The upcoming General Data Protection Regulation (EU GDPR) will change the requirements for managing consumers’ personal data across the globe. The regulation’s scope is broad and also affects organizations outside of the EU. Striking a balance between meeting the new regulatory requirements and effectively serving customers in the age of Digital Transformation mandates a shift from siloed consumer data management to centralized Customer Identity Management platforms that support the balance between compliance, user consent, and optimizing the customer experience.
In this white paper — commissioned by Gigya from European analyst firm KuppingerCole and prepared by Fellow Analyst Dr. Karsten Kinast and Lead Analyst Ivan Niccolai — you will learn about:
* The history, framework, implementation and scope of the EU GDPR
* Key compliance elements of the EU GDPR
* The implications of the EU GDPR on Customer Identity Management and best-practice recommendations for strategy and implementation
Compliance: The GDPR and Consumer Identity Management
1. KuppingerCole Whitepaper
Compliance: The GDPR and Consumer Identity Management
Report No.: 72602
GDPR and Implications for Customer Identity Management
With the upcoming EU GDPR (General Data Protection Regulation), the requirements for
managing personal data will change. The scope of the regulation is broad and also affects
organizations outside of the EU. Finding the balance between the new regulatory requirements
on one hand and the new requirements of managing customers in the age of Digital
Transformation mandates a shift from per-portal and per-application customer management to
centralized Customer Identity Management platforms that support the balance between
compliance, user consent, and optimally servicing the customer’s needs.
Dr. Karsten Kinast
kk@kuppingercole.com
Martin Kuppinger
mk@kuppingercole.com
Commissioned by
Related Research
#71529 Executive View: Gigya Customer Identity Management Suite
#72002 Whitepaper: Using Information Stewardship within Government to Protect PII
#72006 Leadership Brief: Your customer identities: How to do them right
#72015 Leadership Brief: Monetizing the Digital Transformation
KuppingerCole
WHITEPAPER by Dr. Karsten Kinast & Martin Kuppinger | September 2016
Content
1 Executive Summary ... p. 3
2 Research Highlights ... p. 4
3 The General Data Protection Regulation (GDPR) ... p. 4
    History and context: Why the GDPR was needed ... p. 4
    Existing framework ... p. 5
        EU Data Protection Directive ... p. 5
        E-Privacy Directive ... p. 5
    Implementation period and scope of application ... p. 5
4 Compliance: Key Elements of GDPR ... p. 6
    The definition of personal data ... p. 6
    The rules for obtaining valid consent ... p. 7
    4.1 Data Protection Officer (DPO) Appointment Requirements ... p. 7
    4.2 Mandatory Data Protection Impact Assessments (DPIAs) ... p. 8
    4.3 Data breach notification requirements ... p. 8
    4.4 Data Control and the right to be forgotten ... p. 8
    Technical and organizational security measures ... p. 9
    Privacy by default and by design ... p. 9
5 GDPR and Customer Identity Management ... p. 10
    Business requirements ... p. 10
    Principles to implement GDPR Requirements ... p. 11
    Finding the right balance ... p. 12
6 Summary and Recommendations ... p. 13
7 Copyright ... p. 13
1 Executive Summary
With the upcoming EU (European Union) GDPR, data protection and privacy requirements will change,
requiring that organizations take appropriate action. The GDPR has a very broad scope, and is thus
relevant not only to organizations within the EU, but also to organizations processing data of consumers
located within the EU.
The GDPR arose as a harmonization instrument in the field of data protection within the EU Member
States. The rapid development of new technologies has revealed the necessity to update the current
data protection framework in a way that addresses today’s reality with social networks and big data
technologies. The requirements for maintaining consumers’ privacy will be significantly more stringent
through the new framework. As an EU directive, the GDPR overrides local regulations, which will
subsequently need to be adapted.
There are a variety of new regulatory elements, including aspects such as mandatory consent, definition
of purpose for the use of personal data, and the right to be forgotten. To understand the impact that
the GDPR has on Customer Identity Management and the processing of customer data – which goes well
beyond Customer Identity Management and also affects CRM, ERP, and other business systems – it is
important to understand the key regulatory elements of the new law.
From a customer data perspective, it becomes ever more important to manage customer identities in an
efficient and well thought-out manner. The fundamental challenge is that customers have significantly
more rights than they ever had with any data protection regulation in the EU before. Thus, being able to
identify the customer – even when he is using different login credentials over time – is important not
only from a business perspective, but also from a compliance perspective. Obviously, meeting the
changing requirements is easier when various login credentials in use are correctly linked to a single
person. Beyond that, managing and respecting the user’s consent, his preferences, opt-ins and opt-outs
across all touchpoints becomes mandatory with the EU GDPR. Customer Identity Management is about
front-end challenges such as understanding the unique identity of a customer, but also challenges such
as enforcing consent decisions across all back-end systems.
From a technical perspective, the essence of the regulation can be framed in a single sentence:
Rely on platforms, not on coding
The days of constructing every customer-facing application and portal independently, with separate
identity management for each, are past. Efficiently handling customer identities, their consent, and their
context, to support business agility and to fulfil regulatory compliance requirements mandates using a
dedicated Customer Identity Management platform.
2 Research Highlights
● The upcoming EU GDPR, planned to go into effect May 2018, changes data protection and privacy
requirements – organizations must take action now
● Obtaining user consent for the purposes of personal data usage and managing proof of consent are
major elements
● Various principles such as the right to be forgotten and the right to revoke consent will be
implemented
● Organizations must improve their capability to manage user identities, consent, and context
3 The General Data Protection Regulation (GDPR)
The upcoming EU GDPR adds a number of new requirements for organizations dealing with personal
data, where personal data also includes information that allows indirect identification of customers. The
changes introduced by the EU GDPR mandate that organizations take action to comply with the regulation.
With the upcoming EU (European Union) GDPR, data protection and privacy requirements will change,
requiring that organizations take appropriate action. The GDPR has a very broad scope, and thus is
relevant not only to organizations within the EU, but also to organizations processing data of consumers
who are located within the EU.
Understanding the scope, content, and impact of the EU GDPR is essential for understanding the
concrete implications for organizations when dealing with Personally Identifiable Information (PII) in its
broadest sense. Of particular importance is the way organizations must handle consumer data in the
future.
History and context: Why the GDPR was needed
The GDPR arises as a harmonization instrument in the field of data protection within the EU Member
States. The rapid development of new technologies has revealed the necessity to update the current
data protection framework in a way that also addresses the new realities of the digital economy, such as
the near ubiquitous use of big data or the role social networks today play in communication and
collaboration. Consumers’ privacy will be enforced through the new framework. As an EU directive, the
GDPR overrides local regulations, which will subsequently need to be adapted.
While the GDPR strengthens overall data protection requirements in EU Member States, it also
harmonizes various existing regulations. Having more consistent data protection regulations across all
EU Member States than is the case today will make it easier for organizations to comply.
Existing framework
The Data Protection Directive 95/46/EC and the Directive on Privacy and Electronic Communications
2002/58/EC (E-Privacy Directive) constitute the current framework regarding personal data protection.
The current Data Protection Directive dates from 1995. Back then, the Internet was still in its early days.
There were no smartphones and no social networks existed at all. Big Data was still small and had far
from widespread adoption. The EU GDPR tries to catch up with the changes of the last 20+ years while
setting a standard for the upcoming years. Thus, the gap between the former directive, which could be
overridden to some extent at member state level, and the new EU GDPR, is quite significant.
EU Data Protection Directive
The EU Commission adopted the Data Protection Directive in order to harmonize certain aspects
established in the EU for the processing of personal data by data controllers (persons or organizations
who decide how and why personal data is processed) and data processors (persons or organizations
who process data on behalf of data controllers). However, certain relevant aspects, such as the
obligation to appoint a Data Protection Officer, to register the IT systems in use with the competent
authority, or to meet consent requirements, remained different between the various Member States.
This highlighted the necessity to update the existing framework in order to have a higher level of
harmonization within the EU, and to continue ensuring an adequate level of personal data protection.
E-Privacy Directive
The E-Privacy Directive complements the GDPR and imposes specific requirements regarding how
customers’ personal data is stored and collected by internet or telecommunications providers. A
formally reviewed draft of the E-Privacy Directive that is in line with the new scope of the GDPR is
expected soon. However, as pointed out, this specific directive only applies to certain defined industries.
Implementation period and scope of application
Organizations have a two-year time period, until May 25th, 2018, to implement the changes introduced
by the GDPR. Otherwise, significant fines may be imposed on organizations that have not reached the
minimum data protection level imposed by the new framework. This is a rather short period of time,
given that the GDPR might require significant changes to existing software implementations that are
handling data within the scope of the regulation.
Simply said: Continuing to do business with EU customers requires full compliance with the EU GDPR
One of the most interesting aspects of the GDPR is its broad scope. The GDPR is applicable to all data
controllers and data processors established in the EU, regardless of the location of the processing. But it
also applies to data controllers and processors established outside the EU, if the data subjects (whose
personal data is being processed) are located in the EU and the processing activities relate to the
offering of goods or services to EU data subjects or to the monitoring of their behaviour, if that
behaviour takes place in the EU.
This concretely means that every organization worldwide that is processing data of EU customers must
comply with the EU GDPR. Simply locating data centres outside of the EU and continuing as is will not be
sufficient. When it comes to dealing with customer data, the other theoretical option of simply not
serving EU customers most likely won’t be an option for most organizations.
Once again: Continuing to do business with EU customers requires full compliance with the EU GDPR.
4 Compliance: Key Elements of GDPR
There are a variety of new rules in place. These include the need for consent per purpose; breach
notification requirements; and principles such as the right to be forgotten. Not everything is new, but,
overall, the regulatory requirements are increasing significantly.
To understand the impact that the GDPR has on Customer Identity Management and the processing of
customer data – which goes well beyond Customer Identity Management and affects CRM, ERP and
other business systems – it is important to understand the key regulatory elements of the GDPR.
The definition of personal data
The GDPR applies to any processing operation that involves personal data. Personal data is any
information related to an identified person or that allows organisations to identify a natural person,
directly or indirectly. A person can be identifiable by name, an identification number, location data,
online identifiers or factors related to the physical, physiological, genetic, mental, economic, cultural or
social identity of that person. Customer data may refer to their bank account, IP-address, login data,
consuming habits that identify the individual, and more.
This definition is very broad, far broader than traditional definitions of PII. For instance, the definition
includes all tracking data that may allow the identification of an individual. In particular the aspect of
“identifying indirectly” is of importance, given that this is a very broad definition. In fact, all data
collected via the use of cookies, for instance, should be considered personal data that is in the scope of
the GDPR.
Implication: To meet these new requirements, it’s vital to have a “360-degree view” of each customer
and all the data associated with them. This calls for advanced profile management and the ability to
unify a wide variety of attributes and build accurate and complete profiles.
The rules for obtaining valid consent
Unless any other legal basis for processing personal data is in place, such as a contract or an obligation
imposed by law, consent is required prior to processing personal data. Consent will be deemed to be
valid if it is freely given, informed, unambiguous and consists of a statement or a clear affirmative
action. If the data is used for several purposes, the individual should give his/her consent for each
purpose.
From a marketing and customer identity perspective, this is about such aspects as consent to collect
data via cookies or other browser activities, opt-in and opt-out options, and so on. The most important
aspects are that consent must be given per-purpose and that consent must be given in an “informed”
way. Increasingly, organizations processing and storing personal data will need to be clearer about
the purpose of collecting data. In the end, many people will give their consent because they want to use
a particular service. This also involves proof of consent. There is a requirement to provide evidence as to
which exact terms each user has given consent for, and technical proof that the user did, in fact, agree.
Consent should be given per-purpose and the provider must provide “proof of consent”
These requirements quickly become complex in large organizations, where users have multiple channels
of access. Having a unique view on the identity of the consumer or customer and managing his
preferences and consent uniquely is critical for meeting this requirement.
Implication: In order to handle new consent requirements, flexibility in the identity management system
is necessary to enable customized registration and login flows that are compliant for each region
wherein the data controller is serving customers.
4.1 Data Protection Officer (DPO) Appointment Requirements
Currently, only a few countries regulate the appointment of a DPO. Under the GDPR, this will change
fundamentally. Organizations will have the obligation to appoint a DPO, wherever the processing
involves a large scale of special categories of personal data, or a systematic monitoring of individuals
takes place. The appointment of the DPO should be based on his/her professional qualities and expert
knowledge on data protection. This position can be held either by a member of the organization or by
an external professional. A single DPO may be appointed for a group of companies.
Implication: Organizations must evaluate whether they have to appoint a DPO and free up sufficient
budget. In particular, they will have to decide whether they prefer relying on an internal or external
DPO.
4.2 Mandatory Data Protection Impact Assessments (DPIAs)
As part of the risk-based approach of the GDPR, it will be obligatory to conduct DPIAs if the processing in
question is likely to result in high risk for the rights and freedoms of individuals due to the nature, scope,
context or purposes of the processing operations. This is the case in certain scenarios:
● If special categories of personal data defined in the GDPR are processed on a large scale
● If a systematic evaluation of personal aspects related to natural persons takes place that
is carried out using automated decisions
● If a systematic monitoring of publicly accessible areas takes place
Each DPIA must describe
● All processing operations and their purposes
● The necessity and scale of each process in relation to its intended purpose
● The potential risks to the rights and freedoms of the data subjects
● The technical and organizational measures that will be implemented
Implication: Beyond the necessity of a DPO, there is the need for defined assessments in a variety of use
cases. Internal audit must adapt its controls to these new requirements.
4.3 Data breach notification requirements
When a data breach impacting PII occurs, the appropriate Supervisory Authority must be notified by the
data controller within 72 hours of being made aware of the breach. If customer data that may impact
the rights and freedoms of consumers is affected by the breach, those consumers must also be notified.
Implication: Every organization must define and implement a process for both breach notification and
incident management, for handling incidents in an adequate and compliant manner. It’s important to
ensure that every vendor providing technology in a multiple solution stack can respond in a timely
manner to data breaches, and has a well-designed strategy for numerous contingencies.
4.4 Data Control and the right to be forgotten
The right to be forgotten has been recognized as an inherent right of data subjects. It stipulates that
individuals are entitled to request that data controllers erase their data upon request without undue
delay. However, this right can be exercised only if certain requirements are met. For example, if the
personal data is no longer necessary for the purposes for which it was collected, or the data subject
withdraws his or her consent.
There is even more than the right to be forgotten – data control is becoming complex
While there have already been many discussions, as well as lawsuits, regarding the right to be
forgotten, it will soon become more important. Organizations are well-advised to prepare for the
demand from customers to delete their data.
However, the right to be forgotten is not the only requirement in this category. New consumer rights
regarding control of user data are much broader, and also include the right to freeze data processing,
which is a new and quite complicated requirement to meet. Data subjects can request that the
processing of their data be frozen.
Another important new right is the right to export personal data and edit it. Again, this is not easy to
implement and can mean significant workloads for organizations dealing with personal data.
Implication: To ensure the ability of consumers to maintain control over their personal data, advanced
profile management should be employed, with appropriate end user preference management options
for freezing processing of, editing, exporting and deleting data.
Technical and organizational security measures
In addition to the legal requirements mentioned above, it is also essential that adequate technical and
organizational security measures are implemented according to the nature of the processing. These
measures may include pseudonymization and anonymization of personal data, confidentiality, integrity,
and resilience of processing systems, the ability to respond appropriately to incidents, and a regular
assessment of the efficacy of implemented technical and organizational security measures, for example
through regular IT-Security and Data Protection Audits.
Specifically, technical and organizational security measures should regulate access rights, admission
control, transmission control, input control, availability control and control over commissioned data
processing.
Again, these regulatory requirements can result in rather complex technical requirements that must be
met by organizations controlling and processing personal data. Technical and organizational security
measures are best implemented following established standards such as ISO27018.
Implication: It’s important to verify that any solution being leveraged to capture and manage customer
data maintains security practices and infrastructure that are industry certified for the appropriate
standards.
Privacy by default and by design
Finally, there is the requirement of Privacy by Default and by Design. Privacy by Design is a concept that
has been discussed for several years now. Basically, this is about creating applications in a way that
allows for flexibly enforcing privacy requirements, depending on both regulatory requirements and
customer consent. Privacy by Default, on the other hand, is about having privacy enabled by default, not
as something that can be achieved by customers only in a cumbersome way.
In sum, there are a significant number of requirements being introduced by the EU GDPR. While not
everything is new or even uncommon, it nonetheless requires organizations that are controlling and
processing personal data to rethink the way they are dealing with such data.
Implication: When assessing readiness for the GDPR, be sure that any solution in the stack that collects
and manages customer data can meet the specific requirements for the customer use case, especially
data privacy requirements. In the case of end-to-end solutions, be sure that they maintain strong
relationships with a range of technology partners that can easily integrate with their platform. Move
away from coding for customization and rely on standard technologies.
5 GDPR and Customer Identity Management
Finding the balance between business and compliance requirements becomes a challenge in the context
of the EU GDPR. Organizations have to manage customer (and other personal data) in a consistent way,
moving away from point solutions and building a strong foundation for Customer Identity
Management.
The focus of the EU GDPR is not only about customer data, although many of the new requirements
target social networks, search engines, eCommerce, and other customer-facing businesses. However, it
is important to bear in mind that the EU GDPR affects all personal data, including that of employees or
business partners.
Organizations need one view of customers’ identities, their consent, and their preferences – across all touchpoints
From a consumer data perspective, it becomes ever more important to manage customer identities in
an efficient and well thought-out manner. The fundamental challenge is that consumers have
significantly more rights than they ever had with any data protection regulation in the EU before. Thus,
being able to identify the customer – even when he is using different login credentials over time – is not
only important from a business perspective, but also from a compliance perspective. Obviously, meeting
the changing requirements is easier when various login credentials in use are correctly linked to a single
person.
Business requirements
The main requirements for implementing a Customer Identity & Access Management (CIAM) solution are
business-driven. While the EU GDPR is a business driver, due to the need to comply with the upcoming
regulation, there are other reasons that drive the adoption of Customer Identity Management.
In particular, as part of the so-called Digital Transformation, business models are changing, leading to a
closer online interaction with customers than ever before. Data collected by things and devices is one
important aspect of that evolution. Building long-term relationships with customers in a time of rapid
business model changes, as well as business partnerships, requires that customers are identified,
regardless of the login credentials they use. Understanding customer activities and behaviours is also
essential for optimally serving the customer.
When doing so, a number of requirements must be met:
● Customer-facing solutions must satisfy the customer, in terms of usability and ease-of-use, starting
with the support of a broad variety of authenticators (traditional registration, social login, biometrics,
and so on) and a seamless overall customer experience
● Solutions must be built in a way that allows for rapid adaptation to changing business requirements –
time-to-market is a critical success factor for every business
● Data models for customer data must be dynamic and adaptable, allowing businesses to store “what
is needed” for today’s and tomorrow’s business requirements
● Solutions must be highly scalable, particularly during peak times
● There must be one view of the customer across all customer-facing systems, but also flexible
integration with a multitude of backend systems
● There must be comprehensive support for managing user consent, opt-ins, and preferences, and
respecting these across every touchpoint the customer has with the organization
Customer-facing applications must be more flexible than ever. The days of creating independent
solutions that manage their own identities, implement their own approach to customer journeys, and
exist in isolation from other systems are long past. Customer identities are too important for businesses
in the Digital Age, and from a regulatory viewpoint – in the light of the upcoming EU GDPR – the need
for a unified, standardized Customer Identity Management infrastructure is no longer just an optional
and attractive approach, but a necessary one.
Principles to implement GDPR Requirements
The EU GDPR formulates, as has been stated above, a number of mandatory principles. Customer
Identity Management will not solve all of these requirements, but greatly supports compliance with
these principles. Overall, many of the essential principles of the EU GDPR mandate that organisations
have a good knowledge of customers’ identities. Knowing the person, being able to identify them when
they connect to systems, and in particular having one view of that person and their activities across
multiple systems makes it far easier to comply with many of the principles and requirements of the EU
GDPR such as:
● Consent and proof of consent
● Purpose limitation
● Right of erasure and to be forgotten
● Right to restriction of processing
● Right of data portability and right to edit data
● Notice obligations
● Safeguards for automated decision making, including profiling
For consent, it is recommended to have not only an IP address but also knowledge about the person that
gives consent (or does not). The same holds true for purpose limitation – the individual must agree not
only to the purpose of use for their personal data, but must also be able to restrict this, as part of the
right of restriction of processing.
The right to delete data and to be forgotten, as well as the right of data portability, require that personal
data be mapped to an individual. Thus, managing customer identities becomes more important than
ever before.
Organizations will require a whole “consent management system”
Organizations will require a whole “consent management system” as part of their Customer Identity
Management strategy. Changes to social network terms of service might require updated consent. The
system must also track and keep a record of consent per-user for each term.
It is not enough to simply store identities. Organizations must transparently make clear what data is
stored and how it is being used. This requires a transparent mechanism for self-service control over
identity profiles. It requires new forms of user journeys that strike a balance between the new
regulatory requirements and maximized retention rates.
Also, these capabilities are needed to fulfil requirements such as notice obligations or safeguards for
automated decision making, including the right of individuals to be informed about how decisions are
made.
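The consent management system and the self-service controls described in this section, shown as an added example in Python that is not code from the paper, from KuppingerCole or from Gigya: an append-only consent ledger that records consent per purpose against the exact terms version shown, keeps a hash of the wording and the affirmative action as proof of consent, treats earlier grants as stale once the terms change, and honours revocation, restriction of processing, export for portability and erasure. The purpose names, terms wording, subject id and the evidence-hash layout are assumptions constructed for this example.

```python
"""Consent ledger sketch: per-purpose consent, proof of consent, re-consent on
terms changes, restriction of processing, export and erasure.

Added example for the consent-management discussion in the paper; not code
from the paper, KuppingerCole or Gigya. All names and wording are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    terms_version: str
    granted: bool          # True = consent given, False = consent withdrawn
    timestamp: str
    action: str            # the affirmative action observed, e.g. "checkbox_ticked"
    evidence: str          # SHA-256 binding the fields above to the exact wording shown


def _digest(subject_id: str, purpose: str, version: str, text: str,
            granted: bool, action: str, ts: str) -> str:
    """Proof-of-consent hash: changes if the wording, decision or action is altered."""
    fields = [subject_id, purpose, version, text, str(granted), action, ts]
    return hashlib.sha256("|".join(fields).encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only consent record plus a minimal profile store, keyed by data subject."""

    def __init__(self, terms: dict[str, tuple[str, str]]) -> None:
        self.current: dict[str, str] = {}              # purpose -> version now in force
        self.wording: dict[tuple[str, str], str] = {}  # (purpose, version) -> exact text
        self.events: list[ConsentEvent] = []
        self.profiles: dict[str, dict] = {}
        self.restricted: set[str] = set()              # subjects who froze processing
        for purpose, (version, text) in terms.items():
            self.update_terms(purpose, version, text)

    def update_terms(self, purpose: str, new_version: str, new_text: str) -> None:
        """Publish new wording for a purpose; grants for older versions no longer cover it."""
        self.current[purpose] = new_version
        self.wording[(purpose, new_version)] = new_text

    def record(self, subject_id: str, purpose: str, granted: bool,
               action: str = "checkbox_ticked", when: Optional[datetime] = None) -> ConsentEvent:
        version = self.current[purpose]
        ts = (when or datetime.now(timezone.utc)).isoformat()
        text = self.wording[(purpose, version)]
        ev = ConsentEvent(subject_id, purpose, version, granted, ts, action,
                          _digest(subject_id, purpose, version, text, granted, action, ts))
        self.events.append(ev)
        return ev

    def verify(self, ev: ConsentEvent) -> bool:
        """Recompute the evidence hash from the wording on file; False if either was altered."""
        text = self.wording.get((ev.purpose, ev.terms_version), "")
        return _digest(ev.subject_id, ev.purpose, ev.terms_version, text,
                       ev.granted, ev.action, ev.timestamp) == ev.evidence

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self.events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Allowed only with an unrevoked grant for the current terms and no restriction in force."""
        if subject_id in self.restricted:
            return False
        ev = self.latest(subject_id, purpose)
        return ev is not None and ev.granted and ev.terms_version == self.current[purpose]

    def restrict(self, subject_id: str) -> None:
        self.restricted.add(subject_id)

    def lift_restriction(self, subject_id: str) -> None:
        self.restricted.discard(subject_id)

    def export(self, subject_id: str) -> str:
        """Data portability: the profile plus the subject's full consent history as JSON."""
        history = [asdict(e) for e in self.events if e.subject_id == subject_id]
        return json.dumps({"profile": self.profiles.get(subject_id, {}),
                           "consent_history": history}, indent=2, sort_keys=True)

    def erase(self, subject_id: str) -> int:
        """Right to erasure: drop profile, consent events and restriction flag; returns rows removed."""
        before = len(self.events)
        self.events = [e for e in self.events if e.subject_id != subject_id]
        removed = before - len(self.events)
        if self.profiles.pop(subject_id, None) is not None:
            removed += 1
        self.restricted.discard(subject_id)
        return removed


def demo() -> dict:
    """Grant, terms change, re-consent, restriction, revocation, export, erasure (constructed data)."""
    ledger = ConsentLedger({"newsletter": ("v1", "We may e-mail you product news."),
                            "analytics": ("v1", "We may analyse your usage to improve the service.")})
    ledger.profiles["user-42"] = {"email": "alice@example.org"}   # constructed sample subject
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ev = ledger.record("user-42", "newsletter", True, when=t0)
    out = {"granted": ledger.may_process("user-42", "newsletter"),
           "no_consent_for_analytics": ledger.may_process("user-42", "analytics"),
           "evidence_verifies": ledger.verify(ev)}
    ledger.update_terms("newsletter", "v2", "We may e-mail you product news and partner offers.")
    out["stale_after_terms_change"] = ledger.may_process("user-42", "newsletter")
    ledger.record("user-42", "newsletter", True, when=t0)           # re-consent to v2
    out["reconsented"] = ledger.may_process("user-42", "newsletter")
    ledger.restrict("user-42")
    out["restricted"] = ledger.may_process("user-42", "newsletter")
    ledger.lift_restriction("user-42")
    ledger.record("user-42", "newsletter", False, action="unsubscribe_link", when=t0)  # revocation
    out["revoked"] = ledger.may_process("user-42", "newsletter")
    out["history_length"] = len(json.loads(ledger.export("user-42"))["consent_history"])
    out["erased_rows"] = ledger.erase("user-42")
    out["gone"] = json.loads(ledger.export("user-42")) == {"profile": {}, "consent_history": []}
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check in `may_process` is the point of the design: a decision is tied to the terms version it was given for, so a changed term silently stops covering old grants instead of being assumed to carry over, and the hash lets a reviewer confirm that the wording on file is what the user actually saw. A production ledger would keep these events in tamper-evident, append-only storage and check whether a retention obligation applies before `erase` removes the consent history itself; this sketch simply deletes it.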
Finding the right balance
The challenge of the future is finding a balance between business enablement on one hand and privacy
and security on the other. Meeting regulatory requirements is a must, but that must not happen at the
expense of business requirements (unless the business model stands in stark contrast to the GDPR).
Furthermore, many implementations will not serve only EU customers or run in the EU exclusively, so
other regulations might apply. Thus, the system should be flexible, to provide different experiences to
different territories. This means that EU regulatory requirements should only affect the user experience
of EU users, while users in other territories have an experience tailored to the regulatory requirements
there.
From a business perspective, the goal should be about satisfying market demand, delivering a great user
experience, supporting ever-changing business models, and implementing agile solutions that can be
easily adapted to new requirements.
Doing so with these new, stronger regulatory requirements requires flexible solutions that allow
managing users’ identities and enabling the required amount of user control and consent, but also the
security of personal data, which also is part of the GDPR regulation. Providing data to commercial
platforms is a deliberate act. Models that exchange data for value are still allowed, but the principles
listed in the section above must be met. In particular users must be in control and be able to manage
their personal data and be able to revoke consent regarding its use.
Kuppinger Cole Ltd.
Sonnenberger Str. 16
65193 Wiesbaden | Germany
Phone +49 (211) 23 70 77 – 0
Fax +49 (211) 23 70 77 – 11
www.kuppingercole.com
KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in
relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand
vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions
essential to your business.
KuppingerCole, founded in 2004, is a global Analyst Company headquartered in Europe focusing on
Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise,
thought leadership, outstanding practical relevance, and a vendor-neutral view on the information
security market segments, covering all relevant aspects like: Identity and Access Management (IAM),
Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well
as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting,
Governance, and Organization & Policies.
For further information, please contact clients@kuppingercole.com
The Future of Information Security – Today