ciam guide to addressing gdpr requirements
TRANSCRIPT
CIAM Guide to Addressing GDPR Requirements
At nearly 300 pages, the GDPR is a mountain of complex regulation that businesses must climb to survive – this guide
will help you plan your best route to the top.
RIGHT TO BE FORGOTTEN
RIGHT TO EXPORT
NOTIFICATION MANAGEMENT
CONSENT MANAGEMENT
FAIR PROCESSING
CROSS-BORDER PRACTICES
DEFINING PII
2
Table of ContentsTable of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
To Prepare for the GDPR, Think “Privacy by Design” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
About the General Data Protection Regulation (GDPR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
CIAM Takes Hold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Trust — or Bust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Privacy by Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
What is the Potential Impact of the GDPR? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 On Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
On IT Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Understanding Compliance – At A Glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Consent Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Customer Data Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Data Localization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Social Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Data Privacy Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Understanding GDPR Compliance - By the Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Article 7: Customer Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Article 15: Right of Access by the Customer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Article 16: Right to Rectification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Article 17: Right to be Forgotten . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Article 18: Right to Restriction of Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Article 28 (3)(G): Deletion of Inactive Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Article 8: Conditions Applicable to a Child’s Consent in Relation to Information Society Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
More Regional Data Privacy Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Data Localization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Gigya’s Russian Data Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Gigya’s China Data Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
The Gigya Privacy by Design Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
How does it work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
In Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3
To Prepare for the GDPR, Think “Privacy by Design”You may have noticed that the topic of data privacy and security is no longer limited to the back-office . As corporate strategy becomes increasingly reliant on digital technologies, consumer data has become the chief currency of business in a marketplace where customer experience is edging out price and even product quality as the prime differentiator for brands . But many consumers harbor a growing wariness about how and why businesses are using their personal information .
For example, a 2017 survey1 by Gigya of more than 4,000 adults in the U .S . and UK turned up some important insights into people’s feelings about online security and privacy, including these statistics:
• Sixty-eight percent of respondents don’t trust brands to appropriately handle their personal information, such as name, email, location or marital status .
• Sixty-nine percent of respondents are worried about device security and privacy risks with increased adoption of IoT devices .
• Seventy percent of respondents use seven or fewer passwords across their many online accounts, indicating poor password habits .
Governments, regulators, voters and consumer advocates across the globe are demanding an overhaul of consumer protection laws, resulting in a wave of privacy legislation that is changing the game for the digital enterprise . The most notable of these new decrees is the European Union’s General Data Protection Regulation (GDPR) .
About the General Data Protection Regulation (GDPR)This comprehensive document was created with input from multiple EU member states and has robust enforcement mechanisms . The GDPR was designed not only to standardize privacy practices across the EU, but to influence how countries outside the EU design their own legislation around data protection and privacy . Importantly, the GDPR applies not only to data captured and processed by EU-based businesses, but also to any organization outside the EU that processes the personal data of EU consumers in order to offer goods or services to them . The regulation officially goes into effect on May 25th, 2018 .
1 Gigya, The 2017 State of Consumer Privacy and Trust https://www .gigya .com/resource/report/2017-state-of-consumer-privacy-trust/
4
What’s New? What’s Different?
The new law represents a fundamental shift in the balance of rights and obligations between consumers and businesses . There are a number of new elements to consider, including broader definitions of personal data and new rights for consumers in terms of data portability, requirements to notify customers — as well as authorities — of data breaches, and higher standards for obtaining and managing consent .
While significantly larger fines will apply when companies are not in compliance, the major shift in the law is about giving consumers control over their personal data .
PII Versus Personal Data — A Broader Definition
Personally Identifiable Information (PII), a commonly used term in North America, refers to a relatively narrow range of data such as name, address, birth date, Social Security number and financial information such as credit card numbers or bank accounts .
