Implications of GDPR in conjunction with UMA
TRANSCRIPT
© 2017 ForgeRock. All rights reserved.
GDPR
@hannsnolan
ForgeRock Identity Platform!
some of the more identity related components of the GDPR
Significant penalties for GDPR infractions start on May 25, 2018.
GDPR is different, and FR is different
• GDPR applies to every organization selling to or monitoring anyone in the EU
• GDPR has a firm deadline (May ‘18), high penalties (4% of global turnover), and high aspirations (human rights)
• Privacy tools assess/ensure compliance
• GDPR tools target risk teams
• We sell to digital teams
• Who need to own and drive this challenge -- quickly -- so that it becomes a triumph vs. a tragedy
Impact of GDPR: some of the more identity related components of the GDPR
• Consent for processing personal data
• Proof of Consent (data & processing!)
• Consent per purpose (including revocation)
• DPO (Data Protection Officer) are required (e.g. external)
• DPIAs (Data Protection Impact Assessment) under certain circumstances
• Data breach notification within 72 hours
• Massive data control rights (forgotten, freeze, export rights)
• Privacy by default
• PLUS organizational/other requirements (out of scope here)
What to take care of?
• Personal Data
  • where is your data? -> least privileged? encryption?
• Lawful Processing
  • law and IDM? YES -> user consent driven!
• Individual's Right to Rectification, Export and Erasure
  • new requirement! Big challenger: export, erasure
End user dashboards, registration journeys and consent frameworks will need updating!
What to do?
End user dashboards, registration journeys and consent frameworks will need updating.
Don't see it as a compliance exercise! The interesting aspect is that privacy is now becoming a competitive differentiator.
A holistic view of the ForgeRock Identity Platform
Identity data governance; single view of the consumer
Giving the consumer a single view of their consents
Giving the consumer control over their consents
● Lifecycle management of user profile and data sharing preferences
● Secure storage of profile data
● Anonymised syncing of profile data and connector-based integration to third-party systems
● Data residency and fractional replication
● ToS and privacy policy capture at registration and authentication time
● Social/federated sign-in
● Social registration
● Social consent management
● Interoperable, user-driven, proactive and reactive sharing flows
This is not a “UMA proposal”
• UMA is one enabler of a suite of potential capabilities that build on our core platform strengths for a general strategic P&C capability
• But it is an important enabler that plays into:
  • Cloud (loose coupling of APIs/services for building partner ecosystems)
  • Bilateral service<->user dialog required for ability to deliver explicit consent (stronger definition of consent required by GDPR)
  • Use cases especially favored by IoT use cases
• We can call new/enhanced P&C capabilities/module(s) anything we like
Technical Challenges
• Holistic single view of the customer
• Consent sharing (legacy backend apps!)
• New innovations and trust (Container, Micro Services, Blockchain etc.)
• Redesigning/Creating frontends/touchpoints
• Keep customer data accurate and protected
Building a (bilateral) trusted digital relationship -- a high-level proposal
Single view of the customer Consent lifecycle management
Giving the customer context, control, choice, and respect
• Existing platform has many strengths
• Benefits for compliance are under-marketed (can’t even attempt “right to be forgotten” if you don’t know where all the data is…)
• We don’t have packaged solutions targeted to P&C challenges, just a “bag of tools” (KC’s CIAM report)
• We don’t have direct P&C solutions today
• GDPR has some requirements here
• IDM, CAUD, and AM in concert have great potential
• Consent Receipts, OAuth, and UMA are relevant standards
• We have hints of solutions here (early UMA)
• GDPR has some requirements here
• UMA is a relevant standard
Patient selectively sharing IoT health data with doctors and other caregivers
Patient view Doctor view
Granular consented access by accountant to bank customer’s account data and transactions
Consent within IDM and Sync
ForgeRock | ForgeRockIdentity | Forgerock.com | Forgerock.com/blog
Thank you
Further Readings
• GDPR at ForgeRock
• Webinar with Eve Maler
• Introduction ForgeRock Identity Platform
• The Role of Identity by Simon Moffatt