© 2017 ForgeRock. All rights reserved.
GDPR Is Coming In Hot: Top Burning Questions Answered To Help You Keep Your Cool
Eve Maler @xmlgrrl
VP Innovation & Emerging Technology, ForgeRock
Sean Doherty @SeanD0herty
Analyst, Workforce Productivity & Compliance Channel, 451 Research
July 25, 2017
451 Research is an information technology research & advisory company
• Founded in 2000
• 300+ employees, including over 100 analysts
• 1,000+ clients: technology & service providers, corporate advisory, finance, professional services, and IT decision makers
• 50,000+ senior IT professionals in our research community
• Over 52 million data points each quarter
• 4,500+ reports published each year covering 2,000+ innovative technology & service providers
• 451 Research and its sister company Uptime Institute comprise the two divisions of The 451 Group
• Headquartered in New York City with offices in London, Boston, San Francisco, Washington D.C., Mexico, Costa Rica, Brazil, Spain, U.A.E., Russia, Taiwan, Singapore, and Malaysia
Research & Data | Advisory Services | Events
GDPR: when and where?
• Effective and enforced on May 25, 2018, replacing the 1998 Data Protection Directive (95/46/EC).
• The regulation requires member countries to follow and enforce the GDPR without passing local legislation.
• The regulation applies to:
1. The processing of personal data from the activities of an establishment of a controller or processor in the EU; or
2. A controller or processor not established in the EU, where personal data collection and processing is related to the offering of goods or services to data subjects in the EU, or the processing monitors data subjects' behavior in the EU.
GDPR definitions
Personal data means any information relating to an identifiable natural person (data subject), i.e., one that can be identified, directly or indirectly, from a name, identification number, location data, online identifier or other factors specific to the physical, genetic, economic, or social identity of the data subject. Art. 4(1).
Processing means any operation performed on personal data, such as collection, recording, organizing, and storing. Art. 4(2).
A controller is a person or organization that determines the purposes and means of processing personal data. Art. 4(7).
A processor is a person or organization that processes personal data on behalf of a controller. Art. 4(8).
GDPR effect: not a butterfly but a bee
Violations of the GDPR can cost up to €20m in fines or up to 4% of a controller’s or processor’s previous year’s worldwide revenue.
Requires data controllers and processors to hire a data protection officer for regular and systematic monitoring of data subjects on a large scale.
Mandatory data breach notifications to data subjects within 72 hours of the breach.
Gives EU residents more control of their personal data:
• Prohibits data processing beyond its specified purpose.
• The right to correct (rectify) and delete (erasure) or be forgotten.
• Withdraw consent to data processing.
Data subjects, and nonprofit organizations on behalf of data subjects, can bring actions directly against data controllers and processors for GDPR violations.
© Teguh Mujiono
The EU General Data Protection Regulation: It’s different this time
• Firm deadline, big penalties, high aspirations…and viral
• “Data protection” encompasses a wide variety of data transparency and data control requirements
https://www.flickr.com/photos/adpowers/16808090/ | CC BY 2.0
Take steps
• Identify intersections between digital transformation opportunities and user trust risks
• Conceive of personal data as a joint asset
• Lean in to consent
• Take advantage of identity and access management for building trust
We asked what you wanted to know – and you let us have it
https://www.flickr.com/photos/infomastern/11459954985/ | CC BY-SA 2.0
Q1. My company interacts with end-users directly and holds user account data. When sending such data from Australia to, say, the US, what regulation applies: Australia, US, EU...?
Q2. What is the relation of Privacy Shield to GDPR?
Q3a. Does GDPR require that I store data about my customers in the country it was collected in?
Q3b. How does it work in the ForgeRock Identity Platform to store identity profile data within a specific region?
The ForgeRock Identity Platform
[Architecture diagram: Directory Services (DS), Access Management (AM), Identity Management (IDM), Identity Gateway (IG) and Common Services (CS). Capabilities shown: Authentication, Authorization, Provisioning, Reconciliation, Authentication, OIDC/OAuth, Federation, Adaptive Risk, Stateless & Stateful, UMA Provider, Mobile App, User Self Service, Workflow Engine, Registration, Single View of Customer, Synchronization, Password Management, Password Replay, SAML, Token Transformation, UMA Protector, API Security Throttling, Common Scripting, Common Audit/Logging, Common User Interface, Common REST API, LDAPv3 Replication, REST/JSON, Access Control, Schema Management, Caching, Auditing, Monitoring, Groups, Password Policy, AD Pass Through, Reporting.]
Data sovereignty and fractional replication
Global User Profile (has all user attributes)
Regional replica:
• Contains a subset of the complete user profile
• Fractional replication within each jurisdiction
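Added illustration, not ForgeRock code: a toy model of the fractional-replication idea on this slide, using a constructed user profile and hypothetical per-jurisdiction include lists. It shows that attributes outside a region's list never reach that region's replica, even on later updates, and includes a leak check a defender can run against the replicas.

```python
# Constructed sample: one global user profile holding every attribute.
GLOBAL_PROFILE = {
    "uid": "jdoe",
    "mail": "jdoe@example.com",
    "cn": "Jane Doe",
    "telephoneNumber": "+1-555-0100",
    "nationalId": "ID-000-111",      # constructed; must stay in the home region
    "healthPlanCode": "HP-42",       # constructed; must stay in the home region
    "preferredLanguage": "en",
}

# Hypothetical fractional-replication policy: each jurisdiction's replica
# receives only the attributes listed for it (an include list).
FRACTIONAL_INCLUDE = {
    "eu": {"uid", "mail", "cn", "preferredLanguage"},
    "us": {"uid", "mail", "cn", "telephoneNumber"},
}


def fractional_replica(profile, include):
    """Project the full profile onto the attributes a region may hold."""
    return {attr: val for attr, val in profile.items() if attr in include}


def replicate(global_profile, policy):
    """Build one fractional replica per jurisdiction from the global profile."""
    return {region: fractional_replica(global_profile, attrs)
            for region, attrs in policy.items()}


def apply_update(global_profile, replicas, policy, attr, value):
    """Writes land on the global profile; only regions whose include list
    names the attribute see the change, so excluded data never propagates."""
    global_profile[attr] = value
    for region, replica in replicas.items():
        if attr in policy[region]:
            replica[attr] = value
    return replicas


def leaked_attributes(replicas, policy):
    """Defender's check: report any attribute held by a region's replica
    that its include list does not permit (e.g. after a misconfiguration)."""
    leaks = {}
    for region, replica in replicas.items():
        extra = set(replica) - policy[region]
        if extra:
            leaks[region] = sorted(extra)
    return leaks


if __name__ == "__main__":
    replicas = replicate(GLOBAL_PROFILE, FRACTIONAL_INCLUDE)
    print("EU replica:", replicas["eu"])
    print("leaks:", leaked_attributes(replicas, FRACTIONAL_INCLUDE))
```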
Q4. If a US employee of my organization uses a VPN connection back to the home office while in another office that’s located in the EU, what regulation applies: US, EU…?
Q5a. What do data encryption techniques have to do with GDPR?
Q5b. How does it work in the ForgeRock Identity Platform to encrypt and protect identity attributes?
Many layers of protection for personal data
[Diagram spanning Directory Services (DS), Access Management (AM), Identity Management (IDM), Identity Gateway (IG) and Common Services (CS), listing the following protections:]
• On-disk encryption of data and indexes
• Access controls to prevent unauthorized users from reading data
• Encrypted backups
• Tamper-proofed audit logging, depending on the “sink” chosen
• Logging only of the user identifier, not of profile content
• Token proof of possession available to ensure the bearer is the rightful owner
• Signing and encryption for JWTs, id_tokens, SAML assertions, UserInfo responses
• Contextual authorization
• Encryption of credentials and profile attributes
• Encryption or hashing of data during synchronization
• Contextual authorization
• Message header encryption
Q6. Does an individual have a “right to update” data?
Q7. If my organization has shared end-user data with a third party, and our end-user asks for it to be deleted, whose responsibility is it to delete it?
Q8a. When does GDPR say I have to go back to an end-user and ask for their consent to process their data again after collecting it a first time?
Q8b. When is it possible to ask for an end-user’s consent using the ForgeRock Identity Platform?
Moments of consent
• Registration time
• Authentication time
• Access approval (asynchronous)
Q9a. I’ve heard my organization will have to change all of our consent collection practices because of GDPR – is that true?
Q9b. What consent lifecycle management capabilities does the ForgeRock Identity Platform have?
Single view of the consumer
Giving the consumer a single view of their consents
Giving the consumer control over their consents
● Lifecycle management of a user profile and their data sharing preferences
● Secure storage of profile data
● Anonymized syncing of profile data and connector-based integration to third-party systems
● Terms of service and privacy policy capture
● Social sign-in
● Social registration
● Social consent management
● Interoperable, user-driven, proactive and reactive sharing flows
The holistic view of consent lifecycle management
Patient selectively sharing IoT health data with doctors and other caregivers with User-Managed Access (UMA)
[Screenshots: Patient view | Doctor view]
Granular consented access by accountant to bank customer’s account data and transactions
Q10a. What does GDPR say about parental consent, and what is the age of majority?
Q10b. What are the capabilities of the ForgeRock Identity Platform regarding parental consent?
Typical parent/child account relationship and capabilities
Parent/Guardian Account
• Can self-register
• Can create and manage age-constrained accounts
• Full schema and permissions
• Access approval options, e.g. through UMA constrained delegation
Child Account
• Not allowed to self-register
• Jurisdictionally defined age-constrained account
• Limited schema and permissions
We’d like to show you what we’ve got cooking
https://www.flickr.com/photos/carree/2502801336/ | CC BY-ND 2.0
Profile and Privacy Management Dashboard: It’s all about self-service for…
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Convenient and centralized data protection, transparency, and control
demo
Thank You! Questions?
Eve Maler
VP Innovation & Emerging Technology, ForgeRock
@xmlgrrl
Sean Doherty
Analyst, Workforce Productivity & Compliance Channel, 451 Research
@SeanD0herty
summits.forgerock.com