Personal data, in the context of GDPR, covers a much wider range of information . The definition includes all tracking data which enables identification of consumers . For example, the aspect of “indirect identification” means that data gathered using cookies could be considered personal data . Also included in the definition are social media posts, photographs, lifestyle preferences, transaction histories and IP addresses .
CIAM TAKES HOLDCustomer identity and access management (CIAM) solutions can be considered important to help businesses address their obligations under GDPR . For years, most online marketing was done anonymously, marketing to IP addresses — not individuals — using tracking cookies, behavioral targeting networks and Data Management Platforms, without the use of consumers’ personally identifiable information (PII) .
Under the GDPR the definition of “personal data” has been expanded to include attributes not traditionally considered personally identifiable information (PII) . More importantly, the conditions for consent have been expanded to include obligating businesses to obtain unambiguous and verifiable consent from their customers for the processing of their personal data .
Addressing these requirements usually falls outside the core competencies of systems designed to manage anonymous, third-party data . This is driving a new trend in digital strategy, with businesses leveraging CIAM solutions to encourage consumers to identify themselves online in transparent and fair exchanges of value for information, under conditions of trust and security . CIAM solutions also enable businesses to maintain customer data in one place, while addressing GDPR requirements to keep granular records on consent .
BUSINESSES IN THE UK WILL BE SUBJECT
TO GDPR DURING THE BREXIT PROCESS,
AFTER WHICH THE INFORMATION
COMMISSIONER’S OFFICE HAS SET
EXPECTATIONS THAT WHATEVER
REPLACES THE LAW WILL BE “ESSENTIALLY
EQUIVALENT.”
5
TRUST — OR BUSTWhile it’s clear that customer identity is now the core of digital marketing, it’s important to bear in mind that identity is not binary and there can be many steps between an unknown visitor and a known customer . Today’s savvy and mobile customers are free to engage with brands from a growing range of devices and channels, but overall are searching for convenience, value and consistency . The new customer journey can begin at any time or place, and certainly doesn’t end at purchase or conversion .
This is why the most successful businesses are incentivizing engagement by offering value propositions such as premium content or exclusive promotions to online visitors and ensuring that, once converted, customers can easily edit, amend, delete and freeze processing of their personal data, or rescind their consent to store and use it .
Gigya’s Customer Identity Management platform enables businesses to progressively build and manage rich customer identities and relationships throughout the entire buyer lifecycle . Built specifically for the enterprise, our platform helps clients address GDPR requirements and mitigate the risk of non-compliance by providing a centralized system for managing customer data and consent across all marketing channels and devices .
PRIVACY BY DESIGNGigya’s CIAM platform provides customer registration, login and preference management, often across multiple digital properties, in order to build rich customer profiles . These profiles can be used for profile and consent management, enabling businesses to control their captured consumer personal data in a transparent and centralized manner across many sites and apps . In order to do this consistently and at massive scale, Gigya employs a set of technical, strategic and design principles known as “Privacy by Design .”
Privacy by design, a collection of data privacy best practices (as defined at the end of this document), is built into the Gigya platform, woven through our technical implementation and product design and taught to our clients as foundational principles
through GigyaWorks Global Services workshops . Privacy by design elements include consent management strategy, data auditing, data extraction, data deletion, freezing of data processing and more .
Using these principles, Gigya’s CIAM platform can help businesses address many of the requirements of the GDPR and other data protection and privacy regulations . These best practices are based on self-assessments from clients’ legal and business teams, and are important for delivering transparency and control to customers regarding their personal data .
PRIVACYBY DESIGN
7 Foundational
Principles
Proactive not
Reactive;
Preventative not Remedial
Privacy as the Default
Setting
Privacy Embedded into Design
Full Functionality – Positive-Sum, not Zero-Sum
Visibility and Transparency –
Keep it Open
End-to-End Security – Full
Lifecycle Protection
Respect for User Privacy –
Keep it User-Centric
6
What is the Potential Impact of the GDPR?
