KuppingerCole Whitepaper
Compliance: The GDPR and Consumer Identity Management
Report No.: 72602
GDPR and Implications for Customer Identity
Management
With the upcoming EU GDPR (General Data Protection Regulation), the requirements for
managing personal data will change. The scope of the regulation is broad and also affects
organizations outside of the EU. Finding the balance between the new regulatory requirements
on one hand and the new requirements of managing customers in the age of Digital
Transformation mandates a shift from per-portal and per-application customer management to
centralized Customer Identity Management platforms that support the balance between
compliance, user consent, and optimally servicing the customer’s needs.
Dr. Karsten Kinast
kk@kuppingercole.com
Martin Kuppinger
mk@kuppingercole.com
Commissioned by
Related Research
#71529 Executive View: Gigya Customer Identity Management Suite
#72002 Whitepaper: Using Information Stewardship within Government to Protect PII
#72006 Leadership Brief: Your customer identities: How to do them right
#72015 Leadership Brief: Monetizing the Digital Transformation
KuppingerCole
WHITEPAPER by Dr. Karsten Kinast & Martin Kuppinger | September 2016
KuppingerCole Whitepaper
Compliance: The GDPR and Customer Identity Management
Report No.: 72601 Page 2 of 14
Content
1 Executive Summary
2 Research Highlights
3 The General Data Protection Regulation (GDPR)
History and context: Why the GDPR was needed
Existing framework
EU Data Protection Directive
E-Privacy Directive
Implementation period and scope of application
4 Compliance: Key Elements of GDPR
The definition of personal data
The rules for obtaining valid consent
4.1 Data Protection Officer (DPO) Appointment Requirements
4.2 Mandatory Data Protection Impact Assessments (DPIAs)
4.3 Data breach notification requirements
4.4 Data Control and the right to be forgotten
Technical and organizational security measures
Privacy by default and by design
5 GDPR and Customer Identity Management
Business requirements
Principles to implement GDPR Requirements
Finding the right balance
6 Summary and Recommendations
7 Copyright
1 Executive Summary
With the upcoming EU (European Union) GDPR, data protection and privacy requirements will change,
requiring that organizations take appropriate action. The GDPR has a very broad scope, and is thus
relevant not only to organizations within the EU, but also to organizations processing data of consumers
located within the EU.
The GDPR arose as a harmonization instrument in the field of data protection within the EU Member
States. The rapid development of new technologies has revealed the necessity to update the current
data protection framework in a way that addresses today’s reality with social networks and big data
technologies. The requirements for maintaining consumers’ privacy will be significantly more stringent
through the new framework. As an EU directive, the GDPR overrides local regulations, which will
subsequently need to be adapted.
There are a variety of new regulatory elements, including aspects such as mandatory consent, definition
of purpose for the use of personal data, and the right to be forgotten. To understand the impact that
the GDPR has on Customer Identity Management and the processing of customer data – which goes well
beyond Customer Identity Management and also affects CRM, ERP, and other business systems – it is
important to understand the key regulatory elements of the new law.
From a customer data perspective, it becomes ever more important to manage customer identities in an
efficient and well thought-out manner. The fundamental challenge is that customers have significantly
more rights than they ever had with any data protection regulation in the EU before. Thus, being able to
identify the customer – even when he is using different login credentials over time – is important not
only from a business perspective, but also from a compliance perspective. Obviously, meeting the
changing requirements is easier when various login credentials in use are correctly linked to a single
person. Beyond that, managing and respecting the user’s consent, his preferences, opt-ins and opt-outs
across all touchpoints becomes mandatory with the EU GDPR. Customer Identity Management is about
front-end challenges such as understanding the unique identity of a customer, but also challenges such
as enforcing consent decisions across all back-end systems.
From a technical perspective, the essence of the regulation can be framed in a single sentence:
Rely on platforms, not on coding
The days of constructing every customer-facing application and portal independently, with separate
identity management for each, are past. Efficiently handling customer identities, their consent, and their
context, to support business agility and to fulfil regulatory compliance requirements mandates using a
dedicated Customer Identity Management platform.
2 Research Highlights
● The upcoming EU GDPR, planned to go into effect May 2018, changes data protection and privacy
requirements – organizations must take action now
● Obtaining user consent for the purposes of personal data usage and managing proof of consent are
major elements
● Various principles such as the right to be forgotten and the right to revoke consent will be
implemented
● Organizations must improve their capability to manage user identities, consent, and context
3 The General Data Protection Regulation (GDPR)
The upcoming EU GDPR adds a number of new requirements for organizations dealing with personal
data, where personal data also includes information that allows indirect identification of customers. The
changes to the EU GDPR mandate that organizations take actions to comply with that regulation.
With the upcoming EU (European Union) GDPR, data protection and privacy requirements will change,
requiring that organizations take appropriate action. The GDPR has a very broad scope, and thus is
relevant not only to organizations within the EU, but also to organizations processing data of consumers
who are located within the EU.
Understanding the scope, content, and impact of the EU GDPR is essential for understanding the
concrete implications for organizations when dealing with Personally Identifiable Information (PII) in its
broadest sense. Of particular importance is the way organizations must handle consumer data in the
future.
History and context: Why the GDPR was needed
The GDPR arises as a harmonization instrument in the field of data protection within the EU Member
States. The rapid development of new technologies has revealed the necessity to update the current
data protection framework in a way that also addresses the new realities of the digital economy, such as
the near ubiquitous use of big data or the role social networks today play in communication and
collaboration. Consumers’ privacy will be enforced through the new framework. As an EU directive, the
GDPR overrides local regulations, which will subsequently need to be adapted.
While the GDPR strengthens overall data protection requirements in EU Member States, it also
harmonizes various existing regulations. Having more consistent data protection regulations across all
EU Member States than is the case today will make it easier for organizations to comply.
Existing framework
The Data Protection Directive 95/46/EC and the Directive on Privacy and Electronic Communications
2002/58/EC (E-Privacy Directive) constitute the current framework regarding personal data protection.
The current Data Protection Directive dates from 1995. Back then, the Internet was still in its early days.
There were no smartphones and no social networks existed at all. Big Data was still small and had far
from widespread adoption. The EU GDPR tries to catch up with the changes of the last 20+ years while
setting a standard for the upcoming years. Thus, the gap between the former directive, which could be
overridden to some extent at member state level, and the new EU GDPR, is quite significant.
EU Data Protection Directive
The EU Commission adopted the Data Protection Directive in order to harmonize certain aspects
established in the EU for the processing of personal data by data controllers (persons or organizations
