For today’s digital businesses, being prepared to meet new compliance requirements for storing and managing consumer data will not only minimize risk, but also enable more valued and trusted customer experiences that drive increased loyalty, engagement and revenue. To gain a better perspective on this issue, it is important to understand:
- The trends driving governmental regulatory shifts and the basic tenets of these new laws
- The challenges faced by executives across the enterprise when managing privacy compliance for consumer data
- The emergence of cloud-based solutions that help businesses manage privacy compliance by acting as end-to-end customer data storage and management solutions that are far more scalable and flexible than legacy systems
We all know that innovation is generally accompanied by regulatory efforts
that aim to ensure that technology serves the public’s best interests.
Take for example the growth of aviation, which spawned not only the airline industry, but also the FAA
and a complex set of regulations for safety and efficiency. Similarly, think about the introduction of
broadcast television, cable, and finally broadband internet. Each drastically changed the landscape of
mass communications, and each effectively triggered an overhaul of regulatory organizations’ charters.
So it is with the rise of big data and the digital transformation of the world economy, but we are still in
the early days of this new reality. Regulators thus far have struggled to keep up with the breakneck
pace that today’s business leaders are setting for customer-focused innovation. The resulting disparity is
making privacy compliance in the digital enterprise a nerve-wracking subject for decision makers.
The following map illustrates the current fragmented state of international data protection and privacy
regulations around the globe.
[Map: Global Privacy Compliance: Navigating a Landscape of Risk. Legend for Data Protection Laws: Most Restricted; Restricted; Some Restrictions; Minimal Restrictions; Effectively no Restrictions; No Legislation or no information; Government Surveillance may impact privacy.]
Executive Summary
As companies collect more customer data to drive digital transformation efforts, consumers and
the governments that represent them have growing expectations around transparency in how their
data is collected, and the laws that govern the usage and reporting of this data. Any stakeholder
for their organization’s digital strategy must understand these new requirements, particularly
executives deciding how their organizations collect, manage and monetize customer data.
This paper will help you to understand the global data privacy landscape and what steps you
should take to meet the customer data challenge while fulfilling the requirements of these new
regulations. Preparing now for upcoming consumer data privacy laws will minimize risk for your
business while enabling a better customer experience that inspires trust and loyalty.
Let’s recap how we got here.
Taming the Wild West
Companies are spending more hours and budget every year on technologies that can differentiate
their brands, with a particular focus on improving the customer experience. Meanwhile, regulatory
organizations around the world tend to move at a glacial pace relative to business innovation, and
that has led to some questionable conduct around the handling of consumer data, such as the
now infamous Target data mining disaster of 2012.
On top of this, worldwide social and economic turmoil, cybercrime, governmental overreach and
many other factors have conspired to create an unbalanced and risky global landscape for doing
business. A quick look at a timeline of technological developments alongside key regulations puts
the past 20 years or so in perspective.
In particular, the events of September 11, 2001 began a chain reaction that has resulted in a
completely different perspective by many governments than they previously had on the subject
of data privacy. The attacks coincided with the rise of huge social networks and a surge in data
breaches, and precipitated a massive shift in U.S. security policies. This eventually led to stunning
2013 revelations about the National Security Agency’s surveillance of a wide range of private
citizens’ data, foreign and US-based alike.
Since then, the so-called “Snowden effect” has rippled outward, leading to concerted efforts
among governments, industries and private consumer advocacy organizations to establish stricter
guidelines and more enforceable regulations for consumer data privacy.
[Figure: timeline of technological developments alongside key regulations, 1995 to 2018.
Events: WWW, AOL, eBay, Google/SFDC, Facebook, iPhone, Twitter, Big Data, Internet of Things, 9/11 Attacks, WikiLeaks Founded, Snowden Disclosures, TK/TJ Maxx, Heartland, Sony PSN, Target, eBay, MySpace, LinkedIn, VK (“Russia's Facebook”), Anthem, U.S. Voter Database.
Regulations: EU Directive on Data Protection, Safe Harbor, U.S. DP Laws Tighten, Safe Harbor “Invalid”, GDPR Ratified, Privacy Shield Approved, GDPR Takes Effect.]
S&R’s Pain
Given this situation, let’s take a moment to consider
the plight of today’s Security & Risk (S&R) teams.
Charged with managing threat assessment and risk
strategy for a growing laundry list of departmental
objectives, from back office operations to
innovation-driven business enablement, increasingly
beleaguered enterprise S&R teams must often work
within the constraints of a static budget.
But this looming cloud has a silver lining. As more
layers of the enterprise stack are opened to the outside
world to drive new business capabilities, consumer
privacy is no longer solely the concern of S&R leaders,
but increasingly an important consideration for every
member of the executive team.
To capitalize on the promise of bleeding-edge marketing, sales and service technologies,
businesses must have a means to collect and manage consumer data at scale while remaining in
compliance with international privacy and data protection regulations. This means that the drive
toward innovation to grow new revenue is intimately connected with the need to safely handle
consumer data, unlocking a new angle for underfunded chief privacy and information security
officers to lock down their organizations and gain a new foothold in the boardroom.
By reaching out to other C-suite stakeholders to solve the challenge of balancing privacy and
personalization in the customer experience, forward-thinking S&R leaders can play an important
role in guiding strategy while securing more budget for their team.
[Diagram: areas of S&R responsibility: Risk Management; Security Operations; Identity Management; Legal & Human Resources; Governance; Project Lifecycle (PMO); Compliance & Audit; Planning & Budget; Business Enablement.]
“As more and more marketing professionals and line-of-business stakeholders become involved in discussions with S&R professionals on how to formulate and implement a successful CIAM strategy, they bring not only their usability concerns but also their budget.” [1]
– Forrester
1. Forrester, Market Overview: Customer Identity And Access Management (CIAM) Solutions, Maxim, Cser, August 4, 2015
Why Managing Consumer Privacy Matters
Now More Than Ever
Let’s look at three major drivers pushing enterprise executives to address their privacy
compliance strategies.
Data Residency and Security
In the new “age of the customer”, every enterprise is global, but regional and national data laws —
including those that define where consumer data must be stored and processed — vary widely. While
this makes it increasingly tricky to serve international customer bases, businesses are unlikely to
give up massive audience segments because of legal hurdles; there is simply too much to gain. Still,
the reality is that the risk of non-compliance is very real, its parameters are shifting, and brands must
manage it to reap the rewards of serving multi-national customer bases.
For example, on September 1, 2015, the Russian Federation’s Personal Data Protection Act went
into effect. The bill mandates that companies that maintain online properties serving Russian
citizens must store those citizens’ data within Russian borders. This means that, ostensibly, any
online business with Russian customers must maintain or leverage a data center there or risk the
consequences of non-compliance. The new regulation reflects a trend toward data localization, with
a growing list of countries recently adopting this type of policy.
Business Enablement
Security architecture, operations, governance, and other “lights-on” functions remain vital roles for
IT, but let’s face it, digital innovation is driving the business, and privacy compliance has become an
essential element in virtually every technology in the stack. As innovative executives embrace new
tech, they will invariably face new challenges for securing consumers’ personal data as it is tapped by a
growing list of applications and services.
Meeting the needs of every business unit while keeping the company in compliance with international
data protection and privacy regulations is a balancing act that will require out-of-the-box thinking for
leaders across the entire enterprise.
“In 2016, short-sighted firms will make the mistake of thinking that privacy is only about meeting compliance and regulatory requirements at the lowest possible cost, while enlightened ones will recognize it’s actually a way to build better customer relationships — built on trust.” [2]
— Forrester
2. Forrester, Predictions 2016: The Trust Imperative For Security & Risk Pros, Shey, Iannopollo, Murphy, et al., November 9, 2015
Emerging Data Protection Standards
Regulators who initially lagged in reacting to the implications of digital
transformation are now beginning to catch up — particularly in Europe.
The General Data Protection Regulation (GDPR) was signed into law by
EU regulators in April 2016. It is undoubtedly a document of profound
historical significance, with at least one European Commissioner explicitly
stating that it was part of an effort to set a global standard.
The framework of the law includes detailed categorical requirements for handling of data,
organizational structure, system maintenance and communication between data processors and
consumers, as well as between businesses and regulatory officials. A clear theme throughout,
however, is increased transparency about how consumer data is collected and used, highly relevant
to companies with digital strategies that employ multiple third-party solutions for marketing, sales or
service initiatives.
Perhaps the most striking (and startling) element is the enforcement implication, with fines in large
enterprise cases of up to the greater of €10 million or 2% of annual turnover for some violations, and
the greater of €20 million or 4% of annual turnover for others, depending on the type of violation.
This stark fact alone has placed privacy compliance management among the top priorities for digital
businesses this year.
Europe isn’t alone in setting up stricter data protection and privacy standards. In the U.S., there
are some new players coming into the world of privacy and data protection and enforcement,
including the FCC, SEC, CFPB and even state insurance regulators. With some relatively
aggressive enforcement activity recently, such as the FTC’s $100 million action against LifeLock,
we assume that significant shifts in the American regulatory landscape are imminent. Meanwhile,
the status of EU-U.S. data-transfer legality is still in question, with the officially approved Privacy
Shield framework still being questioned by some European consumer privacy groups at the time
of this writing.
“The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades. Organisations simply cannot afford to fall behind. We know data protection officers understand this, and we know they sometimes find their views ignored in the boardroom. The new law gives directors 20 million reasons to start listening.” [3]
— ICO
3. ICO, 20 Million Reasons for Organisations to Get EU Data Reforms Right, 14 March 2016
How Have Businesses Been Managing Consumer Data?
Now, let’s explore how consumer identity data has typically been managed in the past, and some
new strategies for managing the risks of handling that data.
Employee-Focused Technologies and Strategies Don’t Work
Despite the breathtaking pace of advancements in customer experience-driven technologies,
many large companies still rely on legacy, employee-facing IAM systems that they’ve used for a
decade or more to handle consumer information. The problem with this is that the prevailing trend of
self-service onboarding and profile management for users connecting from outside the enterprise
firewall was never something these systems were designed to address.
The problem is magnified when attempting to use employee IAM systems to integrate consumer
data into third-party marketing, service and sales technologies, since these legacy systems were
primarily designed to connect business users to internally-facing business applications. Not
only that, but those integrations were focused on federation, or seamless authentication across
business apps, not on identity data management and synchronization across systems.
The truth is that employee IAM systems typically have difficulty scaling dynamically to meet
consumer demand and the rigors of the identity of things (IDoT), essential for enabling complex
interactions between the smart, connected devices of today and tomorrow. They also struggle to
incorporate the wide variety of unstructured data needed to enable personalization and to handle
the increasingly complex task of managing global data protection and privacy compliance.
Customer-Focused Solutions Do Work
For these reasons and more, the past several years have seen rapid adoption of identity
management solutions specifically built to manage consumer data. Customer Identity and
Access Management (CIAM) is a rapidly growing industry, with cloud-based, API-driven providers
increasingly gaining traction as more businesses realize the potential CIAM has to drive new
business value while mitigating cost and risk.
Eighty-two percent (82%) of brands in Forrester’s US Customer Experience Index (CX Index™) got “OK” scores or worse from their customers in 2016. [4]
4. Forrester, The US Customer Experience Index, 2016, July 18, 2016
A Better Way to Manage Consumer
Data and Privacy Compliance
CIAM can benefit your top line, enabling better digital strategy based on delivering trusted and
seamless customer experiences and relationships. It also provides a vital layer in the stack for
managing many aspects of privacy compliance for consumer data. As part of their core offerings,
best of breed CIAM platforms provide:
• Support for compliance with regional privacy and data protection regulations for consumer data,
as well as with the terms of service of social networks and other identity providers
• Multiple regional data centers, to ensure that any relevant data localization requirements are
met
• Industry-standard security for physical data storage, encryption, API transactions, application
development and more
It’s now essential for businesses to meet governmental requirements when handling consumers’
personal data. Let’s look at how top CIAM providers help manage the trickiest aspects of PII data
protection and privacy compliance as part of their core offerings, particularly around user consent
and data control requirements.
Managing PII Data with CIAM
The new EU regulatory framework, along with many other new regional data protection
regulations, has specific requirements about how, when, and in what manner a user’s consent
must be acquired and disclosed in order to collect that user’s personal data. The most important
and complex requirements surround user consent and data control:
Consent Is King
The GDPR specifies a number of rules regarding obtaining consumer consent when gathering their
PII. Businesses must always obtain verifiable consent from users before collecting and utilizing
their personal information. To address this, top CIAM providers offer customizable user interfaces
to communicate what data will be collected and how it will be used in the most transparent way
possible for each context. This includes privacy notices and terms and conditions, marketing
opt-ins and account preferences, as well as functionality that supports the “right to be forgotten” —
consumers’ ability to withdraw consent at any point.
Data controllers must also provide proof of user consent upon request by regulators, and
consistently remain in line with the current legal terms of any region from which personal data is
collected and managed. The best CIAM solutions store current terms of consent and individual
identifiers for each user, so proof is always at hand. Beyond this, CIAM specialists provide
functionality for handling minimum age of consent requirements, which can vary widely by country.
Control Is (Also) King
Best-of-breed CIAM providers can also help brands meet regulatory requirements for how data
is controlled. For one, strict new data localization laws are part of a growing trend. This presents
an obvious challenge to businesses that leverage on-premises data centers to manage consumer
data, but even large cloud providers can come up short in situations such as the one in Russia,
since many large cloud-based storage providers such as AWS have no presence there.
Then, the GDPR has strict requirements about giving consumers access to and control of their
personal data. At any point, users must be able to autonomously export, delete, edit and freeze
processing of the information in their profiles. Leading CIAM providers offer customizable
registration and profile management workflows and other specialized functions that ensure
consumers remain in control of their data. Robust rules engines fulfill requirements for data
processors to store only data that is absolutely necessary to enable the functionality of the
relevant application or service; for example, the ability to delete user profiles if no login activity is
detected for a period of time.
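As an added illustration of the consent and data-control requirements described in the two sections above (example code written for this edit, not code from the original paper or from any CIAM vendor), the following Python sketch keeps a versioned consent history per user, enforces a hypothetical per-region minimum age of consent, answers a request for proof of consent against the region's current terms, and implements withdrawal, export, erasure and an inactivity purge. The region codes, terms versions, age thresholds and two-year retention limit are constructed values, not real legal thresholds.

```python
from dataclasses import dataclass, field, asdict
from typing import Optional

# Hypothetical per-region (current terms version, minimum age of consent); constructed values.
REGION_TERMS = {"DE": ("tos-v3", 16), "US": ("tos-v3", 13), "RU": ("tos-ru-v2", 14)}
# Constructed data-minimisation rule: purge profiles with no login for 2 years (seconds).
INACTIVITY_LIMIT = 2 * 365 * 24 * 3600

@dataclass
class ConsentRecord:
    terms_version: str  # which legal text the user agreed to
    granted_at: int  # UNIX time consent was given
    withdrawn_at: Optional[int] = None

@dataclass
class Profile:
    user_id: str
    region: str
    last_login: int
    processing_frozen: bool = False
    consents: list = field(default_factory=list)  # full history, never overwritten

class ConsentLedger:
    def __init__(self) -> None:
        self.profiles: dict = {}

    def register(self, user_id: str, region: str, age: int, now: int) -> Profile:
        terms, min_age = REGION_TERMS[region]
        if age < min_age:  # minimum age of consent varies by country
            raise PermissionError(f"{region} requires age >= {min_age} to consent")
        profile = Profile(user_id, region, last_login=now)
        profile.consents.append(ConsentRecord(terms, now))
        self.profiles[user_id] = profile
        return profile

    def proof_of_consent(self, user_id: str) -> Optional[ConsentRecord]:
        """Unwithdrawn consent to the region's current terms, or None if stale/absent."""
        profile = self.profiles[user_id]
        current_terms, _ = REGION_TERMS[profile.region]
        for record in reversed(profile.consents):
            if record.withdrawn_at is None and record.terms_version == current_terms:
                return record
        return None

    def may_process(self, user_id: str) -> bool:
        profile = self.profiles.get(user_id)
        if profile is None or profile.processing_frozen:
            return False
        return self.proof_of_consent(user_id) is not None

    def withdraw(self, user_id: str, now: int) -> None:
        """User withdraws consent: close open records and freeze further processing."""
        profile = self.profiles[user_id]
        for record in profile.consents:
            if record.withdrawn_at is None:
                record.withdrawn_at = now
        profile.processing_frozen = True

    def export(self, user_id: str) -> dict:
        return asdict(self.profiles[user_id])  # self-service data export

    def erase(self, user_id: str) -> None:
        self.profiles.pop(user_id, None)  # self-service deletion, "right to be forgotten"

    def purge_inactive(self, now: int) -> list:
        """Data-minimisation rule: drop profiles with no login within the limit."""
        stale = [u for u, p in self.profiles.items() if now - p.last_login > INACTIVITY_LIMIT]
        for user_id in stale:
            self.erase(user_id)
        return stale
```

Because every consent record is kept rather than overwritten, the ledger can show a regulator both the terms version a user agreed to and when that agreement was withdrawn.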
Be Responsible - For Your Success
Beyond requirements for handling consumer PII, it’s important for businesses to remain
compliant with the terms of service of any social networks or other identity providers that they
leverage for today’s essential social login functionality. Then, there are additional regulations
intended to minimize poor business practices such as spamming, and others to ensure
accessibility for all users.
Social Networks
Social networks and other identity providers require that businesses authenticating
consumers using social credentials adhere to their current terms of service (TOS). Top
CIAM platforms help businesses maintain compliance with these terms, for example, by
facilitating the deletion of non-public data for users who revoke data access permission
for a particular social app.
Anti-Spam
Modern email service providers (ESPs) are the workhorses of today’s digital
marketing organizations. ESPs enable large scale campaigns that are targeted to
highly specific audience segments. This personalization returns results orders of
magnitude better than old-school “spray and pray” campaigns, but modern marketing
necessitates compliance with regional anti-spam requirements, which vary widely
from country to country.
Effective CIAM solutions enable brands to focus on consent-based, first-party
data, rather than purchased third-party lists, so audience segments are built from
known and trusted customers instead of anonymous lists of email addresses. CIAM
providers also offer flexible and customizable features for opt-in and opt-out that can
help tailor compliance strategy for international marketing initiatives, helping brands
build bigger audiences while respecting consumer privacy and building trust with
their customers.
Disability Compliance
Of course not all compliance requirements are tied to how user data is stored and
managed. It’s important to address all types of compliance when planning a CIAM
implementation, including accessibility. For example, the W3C’s Web Content
Accessibility Guidelines (WCAG) ensure that web users with visual impairments or
other disabilities have the same access to content as non-disabled users, and are
enforced by the U.S. (via the ADA) and many other governments around the globe.
Leading CIAM providers help businesses comply with accessibility requirements
by offering out-of-the-box flows that, for example, enable vision-impaired users
to navigate registration and authentication processes using only their keyboards.
This not only ensures compliance, but also eliminates the overhead of building
WCAG-compliant workflows from scratch.
Looking Forward
For now, the world will have to wait to see how the GDPR, the newly ratified EU-U.S. Privacy Shield
data transfer framework, and numerous other recent regulatory initiatives will shake out in terms
of real-world application and enforcement. Regardless of outcomes though, we believe the smart
move for businesses is to start developing a well-planned strategy for managing privacy now.
“All in all, there is one factor that will prove whether the GDPR is a true game changer. What will make a real difference is the number of directors sitting on boards of all sizes who, in some cases for the first time, pay attention to data protection. It is early days but my guess is that from now on, privacy will be a regular feature on the agenda of many boards. Including yours.” [5]
– Eduardo Ustaran
5. Eduardo Ustaran, Chronicle of Data Protection, January 4, 2016
While there are certainly variables that will unfold over time, the FTC and European authorities have
already established some clear guidelines that S&R and line-of-business leaders can use to begin
addressing privacy management in a meaningful way. As part of this, it’s vital to consider the way
your business collects and manages consumer data. Here are some important questions to ask
yourself when assessing your company’s maturity in this regard:
Is your registration and authentication solution:
• Built for the consumer use case, with an appropriate balance between usability and security?
• Customizable, to enable multi-factor and risk-based strategies for high-risk transactions?
• Able to provide social login functionality for users in areas where Facebook, Google+ and other western-dominant networks are not widely used?
Does your profile and preference management solution:
• Leverage multiple data centers to allow you to collect and unify a wide variety of first-party consumer data in a safe and compliant way?
• Provide self-service access to profile data so users can view, edit and delete information collected from them, as well as accommodate opt-in/opt-out and consent requirements that can vary widely by region?
• Adhere to ISO 27018:2014 standards for data storage and transmission and application development?
Once consumer data is collected, does your identity management solution:
• Enable non-technical users to easily analyze and derive meaningful insights from your data?
• Offer pre-built integrations with a variety of third-party technologies to drive marketing, sales and service initiatives without the need for custom connectors and constant updates?
• Include open API and ETL tools for enabling real-time integration with virtually any third-party application?
If the answer to some or most of these questions is “no” or “maybe”, it may be time to consider the
option of a cloud-based CIAM platform. Readiness for the future of data privacy requires flexibility
above all, and a specialist in customer identity management can help you build a foundation for
managing consumer data that continuously evolves to serve global markets and the needs of your
business, while helping to keep you and your customers safe in an uncertain world.