Implications of GDPR in Conjunction with UMA
0 likes518 views
The General Data Protection Regulation (GDPR) is an EU law that goes into effect on May 25, 2018 and has significant penalties for non-compliance. It applies to any organization that handles data of EU citizens and gives citizens more control over their personal data and how it is used. ForgeRock's Identity Platform can help organizations address GDPR requirements by providing tools for consent management, data protection, individual rights to access/rectification/erasure of personal data. Proper implementation of these tools is important for organizations to avoid penalties and make privacy a competitive advantage.
Implications of GDPR in Conjunction with UMA
- 1. © 2017 ForgeRock. All rights reserved. GDPR @hannsnolan ForgeRock Identity Platform! some of the more identity related components of the GDPR
- 2. © 2017 ForgeRock. All rights reserved. significant penalties for GDPR infractions start on May 25, 2018.
- 3. © 2016 ForgeRock. All rights reserved. GDPR is different, and FR is different • GDPR applies to every organization selling to or monitoring anyone in the EU • GDPR has a firm deadline (May ‘18), high penalties (4% of global turnover), and high aspirations (human rights) • Privacy tools assess/ensure compliance • GDPR tools target risk teams • We sell to digital teams • Who need to own and drive this challenge -- quickly -- so that it becomes a triumph vs. a tragedy
- 4. © 2017 ForgeRock. All rights reserved. Impact of GDPR some of the more identity related components of the GDPR • Consent for processing personal data • Proof of Consent (data & processing!) • Consent per purpose (including revocation) • DPO (Data Protection Officer) are required (e.g. external) • DPIAs (Data Protection Impact Assessment) under certain cir. • Data breach notification within 72 hours • Massive data control rights (forgotten, freeze, export rights) • Privacy by default • PLUS organizational/other requirements (out of scope here)
- 5. © 2017 ForgeRock. All rights reserved. What to take care of? • Personal Data • where is your data? -> least privileged? encryption? • Lawful Processing • law and IDM? YES -> user consent driven! • Individual's Right to Rectification, Export and Erasure • new requirement! Big challenger: export, erasure End user dashboards, registration journeys and consent frameworks will need updating!
- 6. © 2017 ForgeRock. All rights reserved. What is to do? End user dashboards, registration journeys and consent frameworks will need updating. Don't see it as a compliance exercise! The interesting aspect, is that privacy is now becoming a competitive differentiator.
- 7. © 2016 ForgeRock. All rights reserved. A holistic view of the ForgeRock Identity Platform Identity data governance; single view of the consumer Giving the consumer a single view of their consents Giving the consumer control over their consents ● Lifecycle management of user profile and data sharing preferences ● Secure storage of profile data ● Anonymised syncing of profile data and connector-based integration to third-party systems ● Data residency and fractional replication ● ToS and privacy policy capture at registration and authentication time ● Social/federated sign-in ● Social registration ● Social consent management ● Interoperable, user-driven, proactive and reactive sharing flows
- 8. © 2016 ForgeRock. All rights reserved. This is not an “UMA proposal” • UMA is one enabler of a suite of potential capabilities that build on our core platform strengths for a general strategic P&C capability • But it is an important enabler that plays into: • Cloud (loose coupling of APIs/services for building partner ecosystems) • Bilateral service<->user dialog required for ability to deliver explicit consent (stronger definition of consent required by GDPR) • Use cases especially favored by IoT use cases • We can call new/enhanced P&C capabilities/module(s) anything we like
- 9. © 2017 ForgeRock. All rights reserved. Technical Challenges • Holistic single view of the customer • Consent sharing (legacy backend apps!) • New innovations and trust (Container, Micro Services, Blockchain etc.) • Redesigning/Creating frontends/touchpoints • Keep customer data accurate and protected
- 10. © 2016 ForgeRock. All rights reserved. Building a (bilateral) trusted digital relationship -- a high-level proposal Single view of the customer Consent lifecycle management Giving the customer context, control, choice, and respect • Existing platform has many strengths • Benefits for compliance are under-marketed (can’t even attempt “right to be forgotten” if you don’t know where all the data is…) • We don’t have packaged solutions targeted to P&C challenges, just a “bag of tools” (KC’s CIAM report) • We don’t have direct P&C solutions today • GDPR has some requirements here • IDM, CAUD, and AM in concert have great potential • Consent Receipts, OAuth, and UMA are relevant standards • We have hints of solutions here (early UMA) • GDPR has some requirements here • UMA is a relevant standard
- 11. © 2016 ForgeRock. All rights reserved. Patient selectively sharing IoT health data with doctors and other caregivers Patient view Doctor view
- 12. © 2016 ForgeRock. All rights reserved. Granular consented access by accountant to bank customer’s account data and transactions 12
- 13. © 2016 ForgeRock. All rights reserved. Consent within IDM and Sync
- 14. © 2016 ForgeRock. All rights reserved. ForgeRock ForgeRock ForgeRockIdentity ForgeRock Forgerock.com Forgerock.com/blog Thank you
- 15. © 2017 ForgeRock. All rights reserved. Further Readings • GDPR at ForgeRock • Webinar with Eve Maler • Introduction ForgeRock Identity Platform • The Role of Identity by Simon Moffatt