ON BUSINESSThis new regulation will introduce a range of requirements that will have significant impacts on organizations, but the component most likely to draw attention from the C-suite is the provision on penalties and fines . In a stark departure from previous data privacy legislation in Europe or elsewhere, the GDPR authorizes regulators to levy steep fines of up to €20 million or four percent of annual revenue, whichever is higher .
ON IT INFRASTRUCTURE
Are You Agile Enough?
Understanding how customers’ personal data is stored and processed across your entire digital ecosystem will likely require a deep assessment of your technology stack to determine whether your system is flexible enough to consistently obtain, track and accurately report on customers’ profiles, preferences and consent . Importantly, this must be done across every channel, device and stage of the buyer journey, and across every marketing, sales and service application processing customer data . Does your customer identity management solution have the agility to consistently manage new deployments that have addressed GDPR requirements and that optimize customer experience? For example:
• Can you add new attributes to registration and login forms and the associated back-end components in a consistent and timely fashion?
• Do you have a detailed audit trail that you can easily query to confirm opt-ins on e-shops, portals and apps?
• Do you have enhanced profile management (“My Account”) screens that allow self-service access for customers to view, edit, download, delete and freeze processing of their personal data?
Are You Fully Connected?
Large, cloud-driven stacks have a lot of downstream dependencies for any changes made to a self-service customer profile . For example, whether a customer wants to opt out of a newsletter on your website, the terms of service change for your mobile app, or for any number of other actions for which the GDPR requires consent to be obtained, mechanisms
Estimated number of new Data Protection Officers
required in Europe (IAPP study 20162)
28,000
Cost of a 4% fine to a company
with $500m turnover
$20m
New requirements in the GDPR
80+
Core individual rights afforded under the GDPR
7Potential fines as a
percentage of global turnover
4%
Countries potentially in scope
of the regulation
190+
Hours given to report a
data breach
72
2 Source: International Association of Privacy Professionals: https://iapp .org/news/a/study-at-least-28000-dpos-needed-to-meet-gdpr-requirements/
7
must be in place to notify every applicable downstream application so they always reflect the current state of the profile . Ask yourself these questions:
• Are you storing customer consent — wherever it is given — in a centralized way?
• Do you have mechanisms in place for downstream notifications — such as flexible ETL functionality and customizable webhooks — to enable bi-directional syncing of consent across every marketing, sales and service application in both batch mode and real-time, depending on the application?
Are You Fully Unified?
If your profile and consent data exists in silos — such as ESP, CRM and DMP systems — with no easy way to send or receive notifications about changes to profiles or preferences, it’s both hard to know if you’re in compliance and easy to fall out of compliance without warning . It’s also a challenge to fully understand complete digital customer journeys, and perhaps impossible to synchronize data across the entire tech stack . This is often the case for businesses which have not yet implemented a dedicated customer identity management solution . For example, ask yourself:
• Do you maintain one profile database for subscription management in your ESP solution and another for your CRM platform? Are you able to synchronize these records and do you have a single source of truth?
• Are you using your DMP to drive media activation and optimization with third-party data?
• Are all these attributes consistently unified to provide an accurate view of each customer’s consent and preferences across the business?
Understanding Compliance - At A GlanceLet’s look into key considerations when assessing data privacy and compliance for the GDPR and other regulations around the globe .
CONSENT MANAGEMENTShould consent be determined to be the lawful basis for processing personal data, the GDPR requires that any mechanism for obtaining consent arguably goes far beyond current practices . Businesses must allow customers to easily modify their consent preferences .