who decide how and why personal data is processed) and data processors (persons or organizations
who process data on behalf of data controllers). However, certain relevant aspects, such as the
obligation to: appoint a Data Protection Officer; register the IT Systems in use with the competent
Authority; meet consent requirements, and so on, remained different between various Member States.
This highlighted the necessity to update the existing framework in order to have a higher level of
harmonization within the EU, and to continue ensuring an adequate level of personal data protection.
E-Privacy Directive
The E-Privacy Directive complements the GDPR and imposes specific requirements regarding how
customers’ personal data is stored and collected by internet or telecommunications providers. A
formally reviewed draft of the E-Privacy Directive that is in line with the new scope of the GDPR is
expected soon. However, as pointed out, this specific directive only applies to certain defined industries.
Implementation period and scope of application
Organizations have a two-year time period, until May 25th, 2018, to implement the changes introduced
by the GDPR. Otherwise, significant fines may be imposed on organizations that have not reached the
minimum data protection level imposed by the new framework. This is a rather short period of time,
given that the GDPR might require significant changes to existing software implementations that are
handling data within the scope of the regulation.
Simply said: Continuing to do business with EU customers requires full compliance
with the EU GDPR
One of the most interesting aspects of the GDPR is its broad scope. The GDPR is applicable to all data
controllers and data processors established in the EU, regardless of the location of the processing. But it
also applies to data controllers and processors established outside the EU, if the data subjects (whose
personal data is being processed) are located in the EU and the processing activities relate to the
offering of goods or services to EU data subjects or to the monitoring of their behaviour, if that
behaviour takes place in the EU.
This concretely means that every organization worldwide that is processing data of EU customers must
comply with the EU GDPR. Simply locating data centres outside of the EU and continuing as is will not be
sufficient. When it comes to dealing with customer data, the other theoretical option of simply not
serving EU customers most likely won’t be an option for most organizations.
Once again: Continuing to do business with EU customers requires full compliance with the EU GDPR.
4 Compliance: Key Elements of GDPR
There are a variety of new rules in place. These include the need for consent per purpose; breach
notification requirements; and principles such as the right to be forgotten. Not everything is new, but,
overall, the regulatory requirements are increasing significantly.
To understand the impact that the GDPR has on Customer Identity Management and the processing of
customer data – which goes well beyond Customer Identity Management and affects CRM, ERP and
other business systems – it is important to understand the key regulatory elements of the GDPR.
The definition of personal data
The GDPR applies to any processing operation that involves personal data. Personal data is any
information related to an identified person or that allows organisations to identify a natural person,
directly or indirectly. A person can be identifiable by name, an identification number, location data,
online identifiers or factors related to the physical, physiological, genetic, mental, economic, cultural or
social identity of that person. Customer data may refer to their bank account, IP-address, login data,
consuming habits that identify the individual, and more.
This definition is very broad, far broader than traditional definitions of PII. For instance, the definition
includes all tracking data that may allow the identification of an individual. In particular the aspect of
“identifying indirectly” is of importance, given that this is a very broad definition. In fact, all data
collected via the use of cookies, for instance, should be considered personal data that is in the scope of
the GDPR.
Implication: To meet these new requirements, it’s vital to have a “360-degree view” of each customer
and all the data associated with them. This calls for advanced profile management and the ability to
unify a wide variety of attributes and build accurate and complete profiles.
The rules for obtaining valid consent
Unless any other legal basis for processing personal data is in place, such as a contract or an obligation
imposed by law, consent is required prior to processing personal data. Consent will be deemed to be
valid if it is freely given, informed, unambiguous and consists of a statement or a clear affirmative
action. If the data is used for several purposes, the individual should give his/her consent for each
purpose.
From a marketing and customer identity perspective, this is about such aspects as consent to collect
data via cookies or other browser activities, opt-in and opt-out options, and so on. The most important
aspects are that consent must be given per-purpose and that consent must be given in an “informed”
way. The tendency is that organizations processing and storing personal data will need to be clearer about
the purpose of collecting data. In the end, many people will give their consent because they want to use
a particular service. This also involves proof of consent. There is a requirement to provide evidence as to
which exact terms each user has given consent for, and technical proof that the user did, in fact, agree.
Consent should be given per-purpose and the provider must provide “proof of
consent”
These requirements quickly become complex in large organizations, where users have multiple channels
of access. Having a unique view on the identity of the consumer or customer and managing his
preferences and consent uniquely is critical for meeting this requirement.
Implication: In order to handle new consent requirements, flexibility in the identity management system
is necessary to enable customized registration and login flows that are compliant for each region
wherein the data controller is serving customers.
4.1 Data Protection Officer (DPO) Appointment Requirements
Currently, only a few countries regulate the appointment of a DPO. Under the GDPR, this will change
fundamentally. Organizations will have the obligation to appoint a DPO, wherever the processing
involves a large scale of special categories of personal data, or a systematic monitoring of individuals
takes place. The appointment of the DPO should be based on his/her professional qualities and expert
knowledge on data protection. This position can be held either by a member of the organization or by
an external professional. A single DPO may be appointed for a group of companies.
Implication: Organizations must evaluate whether they have to appoint a DPO and free up sufficient
budget. In particular, they will have to decide whether they prefer relying on an internal or external
DPO.
4.2 Mandatory Data Protection Impact Assessments (DPIAs)
As part of the risk-based approach of the GDPR, it will be obligatory to conduct DPIAs if the processing in
question is likely to result in high risk for the rights and freedoms of individuals due to the nature, scope,
context or purposes of the processing operations. This is the case in certain scenarios:
● If special categories of personal data defined in the GDPR are processed on a large scale
● If a systematic evaluation of personal aspects related to natural persons takes place that
is carried out using automated decisions
● If a systematic monitoring of publicly accessible areas takes place
Each DPIA must describe
● All processing operations and their purposes
● The necessity and scale of each process in relation to its intended purpose
● The potential risks to the rights and freedoms of the data subjects
● The technical and organizational measures that will be implemented
Implication: Beyond the necessity of a DPO, there is the need for defined assessments in a variety of use
