How IBM Supports Clients around GDPR and Cybersecurity Legislation
UXPSystems_whitepaper_Privacy_Nov182016
1. USER MANAGED PRIVACY & THE GDPR
User Lifecycle Management for
User Managed Privacy
UXP Systems’ Whitepaper | November 2016
Introduction
In the era of the digital user, we have become accustomed to using mobile devices,
usernames and biometrics to identify ourselves and access digital services. With
every interaction, we leave digital popcorn trails of our activities, preferences and
behaviours. Behind the curtains of every app or portal are systems that identify who
we are and what we do online. This data is used to deliver services, enrich user
experiences and drive monetization.
Personalization in the digital age has come at the great expense of our privacy.
To restore order between the competing mandates of personalization and privacy, the
EU has introduced the General Data Protection Regulation (GDPR). By 2018, any
enterprise doing business in the EU must comply with it.
I. THE PRIVACY IMPERATIVE
Why Privacy Matters Now
Data: Subjects, Controllers, Processors
Distilled to its basics, the GDPR defines an interlocked chain of three entities working
in concert to put users back in control of their personal data: Data Subjects, Data
Controllers and Data Processors.
Enterprises (Data Controllers) must re-stitch their fragmented systems and processes
to ensure that individuals (Data Subjects) can create consent-based relationships to
govern the use of their personal data in downstream systems (Data Processors). The
complexity in this kind of user-centric paradigm is immense. First, its scope will cross
a wide breadth of systems. Firms that cannot aggregate, unify, explain and expose
personal data to their end users will fail to achieve compliance. Perhaps more
importantly, GDPR proposes a paradigm change, where enterprises must operate
from the end-user in, as opposed to back-office out.
Data Subjects: Focusing on the User
At the heart of the GDPR is the mandate that every user of a service be put in control
of their own data. This objective in itself presents a challenge to enterprises that may
lack a homogenous model to manage their many users, or Data Subjects.
For instance, take the telecoms operator who provides wireless service to a
household. A Data Subject is a customer paying a bill. Data Subjects also include
individual adults and children who have wireless devices under the master bill. The
addition of a TV service would make the collective household an additional data
subject; digitally empowering these often overlapping subjects in a simple manner
could become exceedingly complex.
Before any thought of marrying Data Subjects to Data Controllers and Data
Processors, enterprises need to re-visit their identity management systems, ensuring
they have robust data models and processes to effectively create and manage a
single and seamless digital relationship with every one of their Data Subjects.
Data Controllers: The Privacy Control Point
Enterprises often need data as a pre-condition to service delivery. A bank may require
a date of birth for credit checks and online shops need delivery addresses. The
GDPR won’t interrupt these requirements, but will place emphasis on ensuring the
purpose of data collection is clearly understood, as is the retention policy of the data.
Those opportunistic about the discretionary use of personal data, however, should
be forewarned: with opportunity comes responsibility. Any data that is used for
marketing purposes, by enterprises or by 3rd parties with whom data is shared, will
be subject to explicit consent.
Those looking to own user relationships and manage personal data should embrace
the concept of a privacy control point, which allows them to act as an intermediary
between a user and the systems and (potentially) third parties holding data. Managing
digital identity and associated privacy may well become a strategic service unto itself.
Figure 1: The Interlock Between Data Subjects, Controllers & Processors
Following the data trail:
Data Subjects: Every user shall have the ability to easily view and govern access to all of their personal data.
Data Controllers: Enterprises must notify users of personal data needs and gain consent on data use.
Data Processors: Systems holding data must enforce the privacy and consent contract between the end user & enterprise.
Those enterprises creating trusted privacy control points could become the engines of the next generation data-driven economy.
Enterprises must ensure that end users can govern access to data across legacy and new systems.
Figure 2: Controllers will need an SDK to push/pull privacy to processors
Data Subjects use the Privacy Dashboard of the Data Controller (Privacy Control Point), which connects to Data Processor systems in two ways:
Push: Data Processors that cannot query the privacy control point will have consent pushed.
Pull: Data Processors that can query the privacy control point can verify consent.
Data Processors: Enforcing the User’s Consent
The domain of Data Processors is likely to overwhelm existing and
complex businesses. Enterprises have personal data resident in many
systems that were developed with no consideration of end user control.
Generating a singular view of data from system silos will most certainly
require a data federation layer at the privacy control point.
Perhaps even more constraining in downstream data processor systems
is the lack of ability to enforce an end user’s data preferences. A Data
Subject who wants to use a privacy dashboard to suspend the use of
their personal data in a campaign management system may be able to
initiate the request from a simple web interface. What is less clear as
enterprises move towards a privacy management solution is whether or
not the downstream Data Processor can accept and act on that request. In
essence, if not properly designed, the holistic privacy management
solution may be rendered ineffective due to the constraint of Data
Processor capabilities (Figure 2).
This drives an important architectural consideration for any privacy control
point. The intermediary system implemented by a data controller to
empower users' privacy must be able to abstract and communicate with
downstream systems via a flexible SDK in order to minimize
customizations needed at data processor end points.
Figure 3: The GDPR Will Result in Privacy Dashboards for Everyone
Privacy Perks: Erasure, Dashboards, COBO
The European Union has ensured the GDPR’s definition is not limited to a
technical-only scope. To properly serve the residents of the EU, the GDPR has added
some important user-centric requirements.
1. Erasure: Also known as the “Right to Be Forgotten”, erasure is the user’s
ability to request the deletion of all data not subject to legal retention. To
implement erasure, privacy control point systems must uniformly delete
data in multiple systems based on one request.
2. Dashboards: While not explicitly calling out the requirement for a privacy
dashboard, this is the essence of the GDPR. The only way to give users
easy access to, and control of their data, is to provide a privacy dashboard
for every individual (Figure 3).
