GDPR: 365 Days and Counting - Customer IAM Could be the Fix
GDPR is an EU regulation that comes into effect a year from today, on May 25, 2018. This means that if you are an organisation that sells or markets to EU citizens, or for that matter collects any of their personal data, you have one year to come into compliance. Designed to improve privacy for EU citizens and to make it easier for organisations to comply with a single unified regulation, it also steeply increases the penalties for non-compliance, with fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.
GDPR has far-reaching operational and IT impacts on the organisations that are required to comply. Most organisations are looking for the most efficient way to check the compliance boxes, article by article, and it is true that every organisation will have to assess compliance gaps across all applications and databases that process or house personal data. But organisations that look for solutions beyond simple compliance have a chance to emerge as leaders of the next digital era.
Let's start by looking at some of the most critical IT requirements to baseline the minimum bar to meet the regulation:
All collection and processing of personal data requires explicit consent. To make matters more interesting, it must be use-based, meaning consent isn't just associated with each data attribute but with how that data will be used. Finally, it must be unbundled consent, meaning that a single checkbox covering a large set of data attributes will not suffice. And simply gaining consent isn't quite good enough; you also have to record and store it in an audit-friendly format.
Now that you have consent and have collected some personal data, you must give your customers a way to access that data and make corrections (rectification). Simple enough? Well, you also have to indicate the comprehensive list of recipients you have shared the data with, the storage period, and notices of their other rights.
OK, what happens if your customer wants to move their data to a competitor, or just wants you to forget they ever existed? Yes, you have to comply: give them a computer-readable version of their data in a common format, and even help them transfer it automatically to another processor (portability). And if they want you to delete their data, they have a 'right to be forgotten': you have to be able to certify that all of their personal data is gone and that you have notified any recipients of the erasure request.
Underpinning all of this, every one of your systems must be constructed to protect personal data 'by design and by default'. This starts with a requirement for encryption at all stages to satisfy pseudonymisation (yes, that really is a word!).
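To make the consent, access, portability and erasure requirements above concrete, here is a minimal consent ledger written for this post as an added illustration; it is not part of the original article or of Ping Identity's product, and every class, method and field name is my own assumption. Consent is recorded per attribute and per purpose (unbundled and use-based) in an append-only history, the export is a JSON document that includes the recipient list, and erasure returns a certificate naming the recipients that must be notified.

```python
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
@dataclass
class ConsentGrant:
    attribute: str     # one attribute per grant: consent is unbundled
    purpose: str       # one purpose per grant: consent is use-based
    granted: bool
    recorded_at: str   # ISO 8601 UTC timestamp, kept for audit

@dataclass
class CustomerRecord:
    subject_id: str
    data: dict = field(default_factory=dict)
    grants: list = field(default_factory=list)    # append-only audit trail
    recipients: set = field(default_factory=set)  # processors we shared data with

@dataclass
class ConsentLedger:
    records: dict = field(default_factory=dict)   # subject_id -> CustomerRecord

    def record_consent(self, subject_id, attribute, purpose, granted):
        rec = self.records.setdefault(subject_id, CustomerRecord(subject_id))
        stamp = datetime.now(timezone.utc).isoformat()
        rec.grants.append(ConsentGrant(attribute, purpose, granted, stamp))

    def may_use(self, subject_id, attribute, purpose):
        # Latest grant for this attribute+purpose wins; no grant means no consent.
        hits = [g.granted for g in getattr(self.records.get(subject_id), "grants", [])
                if (g.attribute, g.purpose) == (attribute, purpose)]
        return bool(hits) and hits[-1]

    def store(self, subject_id, attribute, value, purpose, shared_with=()):
        if not self.may_use(subject_id, attribute, purpose):
            raise PermissionError(f"no consent to use {attribute} for {purpose}")
        self.records[subject_id].data[attribute] = value
        self.records[subject_id].recipients.update(shared_with)  # who else gets it

    def export(self, subject_id):
        # Access/portability: machine-readable copy (JSON) with recipients and history.
        rec = self.records[subject_id]
        return json.dumps({"subject_id": rec.subject_id, "data": rec.data,
                           "recipients": sorted(rec.recipients),
                           "consent_history": [asdict(g) for g in rec.grants]})

    def erase(self, subject_id):
        # Right to be forgotten: drop the record and name every recipient to notify.
        rec = self.records.pop(subject_id)
        return {"subject_id": subject_id, "notify_recipients": sorted(rec.recipients),
                "erased_at": datetime.now(timezone.utc).isoformat()}
```

Withdrawing consent is just another appended grant with granted=False, so the audit history is never rewritten and the most recent decision governs future use.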
All of this can seem a little daunting, especially considering you have to comply with it all in just 365 days. The good news is that there is a ready-made solution - customer identity and access management (Customer IAM) - that not only meets these requirements, but can enable you to engage with your customers in new and innovative ways. Too good to be true? Gartner calls Customer IAM a digital relationship imperative and Ping Identity's Customer IAM solution provides secure and seamless customer experiences, with GDPR compliance as a pretty fantastic side-benefit.
Customer IAM solutions provide key capabilities that help meet the requirements of the regulation out of the box. In addition, some of the architectural best practices of Customer IAM will make compliance more cost effective and efficient. Finally, the right Customer IAM solution will help organisations turn this compliance challenge into an opportunity by providing a single, unified view of the customer, building trust, and enabling secure, seamless and personalised customer engagement.
Secure personal data from end to end with a fully encrypted and unified customer profile in a high-performance directory that can manage structured and unstructured data, scale to hundreds of millions of users, and support application access through secure REST APIs.
Centralise data-access governance policies and provide fine-grained control over which customer identity attributes can be accessed by internal and external applications. Gather and maintain consent for all collection and use of data.
Trigger second authentication factors (such as SMS or biometrics on a mobile device) based on an assessment of contextual or transactional risks. Integrate MFA functionality directly into your own customer-facing mobile app.
Give customers a consistent and secure SSO experience with one set of credentials across all digital properties including the convenience of social login.
Provide centralised control over access to customer-facing digital properties. Enable access policies to control access to entire applications, specific URLs or API endpoints.
The great news here is that if you use Customer IAM to fix your GDPR requirements, you will also give your business a single, unified view of your customers' data, allowing more informed business decisions to be made, and provide a secure user experience that leads customers to trust your business and show their loyalty. Focusing on these positive outcomes will gain support from the business and make the journey to compliance much more straightforward.
Don't just comply with GDPR - take this opportunity to strengthen your engagement with your customers and emerge as a leader. To learn more about GDPR and the role of Customer IAM, visit: https://www.pingidentity.com/gdpr.