cases. Internal audit must adapt its controls to these new requirements.
4.3 Data breach notification requirements
When a data breach impacting PII occurs, the appropriate Supervisory Authority must be notified by the
data controller within 72 hours of being made aware of the breach. If customer data that may impact
the rights and freedoms of consumers is affected by the breach, those consumers must also be notified.
Implication: Every organization must define and implement a process for both breach notification and
incident management, for handling incidents in an adequate and compliant manner. It’s important to
ensure that every vendor providing technology in a multiple solution stack can respond in a timely
manner to data breaches, and has a well-designed strategy for numerous contingencies.
4.4 Data Control and the right to be forgotten
The right to be forgotten has been recognized as an inherent right of data subjects. It stipulates that
individuals are entitled to request that data controllers erase their data upon request without undue
delay. However, this right can be exercised only if certain requirements are met. For example, if the
personal data is no longer necessary for the purposes for which it was collected, or the data subject
withdraws his or her consent.
There is even more than the right to be forgotten – data control is becoming complex
While there have already been many discussions, as well as lawsuits, regarding the right to be
forgotten, it will soon become more important. Organizations are well-advised to prepare for the
demand from customers to delete their data.
However, the right to be forgotten is not the only requirement in this category. New consumer rights
regarding control of user data are much broader, and also include the right to freeze data processing,
which is a new and quite complicated requirement to meet. Data subjects can request that the
processing of their data be frozen.
Another important new right is the right to export personal data and edit it. Again, this is not easy to
implement and can mean significant workloads for organizations dealing with personal data.
Implication: To ensure the ability of consumers to maintain control over their personal data, advanced
profile management should be employed, with appropriate end user preference management options
for freezing processing of, editing, exporting and deleting data.
Technical and organizational security measures
In addition to the legal requirements mentioned above, it is also essential that adequate technical and
organizational security measures are implemented according to the nature of the processing. These
measures may include pseudonymization and anonymization of personal data, confidentiality, integrity,
and resilience of processing systems, the ability to respond appropriately to incidents, and a regular
assessment of the efficacy of implemented technical and organizational security measures, for example
through regular IT-Security and Data Protection Audits.
Specifically, technical and organizational security measures should regulate access rights, admission
control, transmission control, input control, availability control and control over commissioned data
processing.
Again, these regulatory requirements can result in rather complex technical requirements that must be
met by organizations controlling and processing personal data. Technical and organizational security
measures are best implemented following established standards such as ISO27018.
Implication: It’s important to verify that any solution being leveraged to capture and manage customer
data maintains security practices and infrastructure that are industry certified for the appropriate
standards.
Privacy by default and by design
Finally, there is the requirement of Privacy by Default and by Design. Privacy by Design is a concept that
has been discussed for several years now. Basically, this is about creating applications in a way that
allows for flexibly enforcing privacy requirements, depending on both regulatory requirements and
customer consent. Privacy by Default, on the other hand, is about having privacy enabled by default, not
as something that can be achieved by customers only in a cumbersome way.
In sum, there are a significant number of requirements being introduced by the EU GDPR. While not
everything is new or even uncommon, it nonetheless requires organizations that are controlling and
processing personal data to rethink the way they are dealing with such data.
Implication: When assessing readiness for the GDPR, be sure that any solution in the stack that collects
and manages customer data can meet the specific requirements for the customer use case, especially
data privacy requirements. In the case of end-to-end solutions, be sure that they maintain strong
relationships with a range of technology partners that can easily integrate with their platform. Move
away from coding for customization and rely on standard technologies.
5 GDPR and Customer Identity Management
Finding the balance between business and compliance requirements becomes a challenge in the context
of the EU GDPR. Organizations have to manage customer (and other personal) data in a consistent way,
moving away from point solutions and building a strong foundation for Customer or Identity
Management.
The focus of the EU GDPR is not only about customer data, although many of the new requirements
target social networks, search engines, eCommerce, and other customer-facing businesses. However, it
is important to bear in mind that the EU GDPR affects all personal data, including that of employees or
business partners.
Organizations need one view of customers’ identities, their consent, and their
preferences – across all touchpoints
From a consumer data perspective, it becomes ever more important to manage customer identities in
an efficient and well thought-out manner. The fundamental challenge is that consumers have
significantly more rights than they ever had with any data protection regulation in the EU before. Thus,
being able to identify the customer – even when he is using different login credentials over time – is not
only important from a business perspective, but also from a compliance perspective. Obviously, meeting
the changing requirements is easier when various login credentials in use are correctly linked to a single
person.
Business requirements
The main requirements for implementing a Customer Identity & Access Management (CIAM) solution are
business-driven. While the EU GDPR is a business driver, due to the need to comply with the upcoming
regulation, there are other reasons that drive the adoption of Customer Identity Management.
In particular, as part of the so-called Digital Transformation, business models are changing, leading to a
closer online interaction with customers than ever before. Data collected by things and devices is one
important aspect of that evolution. Building long-term relationships with customers in a time of rapid
business model changes, as well as business partnerships, requires that customers are identified,
regardless of the login credentials they use. Understanding customer activities and behaviours is also
essential for optimally serving the customer.
When doing so, a number of requirements must be met:
● Customer-facing solutions must satisfy the customer, in terms of usability and ease-of-use, starting
with the support of a broad variety of authenticators (traditional registration, social login, biometrics,
and so on) and a seamless overall customer experience
● Solutions must be built in a way that allows for rapid adaptation to changing business requirements –
time-to-market is a critical success factor for every business
● Data models for customer data must be dynamic and adaptable, allowing businesses to store “what
is needed” for today’s and tomorrow’s business requirements
● Solutions must be highly scalable, particularly during peak times
● There must be one view of the customer across all customer-facing systems, but also flexible
integration with a multitude of backend systems
● There must be comprehensive support for managing user consent, opt-ins, and preferences, and
