident response plan and business continuity plan — must conform to the GDPR norms," wrote Dimitar Kostadinov of the Infosec Institute in a 2018 blog post.

Most importantly, organizations must document their compliance with the GDPR, necessitating regular privacy and identity audits. Steep fines can be levied on companies that do not comply, with the harshest possible penalty being €20 million ($20.4 million) or 4% of worldwide revenue, whichever is greater.

Tiny Luxembourg fined Amazon €746 million ($762 million) for compliance violations in 2021, the biggest GDPR penalty to date. Facebook and WhatsApp have together been fined at least €285 million ($291 million). Google and its subsidiaries have been fined at least €200 million ($204 million) by the French data-protection office.

On this side of the Atlantic, the California Consumer Privacy Act (CCPA) became law in 2020. It's less stringent than the GDPR, giving consumers fewer controls over their personal data and imposing smaller fines.

However, the California Privacy Rights Act (CPRA) supersedes the CCPA and goes into effect on Jan. 1, 2023. It gives consumers roughly the same powers as the GDPR, including the right to correct, delete or transfer personal information. Colorado, Connecticut, Utah and Virginia also have privacy laws similar to the CPRA that all go into effect in 2023.

Meanwhile, older customer-data laws and regulations must still be adhered to. The U.S has the Health Insurance Portability and Accountability Act (HIPAA) and the Children's Online Privacy Protection Act (COPPA), while Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations that take payments in credit cards must conform to the industry-standard Payment Card Industry Data Security Standard (PCI DSS).

How to conduct an identity audit

The best way to prove compliance with privacy laws is through identity auditing, which Oracle defines as "the systematic capture, analysis, and response to identity data across an enterprise to ensure compliance with internal and external policies and regulations."

Identity auditing's goals, Oracle says, include detection and remediation of compliance violations; identification of duplicate or conflicting accounts; feedback about the effectiveness of internal controls; preparation of comprehensive audit reports; and finally, certification of compliance.

Identity audits can be seen as an expansion of privacy audits, devised in the 2000s to comply with HIPAA and other existing data-protection laws. Today, in the wake of GDPR and CCPA, the terms are often used interchangeably, although identity audits can involve management of customer accounts, especially when combined with CIAM solutions.

"Privacy audits should be transparent and demonstrate that the organizations are doing what they claim, especially as customer information has evolved from being scarce to incredibly abundant," wrote Patrick Mallory of the Infosec Institute in 2019.

In order to carry out an identity audit, your organization must determine:

  • Exactly which data-privacy laws, regulations or frameworks must be complied with
  • How, why and what kinds of customer personal data is collected, processed and stored
  • How consumer data is protected, e.g. what kind of encryption is used both at rest and in transit
  • How consumer personal data flows within your organization, and whether it is shared with third parties
  • How customer-data collection, processing and storage is documented and logged
  • What kinds of consent a customer must provide for use of personal data
  • How personal data is disposed of when the user revokes consent or terminates an account
  • How employees are trained to handle customer personal data
  • What kind of mitigation is appropriate for any compliance violations

The audit can be done manually with questionnaires and spreadsheets, but this might take a long time. In an April 2021 blog post, Garret Grajek of YouAttest estimated that a manual audit might take half an hour per identity, adding up to a massive task when thousands of individual user accounts are involved.

How a CIAM solution can help

CIAM solutions provide automated platforms for managing customer identity and access for the websites and mobile apps of public-facing organizations, providing a smooth, seamless user experience while at the same time boosting security and privacy. Many CIAM solutions also provide identity proofing, which ties accounts to real persons, and are built to comply with the GDPR and CCPA.

However, CIAM providers are only now beginning to implement automated identity auditing into their platforms. Ping Identity calls this "one of the largest single technology and process gaps associated with customer experience and security."

Ideally, CIAM-driven identity auditing should highlight compliance violations and issues with customer accounts, combine multiple accounts held by the same person and provide auditors with the data they need. But we might have to wait a few years for such functions to become standard among CIAM solutions, despite their obvious necessity.

"We are rapidly moving to a world where there is no workforce identity, no customer identity, and no citizen identity," says the Ping white paper. "There is only a digital identity where those silos are collapsed into each other."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, and

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.