The General Data Protection Regulation (GDPR), which comes into effect in May, establishes strict controls on how organisations handle the personal data of EU citizens, and the consequences for non-compliance are steep: up to 4 percent of your global annual revenue or €20,000,000, whichever is greater.
Key Technical Requirements of GDPR
GDPR requirements are spelled out in the legislation’s articles, and many of these articles relate to how data is collected, stored, accessed, modified, transported, secured and erased. These requirements are very broad but can be briefly summarised as follows:
Erasure: The data subject has the right to ask the controller to “forget” or erase all personal data (article 17).
Consent: The controller needs to seek and record consent from the data subject for collection, storage and use of personal data (articles 7, 8, 9).
Data Access & Rectification: The data subject can access the personal data that was collected and make corrections and updates (articles 15, 16).
Data Portability: The data subject has the right to receive, in a portable form, the personal data a controller has collected about them (article 20).
Data Security: The controller must design systems to secure personal data by adopting appropriate technical and organisational measures (article 32).
Data Protection by Design: The controller must design systems to protect personal data integrity based on risk (article 25).
Challenges GDPR Creates for Organisations
Many organisations are finding full compliance with GDPR challenging due to several main factors:
Inadequate Consent: The baseline level of consent in the past, such as opt-out consent, is no longer sufficient under GDPR.
Silos of Data: Personal data may be stored across multiple systems, such as analytics, CRM and order management systems, which makes it much harder to meet GDPR requirements such as data access and portability.
Lack of Governance: Data access must be governed for every application through centralised data access governance policies that take consent, privacy preferences and corporate requirements into account; where such policies are missing, each application enforces its own rules.
Weak Application Security: Customer identifiable information that is fragmented and not secured at the data layer is vulnerable to breach.
Limited Self-service Access: Customers must be able to self-manage their profiles and preferences, and these must be enforced across all channels and devices.
How CIAM Helps Solve GDPR Compliance
The aforementioned challenges may be daunting, but they are surmountable with a robust customer identity and access management (CIAM) solution. CIAM not only helps your organisation solve many of the challenges that GDPR presents, but also goes beyond the requirements to yield secure, convenient and personalised customer experiences.
Unified Customer Profiles (addresses articles 15, 16, 17, 20, 25): CIAM syncs and consolidates data silos through tools such as real-time or scheduled bi-directional sync, the ability to map data schemas, support for multiple connection methods/protocols and built-in redundancy, failover and load-balancing.
Easy Consent Capture and Management (addresses articles 7, 8, 9): CIAM simplifies consent capture across multiple channels and enables you to drill down to consent capture for specific attributes. It also allows you to enforce consent choices based on geographic, corporate, industry or other policies. In addition, many CIAM systems enable transaction consent and approval, an important multi-factor authentication (MFA) use case. Lastly, CIAM allows the customer to revoke consent at any time.
Self-managed Customer Profiles (addresses articles 15, 16): CIAM enables customers to see and make edits to their data, thanks to pre-built user interfaces and APIs, and enforces their preferences across all channels and devices.
Data Access Governance (addresses article 32): CIAM provides fine-grained, attribute-by-attribute control so that internal and external applications are allowed access to only the particular subset of identity attributes necessary.
Global Namespace Control (addresses article 25): CIAM allows you to achieve “data residency” by routing data to the appropriate place with a proxy server, set up partial data synchronisations and maintain partial copies of your data where appropriate, and govern the data that applications can receive on an attribute-by-attribute level, based on policy.
Secure Customer Data (addresses article 32): CIAM contains a slew of centralised, data-layer security features including data encryption in every state (at rest, in motion and in use), limits on record access, tamper-evident logging, active and passive alerts, integration with third-party monitoring tools and much more.
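The attribute-by-attribute access governance and per-attribute consent described above, as an added illustration that is not Ping Identity code: the application allow-list, the consent records, the decision time and the sample profile are all constructed for this example, and the policy decision releases an attribute only when both the application's policy and the subject's current consent permit it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample policy (hypothetical, not any product's configuration): each application
# is entitled to only the attributes it needs, and only for one stated purpose.
APP_POLICY = {
    "order-mgmt": {"purpose": "fulfilment", "attributes": {"name", "email", "shipping_address"}},
    "analytics": {"purpose": "analytics", "attributes": {"email", "country"}},
}
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed decision time for the example

@dataclass
class Consent:
    attribute: str  # recorded per attribute and per purpose, so it can be checked that finely
    purpose: str
    granted_at: datetime
    revoked_at: Optional[datetime] = None
    def active(self, now: datetime) -> bool:
        return self.granted_at <= now and (self.revoked_at is None or now < self.revoked_at)

@dataclass
class Profile:
    attributes: Dict[str, str]
    consents: List[Consent] = field(default_factory=list)

def has_consent(profile: Profile, attribute: str, purpose: str, now: datetime) -> bool:
    return any(c.attribute == attribute and c.purpose == purpose and c.active(now)
               for c in profile.consents)

def attributes_for(app: str, profile: Profile, now: datetime) -> Dict[str, str]:
    """Release an attribute only if the app's allow-list includes it AND the data subject holds an
    unrevoked consent for that attribute and the app's purpose; unknown apps are denied outright."""
    policy = APP_POLICY.get(app)
    if policy is None:
        raise PermissionError(f"no data access policy for application {app!r}")
    return {a: v for a, v in profile.attributes.items()
            if a in policy["attributes"] and has_consent(profile, a, policy["purpose"], now)}

def revoke_consent(profile: Profile, attribute: str, purpose: str, when: datetime) -> None:
    """The subject withdraws consent; decisions taken from `when` onward stop releasing it."""
    for c in profile.consents:
        if c.attribute == attribute and c.purpose == purpose and c.revoked_at is None:
            c.revoked_at = when

def sample_profile() -> Profile:
    """Constructed sample data subject: consents cover fulfilment fully, analytics for email only."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    return Profile(
        attributes={"name": "A. Subject", "email": "a@example.com", "shipping_address": "1 Example St",
                    "country": "IE", "phone": "+353 1 000 0000"},
        consents=[Consent(a, "fulfilment", t0) for a in ("name", "email", "shipping_address")]
                 + [Consent("email", "analytics", t0)])
```

Note that "phone" is never released to either application (no policy entry) and "country" is never released to analytics (no consent), so two independent conditions both have to pass before an attribute leaves the profile store.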
The right CIAM solution can help you meet many of the technical requirements of GDPR—all while providing the opportunity to get closer to your customers, building trust, loyalty and engagement along the way. To learn more, please visit www.pingidentity.com/GDPR.