Some of the consent management functions Gigya’s platform provides include:
• Storing consent for terms of service (TOS) and the specific version of TOS at the time consent was granted
• The ability to prompt customers to re-grant consent if TOS change
• Detecting a customer’s age and preventing login if they are under the legal age of consent
• Triggering parental consent to accept customers below a minimum age
Consent Management
Customer Data
Control
DataLocalization
SocialCompliance
DataPrivacy
Regulations
8
CUSTOMER DATA CONTROLGDPR requires businesses to give individuals control over their personal data, including the ability to view, freeze, download and delete their personal data . Gigya’s platform provides:
• The ability for customers to easily update, export, and delete their profile and preference data
• The ability to freeze or deactivate an account
DATA LOCALIZATIONRegional data localization laws, such as the Russian Federation’s Personal Data Protection Act, generally require companies collecting personal data of citizens in that country to process and store that personal data within the country . Gigya helps clients address such laws with regional data centers in North America, Europe, Australia, Russia and China .
SOCIAL COMPLIANCESocial networks like Facebook and Twitter have legal terms applicable to businesses when they implement Social Login on their digital properties . For example, upon each login, businesses are required to keep the customer’s profile in sync with profile and preference data on each social network . Gigya’s platform:
• Manages TOS for more than 25 social networks and other identity providers
• Syncs personal data in real time between social networks and customer profiles
• Deletes non-public data, according to customer permissions
DATA PRIVACY REGULATIONSThere are a number of other data privacy regulations and laws around the world that may be applicable to businesses with respect to their customers’ personal data . Gigya’s Customer Identity Management platform features are designed to help businesses address the requirements of these various laws and regulations with respect to data privacy and personal data .
Consent Management
Customer DataControl
DataLocalization
SocialCompliance
DataPrivacy
Regulations
Customer Data
Control
Consent Management
DataLocalization
SocialCompliance
DataPrivacy
Regulations
Customer Data
Control
Consent Management
DataLocalization
SocialCompliance
DataPrivacy
Regulations
Customer Data
Control
Consent Management
DataLocalization
SocialCompliance
Data PrivacyRegulations
9
Anti-Spam Regulations:
Regional anti-spam laws have various opt-out requirements regarding certain marketing activities . Gigya’s CIAM Platform:
• Provides default support in our Registration-as-a-Service (RaaS) solution’s user interface for opt-in and opt-out options, as well as custom support for opt-down
• Enables businesses to configure country-specific custom rules for each digital property
• Helps businesses address the anti-spam requirements of various countries by offering registration, login and preference management screens that can be configured to include specific opt-in functionality
Children’s Privacy
Gigya’s CIAM platform functionality allows businesses to ask online visitors to confirm their age and can prevent registration if that individual is below the legal age of consent in their country . Gigya can also support auto-deletion of the records of users below a particular age .
Accessibility Compliance
Gigya CIAM platform allows business to use out-of-the-box workflows that allow visually-impaired customers to navigate online processes using only their keyboards to address some of the requirements of the Web Content Accessibility Guidelines (WCAG) and the Americans with Disabilities Act (ADA) .
Gigya Facilitates Support for many Regulations
REGULATIONS
GDPR EU
COPPA US
Data Residency RU, CN
Privacy Shield EU-US
Privacy Bill of Rights US
Various Anti-Spam Acts CA, US, EU
Web Content Accessibility Guidelines Global
Health Insurance Portability and Accountability Act US
10
Understanding GDPR Compliance – By the Numbers
ARTICLE 7: CUSTOMER CONSENT
7(2) Consent
Consent must be explicit and unambiguous and must be obtained for each different processing activity .
How Gigya’s CIAM can Help
Gigya’s registration forms are 100% customizable via UI builder, extensible markup language, or direct API access, allowing Gigya’s clients to obtain separate instances of consent in order to provide:
• A lawful basis for processing (consent)
• Privacy policy and TOS adherence
• Marketing and account preferences
7(1) Consent Documented
Businesses must provide records of the customer’s consent, including the conditions under which each customer has given their consent and the specific purpose for which consent was obtained . For example:
• When creating new accounts: A customer clicks a register now button, creates a new account and clicks to accept TOS .
• When reaccepting updated TOS: A customer logs out, later logs back in and is asked to accept new TOS .