respecting these across every touchpoint the customer has with the organization
Customer-facing applications must be more flexible than ever. The days of creating independent
solutions that manage their own identities, implement their own approach to customer journeys, and
exist in isolation from other systems are long past. Customer identities are too important for businesses
in the Digital Age, and from a regulatory viewpoint – in the light of the upcoming EU GDPR – the need
for a unified, standardized Customer Identity Management infrastructure is no longer just an optional
and attractive approach, but a necessary one.
Principles to implement GDPR Requirements
The EU GDPR formulates, as has been stated above, a number of mandatory principles. Customer
Identity Management will not solve all of these requirements, but greatly supports compliance with
these principles. Overall, many of the essential principles of the EU GDPR mandate that organisations
have a good knowledge of customers’ identities. Knowing the person, being able to identify them when
they connect to systems, and in particular having one view of that person and their activities across
multiple systems makes it far easier to comply with many of the principles and requirements of the EU
GDPR such as:
● Consent and proof of consent
● Purpose limitation
● Right of erasure and to be forgotten
● Right to restriction of processing
● Right of data portability and right to edit data
● Notice obligations
● Safeguards for automated decision making, including profiling
For consent, it is recommended to not only have an IP address but knowledge about the person that
gives consent (or does not). The same holds true for purpose limitation – the individual must agree not
only to the purpose of use for their personal data, but must also be able to restrict this, as part of the
right of restriction of processing.
The right to delete data and to be forgotten, as well as the right of data portability, require that personal
data be mapped to an individual. Thus, managing customer identities becomes more important than
ever before.
Organizations will require a whole “consent management system”
Organizations will require a whole “consent management system” as part of their Customer Identity
Management strategy. Changes to social network terms of service might require updated consent. The
system must also track and keep a record of consent per-user for each term.
It is not enough to simply store identities. Organizations must transparently make clear what data is
stored and how it is being used. This requires a transparent mechanism for self-service control over
identity profiles. It requires new forms of user journeys that strike a balance between the new
regulatory requirements and maximized retention rates.
Also, these capabilities are needed to fulfil requirements such as notice obligations or safeguards for
automated decision making, including the right of individuals to be informed about how decisions are
made.
Finding the right balance
The challenge of the future is finding a balance between business enablement on one hand and privacy
and security on the other. Meeting regulatory requirements is a must, but that must not happen at the
expense of business requirements (unless the business model stands in stark contrast to the GDPR).
Furthermore, many implementations will not serve only EU customers or run in the EU exclusively, so
other regulations might apply. Thus, the system should be flexible, to provide different experiences to
different territories. This means that EU regulatory requirements should only affect the user experience
of EU users, while users in other territories have an experience tailored to the regulatory requirements
there.
From a business perspective, the goal should be about satisfying market demand, delivering a great user
experience, supporting ever-changing business models, and implementing agile solutions that can be
easily adapted to new requirements.
Doing so under these new, stronger regulatory requirements calls for flexible solutions that allow
managing users’ identities and enabling the required amount of user control and consent, while also
ensuring the security of personal data, which is likewise part of the GDPR. Providing data to commercial
platforms is a deliberate act. Models that exchange data for value are still allowed, but the principles
listed in the section above must be met. In particular, users must be in control, able to manage
their personal data, and able to revoke consent regarding its use.
6 Summary and Recommendations
The EU GDPR is a fact. It is a regulation that organizations must comply with when handling data of
persons residing in the EU, and has a fairly broad and, in essence, global scope. There are new
requirements and principles in place. These require not only better controls and overall knowledge
regarding how an organization handles customer identities, but also better management of personal
data, so that, for example, data can be deleted upon request when a user revokes consent.
From the perspective of dealing with personal data, the most important recommendations are:
1) Inform the customers clearly and in simple statements about what data you collect and use
for which purpose
2) Request consent wherever the GDPR mandates it; in cases where the regulations are not
clear, it is better to obtain consent than not to
3) Define a well thought-out customer journey, including agreements to terms & conditions,
consent, and all other agreements between your organization and the customer
4) Select holistic Customer IAM products that support opt-in, opt-out and related capabilities
out-of-the-box, and also support easy implementation of regulatory requirements beyond
the GDPR such as those of other regions or social network policies
5) Enable customers to use their digital identity of choice
From a technical perspective, once again, the essence can be framed in a single sentence:
Rely on platforms, not on coding
The days of constructing each and every customer-facing application and portal independently, with
separate identity management, are past. Efficiently handling customer identities, supporting business
agility and fulfilling regulatory compliance requirements mandates using a dedicated Customer Identity
Management platform.
7 Copyright
© 2016 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is
forbidden unless prior written permission. All conclusions, recommendations and predictions in this document
represent KuppingerCole’s initial view. Through gathering more information and performing deep analysis, positions
presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all
warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research
documents may discuss legal issues related to information security and technology, KuppingerCole do not provide
any legal services or advice and its publication shall not be used as such. KuppingerCole shall have no liability for
errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to
change without notice. All product and company names are trademarks™ or registered® trademarks of their
respective holders. Use of them does not imply any affiliation with or endorsement by them.
Kuppinger Cole Ltd.
Sonnenberger Str. 16
65193 Wiesbaden | Germany
Phone +49 (211) 23 70 77 – 0
Fax +49 (211) 23 70 77 – 11
www.kuppingercole.com
KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in
relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand
vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions
essential to your business.
KuppingerCole, founded in 2004, is a global Analyst Company headquartered in Europe focusing on
Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise,
thought leadership, outstanding practical relevance, and a vendor-neutral view on the information
security market segments, covering all relevant aspects like: Identity and Access Management (IAM),
Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well
as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting,
Governance, and Organization & Policies.
For further information, please contact clients@kuppingercole.com
The Future of Information Security – Today

