GDPR & Customer IAM: The Real Winners Won’t Stop At Compliance

GDPR & CUSTOMER IAM:
THE REAL WINNERS
WON’T STOP AT
COMPLIANCE
Matt Klassen & Remy Lyle
Ping Identity
1 Confidential | Do not distribute — Copyright ©2017 Ping Identity Corporation. All rights reserved.

AGENDA
▪ GDPR Overview
▪ Key Requirements of GDPR
▪ How Customer IAM Helps Solve GDPR
▪ Design Patterns for Consent Management
Confidential | Do not distribute — Copyright ©2017 Ping Identity Corporation. All rights reserved.2

GDPR OVERVIEW
GDPR & Customer IAM: The Real Winners Won’t Stop at
Compliance

GDPR BASICS
▪ General Data Protection Regulation
– Adopted in 2016
– Full effect on 25 May, 2018
– Replaces former data protection directive
– Privacy protection for EU citizen personal data
– Steep fines for non-compliance

IMPORTANT ASPECTS OF GDPR
Global Impact Broad Scope Heavy Fines

KEY REQUIREMENTS OF GDPR
Compliance

CLASSIFYING THE REQUIREMENTS
7
Process &
Organization
• Data Protection
Officer (DPO)
• Data Protection
Impact Assessment
• Incident Reporting
• +MORE
Technical
• Consent
• Data Access
• Rectification
• Erasure
• Data Portability
• Data Security
Confidential | Do not distribute — Copyright ©2017 Ping Identity Corporation. All rights reserved.

CONSENT
The controller needs to seek and record consent from the
data subject for collection, storage & use of personal data
▪ Must be an auditable record
▪ Must be presented
“unbundled”
▪ Can be withdrawn
▪ Consent is given for data and
use case
8
Articles: 7 8 13

DATA ACCESS & RECTIFICATION
The data subject can access the personal data that was
collected and make corrections and updates
▪ Access to all of the data
collected as well as purpose,
recipients, storage period
▪ Review and edit of data –
request changes
▪ Notification of changes and
rights
9
Articles: 15 16

ERASURE
The data subject has the right to ask the controller to
“forget” or erase all personal data
▪ Restrictions of this right may
be dictated by other
regulations
▪ “Erase” all data across data
stores and back-ups
▪ 3rd parties must be notified
10
Articles: 17

DATA PORTABILITY
The data subject has the right to receive any personal data
received by a controller
▪ Must be in structured
commonly used machine
readable format
▪ Can request data transferred
directly to 3rd party
Articles: 20

DATA PROTECTION BY DESIGN &
SECURITY
The controller must design systems to protect and secure
personal data based on risk
.▪ Pseudonymisation and
encryption
▪ Access controls
▪ Backup/restore
▪ Minimization
Articles: 25 32

HOW CUSTOMER IAM HELPS SOLVE
GDPR
Compliance

WHAT IS YOUR BUSINESS GOAL?

End-to-end
Security
Govern Data
Access
Mobile Apps
SECURE & SEAMLESS CUSTOMER IAM
Web Apps & SaaS
IoT
Internal Apps
Partner Apps
Auth & SSO
• Single sign-on across digital properties
• MFA and transaction approvals
• Govern and control access to data
• Unify profiles and sync data platforms
• Manage preferences and privacy
• End-to-end security
• Extreme scale and performance
15
MDM CRM AD/LDAP
Unify Customer Profiles

End-to-end
Security
Govern Data
Access
Mobile Apps
SECURE & SEAMLESS CUSTOMER IAM
Web Apps & SaaS
IoT
Internal Apps
Partner Apps
Auth & SSO
• Single sign-on across digital properties
• MFA and transaction approvals
• Govern and control access to data
• Unify profiles and sync data platforms
• Manage preferences and privacy
• End-to-end security
• Extreme scale and performance
16
MDM CRM AD/LDAP
Unify Customer Profiles

CAPTURE & MANAGE CONSENT
• Simplify the capture of customer
consent across channels
• Capture consent for specific attributes
• Enforce consent choices based on
centralized policies that can reflect:
o Geographic regulations like GDPR
o Industry Regulations like HIPAA
o Corporate Policies
o Customer Consent
Do You Want to Share
Your Personal Data
with “LoyaltyApp,
LLC”? (more)
Yes No
Articles: 7 8 13

TRANSACTION CONSENT &
APPROVAL
18
Confirm 10,000
Transfer to Acct
#34343434
1. User Initiates
Money Transfer
2. Confirms
Transaction
3. Money Transfer
Approved
Transfer 10,000 to
Account #3434343?
OK
Articles: 7 8 13

CUSTOMER SELF-MANAGED
PROFILE
19
Internal Apps
WebMobile Apps
IoT Devices
Loyalty Rewards
Programs
Customers self-manage
profile and preferences
Preferences are
consistently enforced
across channels
Articles: 15 16

DATA ACCESS GOVERNANCE
Partner
App
Internal
App
• Name
• Social Security #
• Credit Card #
• Preferences
• Date of Birth
• Name
• X
• X
• Preferences
• Date of Birth
• Name
• X
• X
• Preferences
• X
Only received authorized
data attributes
Customer Profile
Articles: 20 25 32

ENFORCE PROPER USAGE OF
CUSTOMER DATA
Enforce customer consent
choices and regulatory
constraints on everyone or
face consequences…
Articles: 20 25 32