• When opting in or out: A customer clicks into “My Account” and opts in or out of newsletters, events or other available options .
How Gigya’s CIAM Platform can Help
To manage evidence of consent across the entire customer journey, Gigya obtains and stores first-party metadata via registration forms, including for the intended use of data .
7(3) Right to Withdraw Consent
Customers must be able to easily withdraw consent for the collection or processing of their personal data at any time .
How Gigya’s CIAM Platform can Help
Through Gigya’s Profile Management system, customers can quickly and easily access their consent preferences at any time to change or withdraw consent . Additionally, Gigya’s integrations with email service providers and marketing automation solutions are bi-directionally synchronized . This means that any changes to opt-outs on third-party applications are reflected on customers’ Gigya profiles as well, enabling truly centralized consent management .
11
ARTICLE 15: RIGHT OF ACCESS BY THE CUSTOMERCustomers must be able to be view, export and edit their personal data at any time . Also, customers have the right to be provided with information about all personal data stored by the applicable businesses .
How Gigya’s CIAM Platform can Help
Gigya’s clients can enable their customers to view and edit all of their personal data via profile screens . This includes not only data collected by Gigya, but also information from client-requested integrations between third-party solutions and our Profile Management database .
ARTICLE 16: RIGHT TO RECTIFICATIONCustomers must be able to easily change profile and opt-in preferences or correct inaccurate information stored by any business on their behalf . Customers must also be able to request that changes be made to their profiles and preferences by the business on their behalf, in a reasonable amount of time and via a simple communication method such as email .
How Gigya’s CIAM Platform Helps
Gigya provides profile update forms to enable customers to edit their marketing opt-ins and account preferences . A client administrator can also update this information on the customer’s behalf via Gigya’s Admin Console using the Identity Access tool . In addition, our integrations with email and marketing automation tools are bi-directional, updating
customer records with any opt-outs initiated via third-party platforms .
ARTICLE 17: RIGHT TO BE FORGOTTENCustomers have the “right to be forgotten” — that is, have their personal data erased by the business, for reasons that include:
• The information is no longer necessary to fulfill the purposes for which it was originally collected .
• The customer withdraws consent for the business to perform the activity for which the processing is based .
• The customer objects to the purpose for personal data processing and the business cannot provide compelling, legitimate grounds to continue doing so .
• The customer’s personal data was collected or processed unlawfully .
• The customer’s personal data must be erased in order to comply with a legal obligation of that person’s country of origin .
12
How Gigya’s CIAM Platform can Help
Gigya’s CIAM platform features a delete mechanism for customer profiles that is easily accessible by registered customers . Console administrators can also delete profiles upon customers’ request . Gigya is also able to delete profile information on synchronized downstream applications using customizable webhooks and flexible ETL functionality when a customer deletes an account in a Gigya profile screen .
ARTICLE 18: RIGHT TO RESTRICTION OF PROCESSINGCustomers have the right to request that businesses freeze processing of their personal data for any of the following reasons:
• The customer contests the accuracy of their personal data . In this case, processing of the customer’s personal data must cease for the period required to verify the accuracy of the information .
• Personal data processing is deemed unlawful and the customer requests that their data be frozen rather than deleted .
• The business is no longer processing the customer’s personal data, but the customer requires that the personal data continue to be stored by the business to establish, exercise or defend legal claims .
• The customer has objected to processing of their personal data . In this case, the personal data should not be processed until the business’ grounds for processing are verified as either legitimate or illegitimate .
Businesses are also required to inform customers before beginning the processing of personal data after a restriction is lifted .
How Gigya’s CIAM Platform can Help
Gigya’s clients can easily tag individual profiles as inactive when their customers request to have their accounts frozen . In this case, login is prevented automatically and tagged customers can be filtered out of any processing activity . Clients can leverage customizable webhooks and ETL functions to help ensure that profiles are updated on third-party solutions as well .
