GDPR and Customer IAM
For Data Protection Officers building services that comply with the GDPR and other privacy-oriented laws and regulations
The European General Data Protection Regulation (GDPR) is one of the biggest pushes towards Privacy by Design thinking. The new regulation, which comes into effect in 2018, is drawing new lines on how personal information is treated on a global scale, since companies outside the EU that handle the personal data of EU citizens must comply with it as well.
Privacy by Design is not a zero-sum effort. Companies and services that take privacy to heart will earn the trust of their customers, and a good trust relationship brings improved revenue and customer acquisition.
Customer Identity and Access Management (IAM) is one of the tools a data protection officer (DPO) should be familiar with. CIAM solutions such as Ubisecure Identity Server can help DPOs build services that comply with the GDPR's consent management requirements and with other privacy-oriented laws and regulations.
The end user's ability to control the information that a service collects and stores is at the heart of privacy. If your online services collect information about users, you should also let them view, verify and modify that information. Ubisecure Identity Platform offers extensive self-service interfaces where end users can easily access their information from a single place. The Identity Platform can be connected to the several identity repositories you might have and present this information in a centralised way.
It is worth noting that the nature of identity and access management is to centralise both authentication and the management of identity attributes. This centralised approach will help you comply with the requirements created by privacy-oriented laws.
Need to Know and Consent
The concept of Need to Know is well depicted in Hollywood films, and it is now a requirement in regulations such as the GDPR. Excessive collection of personal data should be avoided, and the same principle applies to the personal data your services send out. The Ubisecure Identity Platform and its easy to manage, centralised authorisation policies can ensure that you send only the minimum required set of identity attributes to online services, whether internal or external.
One of the trickiest demands put forward by the GDPR is Active Consent. Users should be able to give active and informed consent on how their personal data is handled, and they should also be able to manage those consents. IAM solutions such as the Ubisecure Identity Platform have built-in capabilities to manage consent. If you try to build consent management into each application separately, you may soon find yourself in a tangle of mismatching processes, unable to let your customers manage the consents they have given.
The GDPR requires that companies allow their end users to easily switch service providers: users should be able to collect their data and transfer their account information to another service. If your organisation uses separate identity silos or repositories to store user information, complying with this demand can be difficult. The Ubisecure Identity Platform and its centralised approach to handling identity attribute data can help organisations achieve this.
Right to Erasure
The right to erasure, previously known as the “right to be forgotten”, is another GDPR requirement. If you have more than one service and identity repository for your customers, it can be difficult to be absolutely certain that you have erased all of a user's data. If the services are not connected in any way and a user requests erasure in service A, the request might never reach services B or C, and you could face non-compliance. Identity and access management solutions, with their tendency to centralise the handling of identities, make it easier to erase personal data when a request comes from the end user.