Why a Data Privacy Officer isn’t the solution for GDPR

The era when complex legalese and small print were considered sufficient user information is over. So are the times when users consenting to their data being shared had no way of knowing who would gain access to it. Transparency of data access and processing is paramount under the EU’s General Data Protection Regulation (GDPR), which will affect all organisations processing data of EU citizens from May 2018 onwards.

As a legal document, the GDPR is huge. It contains over 90 articles with lots of legal talk, but businesses shouldn’t assume that the legal team or a newly appointed Data Privacy Officer (DPO) will simply be able to solve the problem. Many of the new requirements are first and foremost questions of technological capability, including the ability to tag data for platform-wide analytics or to apply a modern consumer identity and access management design pattern, while other functions such as end user dashboards, registration journeys and consent frameworks will need updating.

Luckily, some of these requirements can be met by successfully applying a consumer identity and access management platform. Here are some tips for organisations that want to better understand the identity-related requirements of GDPR and how and why identity platforms should be used in the new regulatory setting. 

Personal data 

The GDPR focuses on making sure personal data is processed legally and that data is only stored for as long as necessary and for a specific purpose. An additional requirement is a full end user interface through which users can check that their data is up to date and accurate.

Most organisations are collecting more data, and more frequently, than ever before. Some data is explicit, such as your full name and date of birth when you register for a service, while other data is more subtle, such as location, history and preference details.

Of course, all this personal data needs to have the necessary security, confidentiality, integrity and availability constraints applied to it, which will require least-privilege administrative controls and data persistence security, such as the appropriate hashing or encryption. To manage all these different aspects successfully, a customer identity and access system is a good place to start.

Lawful processing 

When hearing the term “lawful processing” one automatically thinks of the legal team or the newly appointed DPO, even though it is often a security, identity or technology issue. The lawful processing of data under GDPR also has a significant requirement surrounding the capture and management of consent.

But what is meant by explicit consent? The data owner needs to be made fully aware of the data that has been captured, for what purpose and who has access to it, before giving consent.

The service provider, on the other hand, needs to explicitly capture consent in the form of the end user "opting in" to their data being used and processed, as opposed to an implicit "opting out". This will require a transparent, user-driven consent system, with sharing and, more importantly, timely revocation of access. Protocols such as User Managed Access may come in useful here.

User Managed Access (UMA), a Kantara Initiative industry standard, provides a mechanism for an end user, or data owner, to be in control of who can access their data and when. Traditional authorisation protocols have focused on centralised IT administrators generating access policies. These policies then provide the foundation for system, service or data access by individuals and third parties. But in today’s highly consumer-centric landscape, the end user is now the explicit custodian of authorisation decisions. UMA puts the decision making right into the hands of the end user, allowing them to pro-actively share, and more importantly revoke, access to their data. This is a key foundation of GDPR consent management.
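The consent model described in the two paragraphs above (explicit opt-in per purpose, the recipients disclosed to the user, and revocation that takes effect immediately) can be illustrated with a small consent store. This is an added example and not ForgeRock code or part of the UMA specification; the class and method names (ConsentStore, opt_in, revoke, check, dashboard) and the sample subject, purpose and recipient strings are assumptions for the illustration. The point it makes is the default: if no opt-in record exists, or the record has been revoked, or the recipient was never disclosed, processing is denied, and every decision is recorded in an audit trail.

```python
"""Explicit, purpose-bound consent with immediate revocation (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


class ConsentDenied(Exception):
    """Raised when processing is attempted without an active, matching opt-in."""


@dataclass
class ConsentRecord:
    purpose: str                       # what the data will be used for, in plain words
    recipients: FrozenSet[str]         # third parties named to the user at opt-in time
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.revoked_at is None


class ConsentStore:
    """Per-subject, per-purpose consent records with an append-only audit trail (hypothetical store)."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, ConsentRecord]] = {}
        self.audit: List[Tuple[str, str, str, datetime]] = []

    def opt_in(self, subject: str, purpose: str, recipients, now: Optional[datetime] = None) -> ConsentRecord:
        """Record an explicit opt-in for one purpose and the recipients disclosed for it."""
        now = now or datetime.now(timezone.utc)
        record = ConsentRecord(purpose, frozenset(recipients), now)
        self._records.setdefault(subject, {})[purpose] = record
        self.audit.append(("opt_in", subject, purpose, now))
        return record

    def revoke(self, subject: str, purpose: str, now: Optional[datetime] = None) -> bool:
        """Revocation is immediate: the next check() after this call is denied."""
        record = self._records.get(subject, {}).get(purpose)
        if record is None or not record.active:
            return False
        record.revoked_at = now or datetime.now(timezone.utc)
        self.audit.append(("revoke", subject, purpose, record.revoked_at))
        return True

    def check(self, subject: str, purpose: str, recipient: str) -> bool:
        """Gate every processing step on an active opt-in that covers purpose and recipient."""
        # Default deny: the absence of a record is not consent (no implicit opt-out).
        record = self._records.get(subject, {}).get(purpose)
        if record is None:
            raise ConsentDenied(f"{subject}: no explicit opt-in for purpose {purpose!r}")
        if not record.active:
            raise ConsentDenied(f"{subject}: consent for {purpose!r} revoked at {record.revoked_at.isoformat()}")
        if recipient not in record.recipients:
            raise ConsentDenied(f"{subject}: {recipient!r} was not disclosed for {purpose!r}")
        return True

    def dashboard(self, subject: str) -> List[dict]:
        """What a user-facing consent dashboard would show for this subject."""
        return [
            {"purpose": r.purpose, "shared_with": sorted(r.recipients), "active": r.active}
            for r in self._records.get(subject, {}).values()
        ]


if __name__ == "__main__":
    store = ConsentStore()
    store.opt_in("alice", "marketing-email", ["acme-mailer"])   # constructed sample values
    print(store.check("alice", "marketing-email", "acme-mailer"))
    store.revoke("alice", "marketing-email")
    print(store.dashboard("alice"))
```

In a real platform the store would be the identity system's consent service and the check would sit in front of every data flow to a third party; the structure (purpose, disclosed recipients, timestamps, default deny, audit) is what matters rather than the in-memory dictionary used here.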

Individuals’ right to be informed

Following directly from the lawful processing aspect comes the entire area of end user information. At the centre of these new requirements is the stipulation that the end user needs to be in a position to make informed decisions about a series of important issues, including data sharing, service registration, data revocation and so forth.

Moreover, non-technical language is now a must, with clear explanations of why data has been captured and which third parties have access to it. This process is closely connected to the consent model. The data owner must be enabled to make consent decisions, the prerequisite for which is the provision of simple to understand information. Registration flows will need to become much more progressive, collecting data only when it is needed and explaining clearly why the data is required and what processing will be done with it. The practice of registration forms that demand many attributes up front is dead.

Individuals’ right to rectification, export and erasure

GDPR certainly stipulates some important new requirements here. If you are a service provider, do you have a system in place that allows your end users to clearly see what data you have captured about them, and that provides that information in a user-friendly dashboard where they can make changes and keep it up to date? Does your system allow the data owner to export that data in a machine-readable, standard format such as CSV or JSON? There are many things to think about in terms of the right technology and user interface.

Another interesting aspect is the right to erasure, as it assumes that you know where your end user data resides, and also which systems hold it, which attributes, and what correlations or translations have taken place. Do you have the ability to issue a de-provisioning request to either delete, clean or anonymise that data? If not, you may need to investigate why, and what can be done to remediate it.
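The three rights in this section (rectification, export, erasure) only work if you know every system that holds an attribute about the subject. The following added example, which is not code from the article or from ForgeRock, models that with a registry of systems of record and implements a JSON export, a rectification that touches every copy, and an erasure request that deletes where it can and anonymises where another retention duty forbids deletion, followed by a verification pass that checks no identifier survives. The system names, attribute names, the PII_FIELDS set and the sample records are constructed for the illustration.

```python
"""Export, rectification and erasure across several systems of record (added example)."""
import hashlib
import json
import secrets
from typing import Dict, List

# Attributes treated as identifying a person; everything else is kept when anonymising.
# Constructed list for the example; a real inventory comes from data classification.
PII_FIELDS = {"name", "email", "dob", "location_history"}


class DataSystem:
    """One system of record; records are keyed by subject id (hypothetical class)."""

    def __init__(self, name: str, records: Dict[str, dict], retention_required: bool = False) -> None:
        self.name = name
        self.records = records
        # True where another legal duty (e.g. invoice retention) forbids outright deletion,
        # so an erasure request is met by anonymising the record instead.
        self.retention_required = retention_required


def export_subject(systems: List[DataSystem], subject_id: str) -> str:
    """Data portability: everything held about the subject, as one JSON document."""
    bundle = {"subject_id": subject_id, "systems": {}}
    for system in systems:
        if subject_id in system.records:
            bundle["systems"][system.name] = system.records[subject_id]
    return json.dumps(bundle, indent=2, sort_keys=True)


def rectify(systems: List[DataSystem], subject_id: str, field: str, value) -> int:
    """Right to rectification: correct one attribute in every system that holds it; returns how many."""
    updated = 0
    for system in systems:
        record = system.records.get(subject_id)
        if record is not None and field in record:
            record[field] = value
            updated += 1
    return updated


def anonymise(record: dict) -> dict:
    """Drop every identifying attribute and keep the rest (e.g. an invoice total)."""
    return {k: v for k, v in record.items() if k not in PII_FIELDS}


def erase_subject(systems: List[DataSystem], subject_id: str) -> Dict[str, str]:
    """Issue a de-provisioning request to every system and report what each one did."""
    # A fresh random salt per request, discarded afterwards, so the pseudonymous key
    # that replaces the subject id cannot be linked back to it.
    salt = secrets.token_bytes(16)
    pseudonym = hashlib.sha256(salt + subject_id.encode()).hexdigest()[:16]
    report: Dict[str, str] = {}
    for system in systems:
        if subject_id not in system.records:
            report[system.name] = "not-present"
        elif system.retention_required:
            record = system.records.pop(subject_id)
            system.records[pseudonym] = anonymise(record)
            report[system.name] = "anonymised"
        else:
            del system.records[subject_id]
            report[system.name] = "deleted"
    return report


def residual_references(systems: List[DataSystem], identifiers: List[str]) -> List[str]:
    """Verification after erasure: names of systems where any identifier still appears."""
    hits = []
    for system in systems:
        blob = json.dumps(system.records)
        if any(ident in blob for ident in identifiers):
            hits.append(system.name)
    return hits


def sample_systems() -> List[DataSystem]:
    """Constructed sample data: three systems holding data about one subject."""
    return [
        DataSystem("crm", {"u123": {"name": "A. Example", "email": "a@example.org", "dob": "1990-01-01"}}),
        DataSystem("analytics", {"u123": {"location_history": ["City A", "City B"], "plan": "basic"}}),
        DataSystem("billing", {"u123": {"email": "a@example.org", "invoice_total": 42.0}}, retention_required=True),
    ]


if __name__ == "__main__":
    systems = sample_systems()
    print(export_subject(systems, "u123"))
    print(erase_subject(systems, "u123"))
    print("residual:", residual_references(systems, ["u123", "a@example.org", "A. Example"]))
```

The verification step is the part most often missing in practice: an erasure request that is issued but never checked against every system of record leaves the organisation unable to answer the question the section opens with, namely where the end user's data actually resides.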

Not just a compliance exercise

Privacy is now becoming a competitive differentiator. The GDPR should not just be seen as an internal compliance exercise, but as a potential launch pad for building closer, more trusted relationships with your end users.

Whilst many organisations are looking at employing a DPO to read through all the legalese and developing data analytics and tagging processes, many need to embrace and understand the capabilities of their customer identity platforms first. 

Simon Moffatt, Access Management Technical Product Manager, ForgeRock 