Compliance: The GDPR and Consumer Identity Management

  • 1. KuppingerCole Whitepaper Compliance: The GDPR and Consumer Identity Management Report No.: 72602 GDPR and Implications for Customer Identity Management With the upcoming EU GDPR (General Data Protection Regulation), the requirements for managing personal data will change. The scope of the regulation is broad and also affects organizations outside of the EU. Finding the balance between the new regulatory requirements on one hand and the new requirements of managing customers in the age of Digital Transformation mandates a shift from per-portal and per-application customer management to centralized Customer Identity Management platforms that support the balance between compliance, user consent, and optimally servicing the customer’s needs. Dr. Karsten Kinast kk@kuppingercole.com Martin Kuppinger mk@kuppingercole.com Commissioned by Related Research #71529 Executive View: Gigya Customer Identity Management Suite #72002 Whitepaper: Using Information Stewardship within Government to Protect PII #72006 Leadership Brief: Your customer identities: How to do them right #72015 Leadership Brief: Monetizing the Digital Transformation KuppingerCole WHITEPAPER by Dr. Karsten Kinast & Martin Kuppinger | September 2016
  • 2. KuppingerCole Whitepaper Compliance: The GDPR and Customer Identity Management Report No.: 72601 Page 2 of 14 Content 1 Executive Summary ...................................................................................................................... 3 2 Research Highlights ...................................................................................................................... 4 3 The General Data Protection Regulation (GDPR)............................................................................ 4 History and context: Why the GDPR was needed....................................................................................4 Existing framework...................................................................................................................................5 EU Data Protection Directive............................................................................................................5 E-Privacy Directive............................................................................................................................5 Implementation period and scope of application....................................................................................5 4 Compliance: Key Elements of GDPR............................................................................................... 
6 The definition of personal data................................................................................................................6 The rules for obtaining valid consent.......................................................................................................7 4.1 Data Protection Officer (DPO) Appointment Requirements............................................................7 4.2 Mandatory Data Protection Impact Assessments (DPIAs) ...............................................................8 4.3 Data breach notification requirements............................................................................................8 4.4 Data Control and the right to be forgotten......................................................................................8 Technical and organizational security measures .....................................................................................9 Privacy by default and by design..............................................................................................................9 5 GDPR and Customer Identity Management ................................................................................. 10 Business requirements...........................................................................................................................10 Principles to implement GDPR Requirements .......................................................................................11 Finding the right balance........................................................................................................................12 6 Summary and Recommendations................................................................................................ 13 7 Copyright ................................................................................................................................... 13
  • 3. KuppingerCole Whitepaper Compliance: The GDPR and Customer Identity Management Report No.: 72601 Page 3 of 14 1 Executive Summary With the upcoming EU (European Union) GDPR, data protection and privacy requirements will change, requiring that organizations take appropriate action. The GDPR has a very broad scope, and is thus relevant not only to organizations within the EU, but also to organizations processing data of consumers located within the EU. The GDPR arose as a harmonization instrument in the field of data protection within the EU Member States. The rapid development of new technologies has revealed the necessity to update the current data protection framework in a way that addresses today’s reality with social networks and big data technologies. The requirements for maintaining consumers’ privacy will be significantly more stringent through the new framework. As a EU directive, the GDPR overrides local regulations, which will subsequently need to be adapted. There are a variety of new regulatory elements, including aspects such as mandatory consent, definition of purpose for the use of personal data, and the right to be forgotten. To understand the impact that the GDPR has on Customer Identity Management and the processing of customer data – which goes well beyond Customer Identity Management and also affects CRM, ERP, and other business systems – it is important to understand the key regulatory elements of the new law. From a customer data perspective, it becomes ever more important to manage customer identities in an efficient and well thought-out manner. The fundamental challenge is that customers have significantly more rights than they ever had with any data protection regulation in the EU before. Thus, being able to identify the customer – even when he is using different login credentials over time – is important not only from a business perspective, but also from a compliance perspective. 
Obviously, meeting the changing requirements is easier when various login credentials in use are correctly linked to a single person. Beyond that, managing and respecting the user’s consent, his preferences, opt-ins and opt-outs across all touchpoints becomes mandatory with the EU GDPR. Customer Identity Management is about front-end challenges such as understanding the unique identity of a customer, but also challenges such as enforcing consent decisions across all back-end systems.

From a technical perspective, the essence of the regulation can be framed in a single sentence:

Rely on platforms, not on coding

The days of constructing every customer-facing application and portal independently, with separate identity management for each, are past. Efficiently handling customer identities, their consent, and their context, to support business agility and to fulfil regulatory compliance requirements mandates using a dedicated Customer Identity Management platform.
2 Research Highlights

● The upcoming EU GDPR, planned to go into effect May 2018, changes data protection and privacy requirements – organizations must take action now
● Obtaining user consent for the purposes of personal data usage and managing proof of consent are major elements
● Various principles such as the right to be forgotten and the right to revoke consent will be implemented
● Organizations must improve their capability to manage user identities, consent, and context

3 The General Data Protection Regulation (GDPR)

The upcoming EU GDPR adds a number of new requirements for organizations dealing with personal data, where personal data also includes information that allows indirect identification of customers. The changes to the EU GDPR mandate that organizations take actions to comply with that regulation.

With the upcoming EU (European Union) GDPR, data protection and privacy requirements will change, requiring that organizations take appropriate action. The GDPR has a very broad scope, and thus is relevant not only to organizations within the EU, but also to organizations processing data of consumers who are located within the EU. Understanding the scope, content, and impact of the EU GDPR is essential for understanding the concrete implications for organizations when dealing with Personally Identifiable Information (PII) in its broadest sense. Of particular importance is the way organizations must handle consumer data in the future.