13
ARTICLE 28 (3)(G): DELETION OF INACTIVE DATAThe GDPR requires that businesses purge a customer’s personal data if the customer deletes their profile, or if that profile has been inactive for a predetermined amount of time . All copies of such data must be purged as well, unless otherwise specified by law . Associated data must also be purged from any third-party technologies, such as
CRM or ESP solutions .
How Gigya’s CIAM Platform can Help
When a customer’s account has been inactive for a predetermined amount of time, or if a customer chooses to delete their account information, that data is automatically purged from Gigya’s database after a contractually mandatory 60-day period via scripts that can be customized by clients .
ARTICLE 8: CONDITIONS APPLICABLE TO A CHILD’S CONSENT IN RELATION TO INFORMATION SOCIETY SERVICESThe GDPR prohibits businesses collecting and processing the personal data of minors without the express consent of a parent or guardian . The regulation defines the age of consent as 16 within the EU, and not below 13 elsewhere . Businesses are required to make reasonable efforts to verify the age of online users before processing their data, taking into account available technology .
How Gigya can Help
Gigya’s clients are able to customize their implementations to ask an online visitor’s age and prevent registration if that person is below the legal age of consent in their country . Gigya can also support auto-deletion of the records of users below a particular age . Additionally, Gigya’s clients can include parental consent forms to their registration and login screens .
14
More Regional Data Privacy Regulations
DATA LOCALIZATIONA number of countries have data localization regulations, notably Russia and China, which generally require that personal data of their citizens collected in their respective countries be processed and stored within their respective national borders .
Gigya’s Russian Data Center
To help its clients address the Russian data localization requirement to process and store personal data of its citizens in Russia, Gigya opened a data center located in Russia in 2016 .
Gigya’s China Data Center
Gigya opened a cloud-based data center in Shanghai in April, 2017 . Personal data stored in China will remain discrete from that stored in Gigya’s other four data centers . Personal Data is replicated in real time between two separate data centers within China, and each server role operates in a cluster to eliminate a single point of failure . The Chinese data center is certified for ISO27001, ISO27018, SOC 1 and SOC 2 .
A Global Footprint
All Gigya’s data centers operate with fully redundant capacity and incorporate disaster recovery capability at a regional level . Gigya’s world-spanning data infrastructure helps our large digital enterprise clients to drive complex, multi-national strategies while keeping up with a constantly evolving regulatory landscape .
North America
Europe Russia
Australia
China
SOCaicpa.org/soc
Formerly SAS 70 Reports
AIC
PA S
ervic
e Organization Control Reports
S E R V I C E O R G A N I Z AT I O N S
15
The Gigya Privacy by Design ProgramIf your business is preparing to address the new requirements of the GDPR, Gigya can help you clear a path to compliance . The Gigya Privacy by Design Program, delivered by GigyaWorks Global Services, uses an iterative methodology to assess your business’ CIAM needs and help you prepare for GDPR compliance . Built on knowledge gained from hundreds of enterprise deployments around the globe, this comprehensive program is tailored specifically for your business needs today and geared to prepare you for the future .
How does it work?
This thorough program offers onsite client engagements and customized-per-client documentation from the GigyaWorks Global Services team to support the implementation of privacy by design best practices for our clients’ CIAM business initiatives . The GigyaWorks team leverages an iterative methodology to help your team achieve rapid and and effective results .
• Client Technical Readiness Self Assessment: In preparation for the Privacy Strategy workshop, Gigya will equip clients’ legal and business teams with a self-service GDPR Technical Readiness Self Assessment Checklist . The results are intended to clearly define which regulations apply to the business and which CIAM functions to prioritize in order to quickly and efficiently prepare for GDPR compliance .
• Privacy by Design Strategy Workshop: The GigyaWorks Global Services team will work onsite with clients’ legal and business teams to define which customer identity management best practices and strategies are required to meet GDPR compliance in advance of implementation .
