FOR DATA PROTECTION OFFICERS
Build services that comply to the GDPR and other privacy oriented laws and regulations
Privacy by Design is not a zero sum effort. Companies and services that take privacy to their heart will acquire the trust of their customers. With a good trust relationship comes improved revenue and customer acquisition.
The European General Data Protection Regulation (GDPR) is one of the biggest pushes towards Privacy by Design thinking. The new regulation that comes into effect in 2018 is drawing new lines on how to treat personal information on a global scale as companies that handle personal data of EU citizens must comply to this regulation as well.
Identity and Access Management (IAM) is one of the tools a data protection officer (DPO) should be familiar with. IAM solutions like Ubisecure Identity Server can help DPOs build services that comply to the GDPR and other privacy oriented laws and regulations.
The end user ability to control information that a service collects and stores is at the heart of the privacy. If your online services are collecting information about the users, you should also let them control, verify and modify that information. Ubisecure Identity Platform offers extensive self-service interfaces where end users can easily access their information from a single place. The Identity Platform can be connected to several identity repositories you might have and present this information in a centralized way.
It is worth noting that the nature of identity and access management is to centralize the control of both authentication and the management of identity attributes. This centralized approach will help you comply to the requirements created by privacy oriented laws.
Need to know and Consent
The concept of Need to Know is well depicted in Hollywood films. This is now a requirement in e.g. GDPR. Extensive collection of personal data should be avoided, but it also applies to personal data your services might send out. Ubisecure Identity Platform and the easy to manage centralized authorization policies can make sure that you send only the minimum required set of identity attributes to online services, internally or externally.
One of the trickiest demands put forward by the GDPR is Active Consent. The users should be able to give active and informed consent on how their personal data is handled. They should also have the ability to manage those consents. IAM solutions such as the Ubisecure Identity Platform have built-in capabilities to manage consent. If you try to build consent management to each application separately you might soon find yourself in a tangle of mismatching processes and the inability to let your customers manage their consents they’ve given.
The GDPR requires that companies should allow their end users to easily switch service providers. They should be able collect their data and transfer the account information to another service. If your organization is using separate identity silos or repositories to store user information, complying to this demand can be difficult. Ubisecure Identity Platform and the centralized approach in handling identity attribute data can help organizations achieve this task.
Right for Erasure
Previously known as “Right to be forgotten” is again a GDPR requirement. If you have more than one service and identity repository for your customers it might be difficult to be absolutely certain you have erased all of their data. If the services are not connected in any way and the user requests for erasure in service A, the request might never reach service B or C and you might face non-compliance. Identity and access management solutions and their tendency to centralize the handling of identities make it easier to erase personal data should a request come from the end user.