History and context: Why the GDPR was needed

The GDPR arises as a harmonization instrument in the field of data protection within the EU Member States.
The rapid development of new technologies has revealed the necessity to update the current data protection framework in a way that also addresses the new realities of the digital economy, such as the near ubiquitous use of big data or the role social networks today play in communication and collaboration. Consumers’ privacy will be enforced through the new framework. As an EU directive, the GDPR overrides local regulations, which will subsequently need to be adapted.

While the GDPR strengthens overall data protection requirements in EU Member States, it also harmonizes various existing regulations. Having more consistent data protection regulations across all EU Member States than is the case today will make it easier for organizations to comply.
Existing framework

The Data Protection Directive 95/46/EC and the Directive on Privacy and Electronic Communications 2002/58/EC (E-Privacy Directive) constitute the current framework regarding personal data protection.

The current Data Protection Directive dates from 1995. Back then, the Internet was still in its early days. There were no smartphones and no social networks existed at all. Big Data was still small and had far from widespread adoption. The EU GDPR tries to catch up with the changes of the last 20+ years while setting a standard for the upcoming years. Thus, the gap between the former directive, which could be overridden to some extent at member state level, and the new EU GDPR, is quite significant.

EU Data Protection Directive

The EU Commission adopted the Data Protection Directive in order to harmonize certain aspects established in the EU for the processing of personal data by data controllers (persons or organizations who decide how and why personal data is processed) and data processors (persons or organizations who process data on behalf of data controllers). However, certain relevant aspects, such as the obligation to appoint a Data Protection Officer, register the IT systems in use with the competent Authority, meet consent requirements, and so on, remained different between various Member States. This highlighted the necessity to update the existing framework in order to have a higher level of harmonization within the EU, and to continue ensuring an adequate level of personal data protection.

E-Privacy Directive

The E-Privacy Directive complements the GDPR and imposes specific requirements regarding how customers’ personal data is stored and collected by internet or telecommunications providers. A formally reviewed draft of the E-Privacy Directive that is in line with the new scope of the GDPR is expected soon.
However, as pointed out, this specific directive only applies to certain defined industries.

Implementation period and scope of application

Organizations have a two-year time period, until May 25th, 2018, to implement the changes introduced by the GDPR. Otherwise, significant fines may be imposed on organizations that have not reached the minimum data protection level imposed by the new framework. This is a rather short period of time, given that the GDPR might require significant changes to existing software implementations that are handling data within the scope of the regulation. Simply said:

Continuing to do business with EU customers requires full compliance with the EU GDPR

One of the most interesting aspects of the GDPR is its broad scope. The GDPR is applicable to all data controllers and data processors established in the EU, regardless of the location of the processing. But it also applies to data controllers and processors established outside the EU, if the data subjects (whose personal data is being processed) are located in the EU and the processing activities relate to the
offering of goods or services to EU data subjects or to the monitoring of their behaviour, if that behaviour takes place in the EU.

This concretely means that every organization worldwide that is processing data of EU customers must comply with the EU GDPR. Simply locating data centres outside of the EU and continuing as is will not be sufficient. When it comes to dealing with customer data, the other theoretical option of simply not serving EU customers most likely won’t be an option for most organizations. Once again: Continuing to do business with EU customers requires full compliance with the EU GDPR.

4 Compliance: Key Elements of GDPR

There are a variety of new rules in place. These include the need for consent per purpose; breach notification requirements; and principles such as the right to be forgotten. Not everything is new, but, overall, the regulatory requirements are increasing significantly.

To understand the impact that the GDPR has on Customer Identity Management and the processing of customer data – which goes well beyond Customer Identity Management and affects CRM, ERP and other business systems – it is important to understand the key regulatory elements of the GDPR.

The definition of personal data

The GDPR applies to any processing operation that involves personal data. Personal data is any information related to an identified person or that allows organisations to identify a natural person, directly or indirectly. A person can be identifiable by name, an identification number, location data, online identifiers or factors related to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Customer data may refer to their bank account, IP address, login data, consuming habits that identify the individual, and more.
This definition is very broad, far broader than traditional definitions of PII. For instance, the definition includes all tracking data that may allow the identification of an individual. In particular the aspect of “identifying indirectly” is of importance, given that this is a very broad definition. In fact, all data collected via the use of cookies, for instance, should be considered personal data that is in the scope of the GDPR.

Implication: To meet these new requirements, it’s vital to have a “360-degree view” of each customer and all the data associated with them. This calls for advanced profile management and the ability to unify a wide variety of attributes and build accurate and complete profiles.
The rules for obtaining valid consent

Unless any other legal basis for processing personal data is in place, such as a contract or an obligation imposed by law, consent is required prior to processing personal data. Consent will be deemed to be valid if it is freely given, informed, unambiguous and consists of a statement or a clear affirmative action. If the data is used for several purposes, the individual should give his/her consent for each purpose.

From a marketing and customer identity perspective, this is about such aspects as consent to collect data via cookies or other browser activities, opt-in and opt-out options, and so on. The most important aspects are that consent must be given per-purpose and that consent must be given in an “informed” way. Organizations processing and storing personal data will tend to need to be clearer about the purpose of collecting data. In the end, many people will give their consent because they want to use a particular service.

This also involves proof of consent. There is a requirement to provide evidence as to which exact terms each user has given consent for, and technical proof that the user did, in fact, agree.

Consent should be given per-purpose and the provider must provide “proof of consent”

These requirements quickly become complex in large organizations, where users have multiple channels of access. Having a unique view on the identity of the consumer or customer and managing his preferences and consent uniquely is critical for meeting this requirement.