3. Consent on Behalf of (COBO): As younger citizens are coming online
earlier and more prolifically than ever, the GDPR has implemented the
specific requirement for parents to consent and control data on behalf of
minor children.
The Importance of the User Experience
The GDPR makes no requirement or specification of user interface or experience,
other than to suggest the simplicity and ease of personal data control. Nonetheless,
these are critical elements of implementation if the GDPR is to be seen as a success
in the eyes of the EU citizen.
If users are to feel completely in control, then they must believe they can easily
engage with data controllers in creating and managing their digital identities and
associated data. Users must also feel a sense of comfort and trust in engaging with
enterprises that wish to leverage personal data.
The success of the GDPR relies on a holistic solution, one that can manage the
privacy lifecycle of the end user and the data that is produced by the
services they consume.
Time is of the essence. A packaged solution that delivers the processes, platform
and user interfaces needed to represent the best interests of EU citizens will ensure
the success of the GDPR. In turn, it will allow enterprises to personalize and monetize
user data in new ways.
Figure 4: Capturing Every User Interaction to Personalize the Experience
The Challenge: New Enablers & Old Systems
The GDPR hits established enterprises at a time when they are already embracing or
contemplating responses to digital disruption.
The need to build trusted digital relationships where every user can self-manage their
privacy consent and settings is another call to action to engage every digital user
(Figure 4). User privacy is an extension of a user-driven digital world.
We remain in the age of the digital user.
Implementing user-driven privacy is an opportunity for any enterprise doing business
in the EU to be a trusted and credible controller of personal data. Those that
effectively capitalize upon the opportunity will be the digital leaders of tomorrow.
Figure 4 labels: User Engagement, User Access, User Control, User Privacy, User Personalization
II. ENABLING USER MANAGED PRIVACY
User Lifecycle Management: An Elegant Solution for GDPR Compliance
Introduction
Implementing a solution to GDPR compliance shouldn’t create the same disruption that a
lack of compliance is bound to bring. To that end, solutions that overlay the underlying
constraints and complexities of legacy systems must be considered. In the end, the right
overlay will bring time to market, robust capability and cost efficiencies not possible with
back end customizations and bespoke software development. Existing identity
management systems must be enhanced with new capabilities supporting digital
households and their end users, with role management for consent of minors. New
user-centric models should federate disaggregated and disparate personal data from
processor systems, which must converge at a new and purpose-built layer. Finally,
communication between Data Controllers and the many downstream processors must be
done by a single and extensible orchestration gateway that pre-empts customization to
legacy systems (Figure 5).
Figure 5: The Stages of Managing the User Lifecycle
Stages shown: Onboard, Authenticate, Entitle, Authorize, Unify, Personalize, Group, Share, Capture, Manage
Figure 6: User managed privacy dashboard
Managing the User’s Privacy Lifecycle
UXP Systems’ User Lifecycle Management enables a full privacy lifecycle for
individuals by starting with the end user in mind, and implementing new capabilities
for these users to create and manage trusted, flexible and empowered relationships
with data controller enterprises. By managing the full lifecycle of users, households
and groups, ULM goes beyond constrained customer systems to enable
relationships with every individual.
Normalizing Personal Data & Presenting a Unified Dashboard
The User Lifecycle Management (ULM) platform innovates above legacy systems to
abstract and federate personal data held in multiple downstream Data Processor
systems to derive one singular dashboard for every individual Data Subject. By
layering a flexible, user-centric data model above underlying systems, ULM enables
the Privacy Control Point architecture so critical to effectively enforce privacy
agreements between users and enterprises.
Recognizing that a Data Subject may be represented by various aliases, the ULM
data model is extensible to reflect the many ways in which a subject may be stored
by an enterprise, including:
Individual, represented by a username or e-mail address
Customer, represented by a household address or account number
Device, represented by a phone number or device ID
Minor, represented by their consenting guardian
UXP Systems’ User Lifecycle Management privacy module further implements
an out of the box and configurable privacy dashboard that encompasses the
key elements of the GDPR, including:
Purpose: to ensure every data element has a configurable field to
explain the necessity (or lack thereof) and use of data collected
Consent: to enable end users to grant or revoke – in real time – the
right for enterprises to collect and use discretionary personal data
Erasure: to permit the allowable deletion of personal historical data
Transfer: to govern the use of collected data by 3rd parties.
The UXP Systems’ ULM Solution for User Managed Privacy
User Lifecycle Management combines a robust lifecycle management solution to
extend constrained identity models with a user-centric data model and dashboard to
enable GDPR compliance in a seamless overlay over legacy systems. Moreover, with
its innovative Service Gateway, it provides abstraction, normalization and
bi-directional communications to systems of record holding personal data. It is an out
of the box and pace-layer solution to a national imperative.
Figure 7: Bridging the Gap Between Data Subjects and Data Processors
About UXP Systems
UXP Systems is the leader and pioneer in User Lifecycle Management (ULM). Our
platform evolves digital identity, user entitlements and personalization to bring
traditional and emerging enterprises the capabilities to service every digital user,
seamlessly. ULM has been selected and implemented by some of the world’s largest
enterprises to ensure they remain relevant in a disrupting world, with user-centric
solutions covering User Managed Privacy, Digital Transformation, Digital and Cloud
Services, Seamless Entertainment and the Connected Home.
For more information, please contact info@uxpsystems.com
or visit www.uxpsystems.com/privacy
Figure 7 diagram labels: Data Subject Domain, Data Controller Domain, Data Processor Domain; Privacy Dashboard; ULM Process Library Layer; ULM Service Gateway; ULM Core Data Model & Utilities; ULM IdP; Data Adapters