In a recent blog article I took a generic look at the new General Data Protection Regulation (GDPR) proposed by the European Commission. I promised to follow up with a sequel. Apart from a few exceptions, sequels are tough. Aliens was a pretty good sequel, so I hope I can rise to the challenge.
First I need to write a disclaimer. This blog will not be an exhaustive list of examples of how to achieve compliance. I will look at the GDPR from the Identity and Access Management (IAM) perspective and explain where IAM can help you move towards the spirit and intent of the regulation.
Before going into the details, I would like to make sure you know what GDPR is. Read my previous blog and maybe even the very extensive summary from IAPP. A recent study conducted by Trend Micro showed:
- 20% of IT decision makers in the UK were unaware of the GDPR
- 29% didn’t think the GDPR would apply to their organization
These are worrisome numbers. If your organization is handling personal data, i.e. you have customers, you need to take a look at the GDPR. It would be good to see a similar survey conducted among IT decision makers of companies outside the EU, because the GDPR will apply to any and all companies who a) offer goods or services to EU residents, or b) monitor the behavior of EU residents.
Let’s move to practical examples of some of the major goals of the GDPR. Most of the GDPR relates to processes and agreements, but information security technologies have their role to play in helping enterprises comply with the regulation. The regulation is long and complicated, and no one knows yet how the clauses will actually be interpreted in the courts. These are suggestions for organizations and people who are dealing with the issue of data protection in general. You don’t have to be from the EU to benefit from these tips; your business could gain a competitive advantage or compliance no matter where you are. But I will try to relate some of the benefits of IAM to the main themes of the GDPR.
Over the years we’ve had customers with several repositories or places where they store, manipulate and manage customer information. With all of them, the move towards a harmonized and unified approach to external identities has generated considerable cost savings by reducing the support and maintenance cost of several different systems and thereby simplifying the management tasks. It has also made the life of the customer much easier.
An example: a large international provider that operates across different verticals and has multiple brands. They offer services and sell goods ranging from grocery shopping, hotels, restaurants and service/gas stations to hardware stores, catering etc. Some of these operate under a unified brand, but some have been formed under a different brand over the years through acquisition or for other reasons. Many of the verticals have their own online services.
The GDPR outlines a few themes that are related to consolidation of user data. If we use the above example and consider that the data controller is the enterprise entity operating all these brands and verticals, there are distinct advantages in consolidating the user data.
Right to erasure
Right to erasure is one of the easiest to pick. If you’ve consolidated your user data, it’s easier to comply with the end user’s request when they want to have their data erased.
User control of own data
Control of your own data was already in the previous directive, but now it’s becoming even more important. Without consolidation and unified identity and access management, end users would have to register and manage their own information at each online service separately. This creates frustration among the customers. In the spirit of the GDPR it would be better to have a single place where data subjects (users) can verify and manage their information.
When users want to change providers and take their data with them, complying with this request will be much easier if you have consolidated the data. Data portability is one of the GDPR requirements.
Intelligent Identity Single Sign-On and Federation
One of the areas where competent Identity Provider products excel is authorization. In a normal environment, enterprises such as the previously mentioned provider are running multiple different online services for their customers. These should be connected to the centralized Identity Provider. The optimal scenario, of course, is that the end user does not have to log in multiple times; instead they can move between the services in a single sign-on fashion. The role of the Identity Provider is three-fold:
1. Taking care of authentication of the end users (data subjects)
Depending on the online service and its purpose, different authentication methods might be implemented. A login to the retail store site can use a lower level of assurance (LoA) method than the online banking site.
2. Sending the correct set of identity attributes of the user to the online service
Again, depending on the nature of the online service, the needed attributes may vary. The Identity Provider will make sure that the minimum viable set is sent to the online service and not the whole catalogue of attributes that might be available. This is especially important if the identity travels beyond the EEA borders. The set of identity attributes can also include the information that the user has objected to profiling, which under the GDPR the data subject can do at any point, even if they have given their explicit consent before.
3. Facilitating the new concept of pseudonymization introduced by the GDPR
While the Identity Provider may have access to user data in clear text/identifiable format, which is needed in many cases, an authorization policy can be created where the Identity Provider makes sure that the data attributes are “scrambled”, so that the information sent out can be considered unidentifiable.
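To make roles 2 and 3 concrete, here is an added example of my own (not code from CustomerID or any other product): a small attribute-release policy that sends each online service only its allowed attributes, carries the profiling objection along, and swaps the subject for a per-service HMAC pseudonym while dropping direct identifiers when the service sits outside the EEA. The service names, policy, key and user record are all constructed for the illustration.

```python
import hashlib
import hmac

# Constructed release policy (hypothetical service names): the attributes each
# online service may receive and whether the service sits outside the EEA.
RELEASE_POLICY = {
    "retail-store": {"attributes": {"email", "first_name"}, "outside_eea": False},
    "online-banking": {"attributes": {"email", "first_name", "last_name", "date_of_birth"},
                       "outside_eea": False},
    "partner-analytics": {"attributes": {"email", "loyalty_tier"}, "outside_eea": True},
}
# Attributes that identify a person directly; never released outside the EEA.
DIRECT_IDENTIFIERS = {"email", "first_name", "last_name", "date_of_birth"}
# Constructed key; a real IdP would keep this in a key store or HSM.
PSEUDONYM_KEY = b"constructed-idp-secret-key"


def pairwise_pseudonym(user_id, service, key=PSEUDONYM_KEY):
    """Keyed, non-reversible subject id that differs per service, so two
    services cannot correlate the same user by comparing subjects."""
    return hmac.new(key, f"{service}:{user_id}".encode(), hashlib.sha256).hexdigest()[:32]


def build_assertion(user, service, policy=RELEASE_POLICY):
    """Return the attribute set the IdP releases to `service` for `user`."""
    rule = policy.get(service)
    if rule is None:  # unknown relying parties get nothing at all
        raise ValueError(f"no release policy for service {service!r}")
    allowed = set(rule["attributes"])
    if rule["outside_eea"]:
        # 3. pseudonymization: scramble the subject and drop direct identifiers
        allowed -= DIRECT_IDENTIFIERS
        subject = pairwise_pseudonym(user["id"], service)
    else:
        subject = user["id"]
    # 2. minimum viable set: only what the policy allows and the record holds
    assertion = {k: v for k, v in user["attributes"].items() if k in allowed}
    assertion["subject"] = subject
    # a profiling objection always travels with the identity
    assertion["profiling_objected"] = bool(user.get("profiling_objected", False))
    return assertion


SAMPLE_USER = {  # constructed user record
    "id": "u-1001", "profiling_objected": True,
    "attributes": {"email": "anna@example.org", "first_name": "Anna", "last_name": "Example",
                   "date_of_birth": "1990-01-01", "loyalty_tier": "gold"},
}

if __name__ == "__main__":
    for svc in RELEASE_POLICY:
        print(svc, build_assertion(SAMPLE_USER, svc))
```

Running it shows the retail site receiving only email and first name under the real subject, while the non-EEA partner gets the loyalty tier under a pseudonym it cannot link back to the banking or retail identity.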
“Yes I agree”
The new regulation requires unambiguous consent from the users in certain cases. The definition of unambiguous is… erm… a bit ambiguous. In certain cases explicit consent is required. The role of the family comes into play here as well: matters related to children may sometimes require the consent of a parent, and in some cases the family should not be involved. With me so far? The bottom line is that consent pops up throughout the regulation, and you should consider how you are going to implement it and how you are going to let the end users manage their consents.
Through self-service interfaces, users can manage their identity attributes as well as the consents they have given. If companies need to be absolutely sure that unambiguous consent has been received, IAM products can be used to stop the end user, for example during the federation process when they are moving from one service/domain to another and their identity attributes follow them.
User driven federation
Something called “User Driven Federation” (UDF) is a technology used to combine two or more different identities together. An example would be combining a social media identity with the existing provider identity and thus giving end users a very convenient way to access the service using their social identities. During the pairing process, users can be stopped and required to give their consent for this particular operation (which they can revoke later on if they wish).
IAM products to manage authorization
IAM products such as our CustomerID are tools for managing authorization or consent. In a family situation a parent can simply log in to the management portal and give consent (authorization) to the children. But this applies even better in a B2B environment, where the online service provider’s business customers can manage their authorizations themselves. A supervisor can authorize an employee to access the provider service in a certain role. If the employee accepts this responsibility, they log in to the CustomerID portal and explicitly accept this authorization, with all actions leaving a trail in the logs. Either the employee, the supervisor or the provider can revoke these authorizations. Another aspect of CustomerID is that the access privileges (and data) can be tied to contract information stored in the CRM. Once the contract expires, the access privileges and the data can be erased, if need be.
GDPR is not the only regulatory change demanding attention from enterprises. Payment Services Directive 2 (PSD2) might affect your operations, eIDAS creates a framework for cross-border digital identities and the new ePrivacy directive is now gathering comments. Identity and Access Management can help your organization meet certain parts of these regulations. Contact us to hear more.