MANAGING A GLOBAL
NAMESPACE
22
Data GovernancePartial Data SyncData Residency
Mary Banks
214-555-8048
123 Main St. X
CC# X
Sarah
EU Citizen
Mary
US Citizen
U.S.A. DataEuropean
Sarah’s
Data
Mary’s
Data
U.S.A. DataEurope Data
Articles: 20 25 32

Secure
In Transit
PII data captured and
used in apps
Secure At Rest
Secure During
Replication
Tamper Proof Logs
✓ Best practice password policies
✓ Client connection policies
✓ Limited-access admin accounts
✓ Record-limited access
✓ Tamper-evident logging
✓ Criteria-based logging
✓ Data obfuscation
✓ Data layer encryption
✓ Encrypted backup files, log files, and
change histories
✓ Active and passive alerts
✓ Resource limit policies to mitigate DoS
✓ Simplified integration with 3rd party
security monitoring tools
Fragmented and Vulnerable
Identity Data
Mobile
App
App Data
Loyalty
Programs
Identity Data
Marketing
Programs
App Data
Identity Data
Web
E-Commerce
App Data
Identity Data
App Data
Centralized and Secure
SECURING CUSTOMER
IDENTITY DATA
Articles: 25 32

SYNC AND CONSOLIDATE IDENTITY
DATA
▪ Create unified customer profiles
▪ Consolidate identity data silos
▪ Map data schema and attribute types
▪ Bi-directionally sync identity data
▪ Support different connection methods
and protocols
LDAP
MDM
CRM
Order Mgmt.RDBMS
Active
Directory
Articles: 20

PING – A PRODUCT LEADER IN
CUSTOMER IAM
(KuppingerCole)

DESIGN PATTERNS FOR CONSENT
MANAGEMENT
Compliance

CONSENT PATTERN #1
CONSENT IS ITS OWN OBJECT TYPE
27
Creation /
Renewal of
Consent
Management
of Consent
Revocation /
Expiration of
Consent
Begin
Auditing /
Logging
End
If renew

CONSENT OBJECT TYPE – EXAMPLE IMPL.
Consent Data Description Example
id Unique Identifier urn:X-pingidentity:Opt:Newsletters
description Description of use Consent to send newsletters
destinationType Consent manifestation (i.e. email,
application, terms of service)
Email
version Version # 0.1.1
required Is consent required TRUE/FALSEUser Data – Consent Attributes Description Example
consentId Unique Identifier urn:X-pingidentity:Opt:Newsletters
consentCollector Method of consent collection urn:X-pingidentity::App:my-account
consentTimestamp Timestamp 2017-05-12T16:22:19.043Z
consentExpiration Date of expiration 2018-05-18T16:22:19.043Z
consentPolarity Opt-In or Opt Out 0/1

CONSENT PATTERN #2
CONSENT TRANSPARENCY

CONSENT PATTERN #3
ENFORCING OPT-OUT
30
IF CLIENT_ID = “marketingengine”
AND OPT_IN = FALSE
EXCLUDE EMAIL

CONSENT PATTERN #3
ENFORCING OPT-OUT
31
Same data call but different responses
based on user consent
Same data call but different responses
based on user consent

CONSENT PATTERN #3
ENFORCING OPT-OUT

CONSENT PATTERN #4
CONSENT AS A RESPONSE
33
DATA
GOVERNANCE
APPLICATIONS
USER CONSENT
JSON Object
Think: Polarity or
Metadata?
Service Provider Layer
Identity Provider Layer

CONSENT PATTERN #5
CONSENT COMPLEXITY
34
Opt-In/Opt-Out
Access Grants
OAuth Scopes
Fine
Grained
Terms of Service
Consent Forms
Coarse
Grained
EASE OF USER INTERFACE
BETTER PRIVACY CONTROLS

35
1. Consent as its own object type
➢ Separate consent metadata objects from user consent records
2. Consent transparency
➢ Create a simple, easy to understand UI for your users to manage consent
3. Enforcing opt-out / opt-in
➢ Provide a layer on top of your consent raw data to honor your user consents
4. Consent as a response
➢ Implement your consent data close to your user data
5. Consent complexity
➢ Remember that the more parties that are involved, the more complex consent management
gets
➢ The level of granularity in your consent dictates the ease of user management in contrast to
providing better privacy controls for your users
DESIGN PATTERNS TAKEAWAYS

KEY CUSTOMER IAM BENEFITS
36
Customer Experience
End-to-End Security
Scale & Performance
Privacy
Adaptability
Meet stringent end-to-end security requirements, from
authentication and secure access to data management.
Manage millions of identities and billions of attributes at extreme
scale and performance.
Manage and enforce geographic, industry, corporate and
personal consent customer privacy directives.
Support modern application architectures and support on premise,
cloud, or hybrid deployment options.
Deliver secure, seamless and personalized customer experiences
across all channels and devices.

LIVE Q&A
Please visit
www.pingidentity.com/GDPR
For More Information:

GDPR & Customer IAM: The Real Winners Won’t Stop At Compliance

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à GDPR & Customer IAM: The Real Winners Won’t Stop At Compliance

Similaire à GDPR & Customer IAM: The Real Winners Won’t Stop At Compliance (20)

Plus de Ping Identity

Plus de Ping Identity (20)

Dernier

Dernier (20)

GDPR & Customer IAM: The Real Winners Won’t Stop At Compliance