Implication: In order to handle new consent requirements, flexibility in the identity management system is necessary to enable customized registration and login flows that are compliant for each region wherein the data controller is serving customers.
4.1 Data Protection Officer (DPO) Appointment Requirements

Currently, only a few countries regulate the appointment of a DPO. Under the GDPR, this will change fundamentally. Organizations will have the obligation to appoint a DPO, wherever the processing involves a large scale of special categories of personal data, or a systematic monitoring of individuals takes place.

The appointment of the DPO should be based on his/her professional qualities and expert knowledge on data protection. This position can be held either by a member of the organization or by an external professional. A single DPO may be appointed for a group of companies.

Implication: Organizations must evaluate whether they have to appoint a DPO and free up sufficient budget. In particular, they will have to decide whether they prefer relying on an internal or external DPO.
4.2 Mandatory Data Protection Impact Assessments (DPIAs)

As part of the risk-based approach of the GDPR, it will be obligatory to conduct DPIAs if the processing in question is likely to result in high risk for the rights and freedoms of individuals due to the nature, scope, context or purposes of the processing operations. This is the case in certain scenarios:

● If special categories of personal data defined in the GDPR are processed on a large scale
● If a systematic evaluation of personal aspects related to natural persons takes place that is carried out using automated decisions
● If a systematic monitoring of publicly accessible areas takes place

Each DPIA must describe

● All processing operations and their purposes
● The necessity and scale of each process in relation to its intended purpose
● The potential risks to the rights and freedoms of the data subjects
● The technical and organizational measures that will be implemented

Implication: Beyond the necessity of a DPO, there is the need for defined assessments in a variety of use cases. Internal audit must adapt its controls to these new requirements.

4.3 Data breach notification requirements

When a data breach impacting PII occurs, the appropriate Supervisory Authority must be notified by the data controller within 72 hours of being made aware of the breach. If customer data that may impact the rights and freedoms of consumers is affected by the breach, those consumers must also be notified.

Implication: Every organization must define and implement a process for both breach notification and incident management, for handling incidents in an adequate and compliant manner. It’s important to ensure that every vendor providing technology in a multiple solution stack can respond in a timely manner to data breaches, and has a well-designed strategy for numerous contingencies.
4.4 Data Control and the right to be forgotten

The right to be forgotten has been recognized as an inherent right of data subjects. It stipulates that individuals are entitled to request that data controllers erase their data without undue delay. However, this right can be exercised only if certain requirements are met, for example if the personal data is no longer necessary for the purposes for which it was collected, or the data subject withdraws his or her consent.

There is even more than the right to be forgotten – data control is becoming complex

While there have already been many discussions, as well as lawsuits, regarding the right to be forgotten, it will soon become more important. Organizations are well-advised to prepare for the demand from customers to delete their data.
However, the right to be forgotten is not the only requirement in this category. New consumer rights regarding control of user data are much broader, and also include the right to freeze data processing, which is a new and quite complicated requirement to meet. Data subjects can request that the processing of their data be frozen.

Another important new right is the right to export personal data and edit it. Again, this is not easy to implement and can mean significant workloads for organizations dealing with personal data.

Implication: To ensure the ability of consumers to maintain control over their personal data, advanced profile management should be employed, with appropriate end user preference management options for freezing processing of, editing, exporting and deleting data.

Technical and organizational security measures

In addition to the legal requirements mentioned above, it is also essential that adequate technical and organizational security measures are implemented according to the nature of the processing. These measures may include pseudonymization and anonymization of personal data, confidentiality, integrity, and resilience of processing systems, the ability to respond appropriately to incidents, and a regular assessment of the efficacy of implemented technical and organizational security measures, for example through regular IT-Security and Data Protection Audits.

Specifically, technical and organizational security measures should regulate access rights, admission control, transmission control, input control, availability control and control over commissioned data processing. Again, these regulatory requirements can result in rather complex technical requirements that must be met by organizations controlling and processing personal data.
Technical and organizational security measures are best implemented following established standards such as ISO 27018.

Implication: It’s important to verify that any solution being leveraged to capture and manage customer data maintains security practices and infrastructure that are industry certified for the appropriate standards.

Privacy by default and by design

Finally, there is the requirement of Privacy by Default and by Design. Privacy by Design is a concept that has been discussed for several years now. Basically, this is about creating applications in a way that allows for flexibly enforcing privacy requirements, depending on both regulatory requirements and customer consent. Privacy by Default, on the other hand, is about having privacy enabled by default, not as something that can be achieved by customers only in a cumbersome way.

In sum, there are a significant number of requirements being introduced by the EU GDPR. While not everything is new or even uncommon, it nonetheless requires organizations that are controlling and processing personal data to rethink the way they are dealing with such data.
Implication: When assessing readiness for the GDPR, be sure that any solution in the stack that collects and manages customer data can meet the specific requirements for the customer use case, especially data privacy requirements. In the case of end-to-end solutions, be sure that they maintain strong relationships with a range of technology partners that can easily integrate with their platform. Move away from coding for customization and rely on standard technologies.

5 GDPR and Customer Identity Management

Finding the balance between business and compliance requirements becomes a challenge in the context of the EU GDPR. Organizations have to manage customer (and other personal) data in a consistent way, moving away from point solutions and building a strong foundation for Customer or Identity Management.

The focus of the EU GDPR is not only about customer data, although many of the new requirements target social networks, search engines, eCommerce, and other customer-facing businesses. However, it is important to bear in mind that the EU GDPR affects all personal data, including that of employees or business partners.

Organizations need one view of customers’ identities, their consent, and their preferences – across all touchpoints

From a consumer data perspective, it becomes ever more important to manage customer identities in an efficient and well thought-out manner. The fundamental challenge is that consumers have significantly more rights than they ever had with any data protection regulation in the EU before. Thus, being able to identify the customer – even when he is using different login credentials over time – is not only important from a business perspective, but also from a compliance perspective. Obviously, meeting the changing requirements is easier when various login credentials in use are correctly linked to a single person.
Business requirements

The main requirements for implementing a Customer Identity & Access Management (CIAM) solution are business-driven. While the EU GDPR is a business driver, due to the need to comply with the upcoming regulation, there are other reasons that drive the adoption of Customer Identity Management. In particular, as part of the so-called Digital Transformation, business models are changing, leading to a closer online interaction with customers than ever before. Data collected by things and devices is one important aspect of that evolution.