16
• Privacy by Design Blueprint: Based on the outcome of the Self Assessment and the Privacy Strategy Workshop, a “Privacy by Design Blueprint” will be produced by the Gigya Global Services team as a central guide for implementation .
• Privacy by Design Implementation: Driven by the Privacy by Design Blueprint, the delivery and services teams will help to implement the required features to ensure a GDPR compliant customer identity management implementation .
• Privacy by Design Quality Assurance Review: Following implementation, the GigyaWorks Global Services Team will perform a quality assurance review to verify that all requirements have been implemented using best practices .
Don’t fight your way through this challenging phase on your own . Let Gigya help you build a brighter future for your business through customer identity!
To learn more about the Gigya Privacy by Design program, download our data sheet .
In ConclusionWhile no one can say for certain what full impact and influence the GDPR will have once it takes effect, it’s safe to say the future of digital business will look quite different than it does today . After all, the EU Commission is trying to reflect the will of consumers in this sweeping regulation and, ultimately, it’s consumers who should decide if, when and how their personal information is collected by businesses and used to drive revenue .
Our platform, implementation methodology and approach is built on privacy by design principles . Our goal with each rollout of our enterprise-class platform is to create flexible, scalable and secure customer identity solutions for our clients . We want to enable them to use Gigya’s CIAM platform features and functionality to help address GDPR requirements while providing transparent and seamless experiences to their customers, to build lasting trust that pays off in lifelong brand loyalty .
We created this executive summary to show you how Gigya’s CIAM platform can help you address GDPR requirements . We want you to know that when it comes to meeting these new requirements for collecting and managing customers’ personal data, Gigya is here to help . We can act as your customer identity management advisors as you begin your journey toward GDPR compliance — from planning, to implementation, to ongoing strategy for every new deployment in your future .1
To learn more about the Gigya’s Customer Identity Management platform, visit www .gigya .com .
* Disclaimer
The material contained in this document is for general information purposes only and does not constitute legal or other professional advice . Specific legal advice should be sought on any particular matter including but not limited to GDPR . Any and all information is subject to change without notice . No liability whatsoever is accepted by Gigya, Inc . for any action taken in reliance on the information in this document .
© 2017 Gigya, Inc. | 2513 Charleston Road #200, Mountain View, CA 94043 | T : (650) 353.7230 | www.gigya.com
Gigya, the Gigya logo, and Customer Identity Management Platform are either registered trademarks or trademarks of Gigya Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners. Gigya does not own any end user data or maintain any other rights to this data, other than utilizing it to make Gigya’s services available to our clients and their end users. Gigya acts as an agent or back-end vendor of its client’s website or mobile application, to which the end user of our client granted permissions (if applicable). Gigya facilitates the collection, transfer and storage of end user data solely on behalf of its clients and at its clients’ direction. For more information, please see Gigya’s Privacy Policy, available at http://www.gigya.com/privacy-policy/.
Gigya_CIAM_Guide_to_Addressing_GDPR_Requirements_201706
The Leader in Customer Identity Management
About Gigya
Gigya’s Customer Identity Management Platform helps companies build better customer relationships by turning unknown site visitors into known, loyal and engaged customers. With Gigya’s technology, businesses increase registrations and identify customers across devices, consolidate data into rich customer profiles, and provide better service, products and experiences by integrating data into marketing and service applications.
Gigya’s platform was designed from the ground up for social identities, mobile devices, consumer privacy and modern marketing. Gigya provides developers with the APIs they need to easily build and maintain secure and scalable registration, authentication, profile management, data analytics and third-party integrations.
More than 700 of the world’s leading businesses such as Fox, Forbes, and ASOS rely on Gigya to build identity-driven relationships and to provide scalable, secure Customer Identity Management.
To learn how Gigya can help your business manage customer identities, visit gigya.com, or call us at 650.353.7230.