© 2017 ForgeRock. All rights reserved.
GDPR
@hannsnolan
ForgeRock Identity Platform!
Some of the more identity-related components of the GDPR
Significant penalties for GDPR infractions start on May 25, 2018.
© 2016 ForgeRock. All rights reserved.
GDPR is different, and ForgeRock is different
• GDPR applies to every organization selling to or monitoring anyone in the EU
• GDPR has a firm deadline (May 2018), high penalties (up to 4% of global turnover), and high aspirations (human rights)
• Privacy tools assess and ensure compliance
• GDPR tools target risk teams
• We sell to digital teams, who need to own and drive this challenge quickly so that it becomes a triumph rather than a tragedy
Impact of GDPR
Some of the more identity-related components of the GDPR:
• Consent for processing personal data
• Proof of consent (covering both the data and the processing)
• Consent per purpose (including revocation)
• A DPO (Data Protection Officer) is required (can be an external one)
• DPIAs (Data Protection Impact Assessments) under certain circumstances
• Data breach notification within 72 hours
• Extensive data-control rights for individuals (right to be forgotten, freezing of processing, export rights)
• Privacy by default
• Plus organizational and other requirements (out of scope here)
What to take care of?
• Personal data
  • Where is your data? Is access least-privileged? Is it encrypted?
• Lawful processing
  • Does the law touch IDM? Yes: processing must be user-consent driven.
• The individual's right to rectification, export and erasure
  • New requirements; the big challenges are export and erasure.
End-user dashboards, registration journeys and consent frameworks will need updating!
What is there to do?
End-user dashboards, registration journeys and consent frameworks will need updating.
Don't see it as a compliance exercise!
The interesting aspect is that privacy is now becoming a competitive differentiator.
A holistic view of the ForgeRock Identity Platform
Three pillars:
• Identity data governance; a single view of the consumer
• Giving the consumer a single view of their consents
• Giving the consumer control over their consents
Capabilities:
● Lifecycle management of user profile and data-sharing preferences
● Secure storage of profile data
● Anonymised syncing of profile data and connector-based integration to third-party systems
● Data residency and fractional replication
● ToS and privacy policy capture at registration and authentication time
● Social/federated sign-in
● Social registration
● Social consent management
● Interoperable, user-driven, proactive and reactive sharing flows
This is not a “UMA proposal”
• UMA is one enabler of a suite of potential capabilities that build on our core platform strengths for a general strategic P&C (privacy and consent) capability
• But it is an important enabler that plays into:
  • Cloud (loose coupling of APIs/services for building partner ecosystems)
  • The bilateral service-to-user dialog required to deliver explicit consent (the stronger definition of consent required by GDPR)
  • Use cases especially favored in IoT scenarios
• We can call new or enhanced P&C capabilities or modules anything we like
Technical Challenges
• Holistic single view of the customer
• Consent sharing (legacy backend apps!)
• New innovations and trust (containers, microservices, blockchain, etc.)
• Redesigning/creating frontends and touchpoints
• Keeping customer data accurate and protected
Building a (bilateral) trusted digital relationship, a high-level proposal
Single view of the customer
• Existing platform has many strengths
• Benefits for compliance are under-marketed (you can’t even attempt the “right to be forgotten” if you don’t know where all the data is…)
• We don’t have packaged solutions targeted to P&C challenges, just a “bag of tools” (KC’s CIAM report)
Consent lifecycle management
• We don’t have direct P&C solutions today
• GDPR has some requirements here
• IDM, CAUD, and AM in concert have great potential
• Consent Receipts, OAuth, and UMA are relevant standards
Giving the customer context, control, choice, and respect
• We have hints of solutions here (early UMA)
• GDPR has some requirements here
• UMA is a relevant standard
Patient selectively sharing IoT health data with doctors and other caregivers
[Figure: Patient view / Doctor view]
Granular consented access by an accountant to a bank customer’s account data and transactions
Consent within IDM and Sync
Thank you
ForgeRockIdentity
Forgerock.com
Forgerock.com/blog
Further Readings
• GDPR at ForgeRock
• Webinar with Eve Maler
• Introduction to the ForgeRock Identity Platform
• The Role of Identity by Simon Moffatt

Implications of GDPR in Conjunction with UMA