Building long-term relationships with customers in a time of rapid business model changes, as well as business partnerships, requires that customers are identified, regardless of the login credentials they use. Understanding customer activities and behaviours is also essential for optimally serving the customer.
When doing so, a number of requirements must be met:

● Customer-facing solutions must satisfy the customer, in terms of usability and ease-of-use, starting with the support of a broad variety of authenticators (traditional registration, social login, biometrics, and so on) and a seamless overall customer experience
● Solutions must be built in a way that allows for rapid adaptation to changing business requirements – time-to-market is a critical success factor for every business
● Data models for customer data must be dynamic and adaptable, allowing businesses to store “what is needed” for today’s and tomorrow’s business requirements
● Solutions must be highly scalable, particularly during peak times
● There must be one view of the customer across all customer-facing systems, but also flexible integration with a multitude of backend systems
● There must be comprehensive support for managing user consent, opt-ins, and preferences, and respecting these across every touchpoint the customer has with the organization

Customer-facing applications must be more flexible than ever. The days of creating independent solutions that manage their own identities, implement their own approach to customer journeys, and exist in isolation from other systems are long past. Customer identities are too important for businesses in the Digital Age, and from a regulatory viewpoint – in the light of the upcoming EU GDPR – the need for a unified, standardized Customer Identity Management infrastructure is no longer just an optional and attractive approach, but a necessary one.

Principles to implement GDPR Requirements

The EU GDPR formulates, as has been stated above, a number of mandatory principles. Customer Identity Management will not solve all of these requirements, but greatly supports compliance with these principles.
Overall, many of the essential principles of the EU GDPR mandate that organisations have a good knowledge of customers’ identities. Knowing the person, being able to identify them when they connect to systems, and in particular having one view of that person and their activities across multiple systems makes it far easier to comply with many of the principles and requirements of the EU GDPR such as:

● Consent and proof of consent
● Purpose limitation
● Right of erasure and to be forgotten
● Right to restriction of processing
● Right of data portability and right to edit data
● Notice obligations
● Safeguards for automated decision making, including profiling

For consent, it is recommended to not only have an IP address but knowledge about the person that gives consent (or does not). The same holds true for purpose limitation – the individual must agree not only to the purpose of use for their personal data, but must also be able to restrict this, as part of the right of restriction of processing.
The right to delete data and to be forgotten, as well as the right of data portability, require that personal data be mapped to an individual. Thus, managing customer identities becomes more important than ever before.

Organizations will require a whole “consent management system”

Organizations will require a whole “consent management system” as part of their Customer Identity Management strategy. Changes to social network terms of service might require updated consent. The system must also track and keep a record of consent per-user for each term.

It is not enough to simply store identities. Organizations must transparently make clear what data is stored and how it is being used. This requires a transparent mechanism for self-service control over identity profiles. It requires new forms of user journeys that strike a balance between the new regulatory requirements and maximized retention rates. Also, these capabilities are needed to fulfil requirements such as notice obligations or safeguards for automated decision making, including the right of individuals to be informed about how decisions are made.

Finding the right balance

The challenge of the future is finding a balance between business enablement on one hand and privacy and security on the other. Meeting regulatory requirements is a must, but that must not happen at the expense of business requirements (unless the business model stands in stark contrast to the GDPR).

Furthermore, many implementations will not serve only EU customers or run in the EU exclusively, so other regulations might apply. Thus, the system should be flexible, to provide different experiences to different territories. This means that EU regulatory requirements should only affect the user experience of EU users, while users in other territories have an experience tailored to the regulatory requirements there.
From a business perspective, the goal should be about satisfying market demand, delivering a great user experience, supporting ever-changing business models, and implementing agile solutions that can be easily adapted to new requirements. Doing so with these new, stronger regulatory requirements requires flexible solutions that allow managing users’ identities and enabling the required amount of user control and consent, but also the security of personal data, which also is part of the GDPR.

Providing data to commercial platforms is a deliberate act. Models that exchange data for value are still allowed, but the principles listed in the section above must be met. In particular, users must be in control and be able to manage their personal data and be able to revoke consent regarding its use.
6 Summary and Recommendations

The EU GDPR is a fact. It is a regulation that organizations must comply with when handling data of persons residing in the EU, and has a fairly broad and, in essence, global scope.

There are new requirements and principles in place. These require not only better controls and overall knowledge regarding how an organization handles customer identities, but also better management of personal data, so that, for example, data can be deleted upon request when a user revokes consent.

From the perspective of dealing with personal data, the most important recommendations are

1) Inform the customers clearly and in simple statements about what data you collect and use for which purpose
2) Request consent wherever GDPR mandates – and in cases where the regulations are not clear – it is better to obtain consent than to not
3) Define a well thought-out customer journey, including agreements to terms & conditions, consent, and all other agreements between your organization and the customer
4) Select holistic Customer IAM products that support opt-in, opt-out and related capabilities out-of-the-box, and also support easy implementation of regulatory requirements beyond the GDPR such as those of other regions or social network policies
5) Enable customers to use their digital identity of choice

From a technical perspective, once again, the essence can be framed in a single sentence:

Rely on platforms, not on coding

The days of constructing each and every customer-facing application and portal independently, with separate identity management, are past. Efficiently handling customer identities, supporting business agility and fulfilling regulatory compliance requirements mandates using a dedicated Customer Identity Management platform.

7 Copyright

© 2016 Kuppinger Cole Ltd. All rights reserved.
Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole’s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publication shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Kuppinger Cole Ltd.
Sonnenberger Str. 16
65193 Wiesbaden | Germany
Phone +49 (211) 23 70 77 – 0
Fax +49 (211) 23 70 77 – 11
www.kuppingercole.com

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global Analyst Company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com

The Future of Information Security – Today