The General Data Protection Regulation (GDPR) is making businesses rethink and redefine their CIAM strategies. This slide deck discusses the key challenges and best practices when building a GDPR-compliant CIAM strategy.
The Role of GDPR in Customer Identity and Access Management
1. The Role of GDPR in Customer Identity and Access Management
Rushmin Fernando
Technical Lead, WSO2
2. About Us
● Mountain View, Colombo, New York, London, São Paulo, Sydney
● Founded in 2005
● Venture backed by Cisco and Toba Capital
● 500 employees; 300 engineers
● 450+ customers, 170+ new customers in 2017
● Profitable
9. How Did It Start?
The evolution of digital transformation brought CIAM into existence.
10. Digital Transformation
● Organizations allow their customers to consume services or goods using digital technologies
● In the beginning it was a nice-to-have feature
● Then it became a differentiator
● Now it is a survival factor for some businesses
12. Customers like it when vendors recognize them and remember their buying patterns.
13. How Is This Done in the Online World?
By asking customers to say who they are (authenticate) and collecting their usage data.
16. Nature of Traditional IAM Tools
● Traditional IAM tools are designed to be used inside organizations
● They don't need an intuitive UX
● They don't need to handle a huge number of users
● They don't need strong authentication, on the assumption that the systems are not exposed externally
19. Customers Expect...
● To avoid re-login when using different portals from the same organization (Single Sign-On)
● Intuitive UX
● Omnichannel access
22. GDPR - A Bird's Eye View
● What is GDPR
● Objectives of GDPR
● Impact of GDPR
● Privacy Principle
● Individual Rights
● Consent Management
23. What is GDPR?
● GDPR is a legal framework adopted in the European Union (EU) in 2016, which replaces the earlier Data Protection Directive (DPD)
● GDPR comes into effect on May 25, 2018
● GDPR applies to any organization that processes the personal data, or monitors the behavior, of individuals residing in the EU
24. Objectives of GDPR
● Recognizes protection of personal data, and control over its processing, as a fundamental right of the individual
● Defines personal data broadly, covering more than the traditional notion of Personally Identifiable Information (PII)
● Free movement of personal data within the EU
● Provides business organizations certainty about which personal data processing activities are permitted
25. Impact of GDPR
● Any business that delivers goods or provides services to individuals living in the EU is affected, regardless of whether the business is established in the EU
● Organizations processing personal data that cannot demonstrate GDPR compliance face financial penalties of up to €20 million or 4% of their worldwide annual turnover, whichever is higher
27. Individual Rights
● Right to be informed: provide transparency over how personal data is collected, stored, managed, protected, and processed
● Right to access: provide individuals access to their data and explain how they, and any supplemental data, are used
● Right to correction: correct any personal data that is incomplete or inaccurate
● Right to be deleted: remove personal data on request when there is no compelling reason to keep it
● Right to restrict processing: allow an individual's data to be stored but not processed
● Right to data portability: provide copies of all stored data in a portable format
● Right to stop processing: honor requests not to process an individual's data for specific purposes
● Reject automated decisions: comply with requests not to automate decision making using personal data
28. Consent
‘Consent’ from the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Article 4(11)
29. Consent Management
● Consent is one of the six lawful bases for personal data processing defined by GDPR
● It is the most common lawful basis for commercial businesses
● Where consent is the basis relied on, every processing activity, including collection, storage, and sharing, needs explicit and active consent from the individual
● Organizations must support complete consent lifecycle management so that individuals can review and revoke the consent they have given at any point
30. Key Concepts of GDPR
● Controller. A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
● Processor. A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
31. Key Concepts of GDPR
● Data subject. An identifiable natural person: one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
● Supervisory authority. An independent public authority which is established by a Member State
32. Key Concepts of GDPR
● Pseudonymisation. A data management procedure by which personally identifiable fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. The additional information needed to link a pseudonym back to a person (a lookup table or a key) must be kept separately and protected; as long as that information exists, the pseudonymised data is still personal data under GDPR
● Personal data breach. A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
● Data protection officer. Responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements
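The pseudonymisation definition above is easy to get wrong in practice, so here is an added example (not code from the deck or from WSO2) that shows the difference between replacing an identifier with an unkeyed hash and replacing it with a keyed one. It uses HMAC-SHA256 as the "additional information kept separately", which is one standard way to do this and is my choice, not something the slides specify. The customer records and the list of known email addresses an attacker might hold are constructed for illustration.

```python
"""Pseudonymisation of customer records: keyed vs. unkeyed identifiers.

Added example, not code from the deck. The pseudonym must depend on
additional information (here an HMAC key) that is stored separately from
the dataset. Sample customers and the attacker's "known emails" list are
constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed records: identifying fields plus the behavioural data the
# business actually wants to analyse.
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice", "purchases": ["shoes", "coat"]},
    {"email": "bob@example.com", "name": "Bob", "purchases": ["phone"]},
]


def naive_pseudonymise(record: dict) -> dict:
    """Replace the identifier with an unkeyed SHA-256 digest. The output looks
    opaque, but email addresses are guessable, so this is reversible."""
    pid = hashlib.sha256(record["email"].lower().encode()).hexdigest()
    return {"pid": pid, "purchases": record["purchases"]}


def keyed_pseudonymise(record: dict, key: bytes) -> dict:
    """Replace the identifier with HMAC-SHA256 under a secret key. Guessing
    emails no longer helps unless the attacker also holds the key."""
    pid = hmac.new(key, record["email"].lower().encode(), hashlib.sha256).hexdigest()
    return {"pid": pid, "purchases": record["purchases"]}


def reverse_unkeyed(pid: str, candidate_emails: Iterable[str]) -> Optional[str]:
    """Dictionary attack on the naive scheme: hash each plausible address
    (from a marketing list or a breach dump) and look for a match."""
    for email in candidate_emails:
        if hashlib.sha256(email.lower().encode()).hexdigest() == pid:
            return email
    return None


def reidentify(pid: str, key: bytes, candidate_emails: Iterable[str]) -> Optional[str]:
    """The party holding the key can still link a pid back to a person,
    which is why pseudonymised data remains personal data under GDPR."""
    for email in candidate_emails:
        cand = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(cand, pid):
            return email
    return None


def demo() -> dict:
    """Run both schemes against the same record and the same attacker list."""
    key = secrets.token_bytes(32)       # belongs in a key store, not beside the data
    other_key = secrets.token_bytes(32)
    known = [c["email"] for c in CUSTOMERS] + ["carol@example.com"]
    naive = naive_pseudonymise(CUSTOMERS[0])
    keyed = keyed_pseudonymise(CUSTOMERS[0], key)
    stranger = keyed_pseudonymise({"email": "dave@example.com", "purchases": []}, key)
    return {
        # Attacker with a customer list recovers Alice from the plain hash.
        "naive_reversed": reverse_unkeyed(naive["pid"], known),
        # The same attack against the keyed pid finds nothing.
        "keyed_reversed_without_key": reverse_unkeyed(keyed["pid"], known),
        # With the key, the controller can re-link the record to Alice.
        "keyed_reidentified_with_key": reidentify(keyed["pid"], key, known),
        # Same key, same pid: Alice's records can still be joined for analysis.
        "pid_stable_under_same_key": keyed_pseudonymise(CUSTOMERS[0], key)["pid"] == keyed["pid"],
        # A different key (e.g. per dataset or per partner) gives unlinkable pids.
        "pid_differs_under_other_key": keyed_pseudonymise(CUSTOMERS[0], other_key)["pid"] != keyed["pid"],
        # A subject absent from the candidate list is not named even with the key.
        "unknown_subject": reidentify(stranger["pid"], key, known),
    }
```

The point for a CIAM deployment: choose the keyed variant, keep the key in a separate system with its own access control, and remember that as long as the key exists you are holding personal data and the individual rights above still apply to it. Destroying the key is what turns the dataset from pseudonymised into effectively anonymised.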
35. How Would a CIAM Tool Help?
● Customer identities are managed centrally
● Therefore customer rights such as the 'Right to data portability' can be served from a single place
37. In Three Aspects
● Customer consent management
● Privacy by design and privacy by default
● User rights
38. Consent Management
● Customer consent plays a major role in GDPR
● There are requirements related to consent management:
− Consent design
− User onboarding based on active consent
− Ability to review given consent and to revoke it
− Ability to demonstrate proof of consent
− Consent per purpose
39. Consent Management
Consent requests from a CIAM solution should meet the design considerations mandated by GDPR:
− Informed
− Active opt-in
− Unbundled
− Named
− Easy to withdraw
− Granular
− Considerations for children's consent
41. Consent Management
Consent per purpose, with each purpose as its own separate opt-in:
− I would like to receive emails about special offers
− I would like to receive SMS messages about special offers
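Slides 38 to 41 list what consent management has to do (active opt-in, per-purpose granularity, review and revocation, proof of consent) without showing how those requirements fit together in a data model. The following is an added example, not code from the deck or from WSO2 Identity Server, of a minimal consent ledger that satisfies them; the purpose names are the two checkboxes from the slide, and the subject identifiers, channels and notice versions are illustrative assumptions.

```python
"""Per-purpose consent ledger with review, withdrawal and proof of consent.

Added example, not code from the deck or from any WSO2 product. Purpose
names, record fields and subject identifiers are illustrative assumptions;
a real deployment would persist this in an append-only store.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json

# Constructed purposes: named and unbundled, so a user can accept one
# without the other (the two checkboxes on the slide).
PURPOSES = {
    "email_offers": "I would like to receive emails about special offers",
    "sms_offers": "I would like to receive SMS messages about special offers",
}


def now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool          # True = opt-in, False = withdrawal
    at: datetime
    notice_text: str       # the exact wording shown to the user ("informed")
    notice_version: str    # which version of that wording was agreed to
    channel: str           # where it happened, e.g. "web_form", "account_portal"

    def receipt(self) -> str:
        """Fingerprint of the event: same event, same receipt. Stored with
        the event as evidence when asked to demonstrate proof of consent."""
        payload = json.dumps({**self.__dict__, "at": self.at.isoformat()},
                             sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def _record(self, subject_id, purpose, granted, channel, at, version):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        ev = ConsentEvent(subject_id, purpose, granted, at or now(),
                          PURPOSES[purpose], version, channel)
        self.events.append(ev)
        return ev

    def grant(self, subject_id, purpose, channel, at=None, version="v1"):
        return self._record(subject_id, purpose, True, channel, at, version)

    def withdraw(self, subject_id, purpose, channel, at=None, version="v1"):
        # Withdrawing is the same one-step action as granting ("easy to withdraw").
        return self._record(subject_id, purpose, False, channel, at, version)

    def is_permitted(self, subject_id, purpose, at=None) -> bool:
        """Point-in-time check: the latest event for this subject and purpose
        at or before `at` decides. No event means no consent (active opt-in,
        never a pre-ticked default)."""
        at = at or now()
        relevant = sorted((e for e in self.events
                           if e.subject_id == subject_id
                           and e.purpose == purpose and e.at <= at),
                          key=lambda e: e.at)   # stable sort: ties keep append order
        return bool(relevant) and relevant[-1].granted

    def history(self, subject_id):
        """What the customer reviews in the self-service portal."""
        return [(e.purpose, e.granted, e.at.isoformat(), e.receipt())
                for e in sorted(self.events, key=lambda e: e.at)
                if e.subject_id == subject_id]


def demo() -> dict:
    """Grant both purposes, later withdraw one, then answer audit questions."""
    ledger = ConsentLedger()
    signup = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.grant("user-42", "email_offers", "web_form", at=signup)
    ledger.grant("user-42", "sms_offers", "web_form", at=signup)
    # Granular withdrawal: SMS off, email untouched.
    ledger.withdraw("user-42", "sms_offers", "account_portal",
                    at=datetime(2018, 6, 25, tzinfo=timezone.utc))
    return {
        "email_now": ledger.is_permitted("user-42", "email_offers"),
        "sms_now": ledger.is_permitted("user-42", "sms_offers"),
        # Was an SMS sent on 2018-06-01 lawful? Consent was live then.
        "sms_on_june_1": ledger.is_permitted(
            "user-42", "sms_offers", at=datetime(2018, 6, 1, tzinfo=timezone.utc)),
        # Nothing recorded for this subject, so nothing is permitted.
        "stranger": ledger.is_permitted("user-99", "email_offers"),
        "events_for_review": len(ledger.history("user-42")),
    }
```

Two design choices matter here. Events are never edited or deleted, only appended, so the ledger can answer "what consent did we hold at the time we sent that message", which is the question a supervisory authority will ask. And the recorded notice text and version travel with each event, so a later change to the checkbox wording cannot silently alter what an earlier customer is taken to have agreed to.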
44. Privacy by Design and by Default
● Privacy by design means privacy protection is built into the architecture of a CIAM tool from the start rather than added afterwards, so the tool can respond to new security challenges in a timely manner without degrading the quality of the product.
● Privacy by default means the most privacy-protective settings apply without the customer having to do anything, for example collecting only the data a purpose needs and treating marketing consent as opt-in. It helps organizations guarantee customer privacy without much effort; a CIAM tool can also make sure that the crypto algorithms it uses are up to date.
45. Customer Rights via the User Portal
● Right to access
● Right to reject automated decisions
● Right to correction
● Right to be deleted
● Right to restrict processing
● Right to data portability
● Right to stop processing
47. Conclusion
● Customer profiling is key to an organization's digital transformation journey
● GDPR is a regulation that enhances customer privacy
● Therefore organizations face new challenges with customer profiling
● A proper CIAM tool can help you win the digital transformation battle in a GDPR-compliant manner