implications of gdpr in conjunction with uma


Upload: forgerock

Post on 21-Jan-2018


Page 1: Implications of GDPR in Conjunction with UMA

© 2017 ForgeRock. All rights reserved.

GDPR

@hannsnolan

ForgeRock Identity Platform!

Some of the more identity-related components of the GDPR

Page 2

Significant penalties for GDPR infractions start on May 25, 2018.

Page 3

GDPR is different, and FR is different

• GDPR applies to every organization selling to or monitoring anyone in the EU
• GDPR has a firm deadline (May '18), high penalties (4% of global turnover), and high aspirations (human rights)
• Privacy tools assess/ensure compliance
• GDPR tools target risk teams
• We sell to digital teams, who need to own and drive this challenge -- quickly -- so that it becomes a triumph vs. a tragedy

Page 4

Impact of GDPR: some of the more identity-related components of the GDPR

• Consent for processing personal data
• Proof of consent (data & processing!)
• Consent per purpose (including revocation)
• DPO (Data Protection Officer) is required (e.g. external)
• DPIAs (Data Protection Impact Assessment) under certain circumstances
• Data breach notification within 72 hours
• Massive data control rights (forgotten, freeze, export rights)
• Privacy by default
• PLUS organizational/other requirements (out of scope here)

Page 5

What to take care of?

• Personal Data
  • Where is your data? -> least privileged? encryption?
• Lawful Processing
  • Law and IDM? YES -> user consent driven!
• Individual's Right to Rectification, Export and Erasure
  • New requirement! Big challenge: export, erasure

End user dashboards, registration journeys and consent frameworks will need updating!

Page 6

What is to do?

End user dashboards, registration journeys and consent frameworks will need updating.

Don't see it as a compliance exercise! The interesting aspect is that privacy is now becoming a competitive differentiator.

Page 7

A holistic view of the ForgeRock Identity Platform

Identity data governance; single view of the consumer

Giving the consumer a single view of their consents

Giving the consumer control over their consents

● Lifecycle management of user profile and data sharing preferences
● Secure storage of profile data
● Anonymised syncing of profile data and connector-based integration to third-party systems
● Data residency and fractional replication
● ToS and privacy policy capture at registration and authentication time
● Social/federated sign-in
● Social registration
● Social consent management
● Interoperable, user-driven, proactive and reactive sharing flows

Page 8

This is not an "UMA proposal"

• UMA is one enabler of a suite of potential capabilities that build on our core platform strengths for a general strategic P&C capability
• But it is an important enabler that plays into:
  • Cloud (loose coupling of APIs/services for building partner ecosystems)
  • Bilateral service<->user dialog required for the ability to deliver explicit consent (stronger definition of consent required by GDPR)
  • Use cases especially favored by IoT use cases
• We can call new/enhanced P&C capabilities/module(s) anything we like

Page 9

Technical Challenges

• Holistic single view of the customer
• Consent sharing (legacy backend apps!)
• New innovations and trust (Containers, Microservices, Blockchain etc.)
• Redesigning/creating frontends/touchpoints
• Keep customer data accurate and protected

Page 10

Building a (bilateral) trusted digital relationship -- a high-level proposal

Single view of the customer

• Existing platform has many strengths
• Benefits for compliance are under-marketed (can't even attempt "right to be forgotten" if you don't know where all the data is...)
• We don't have packaged solutions targeted to P&C challenges, just a "bag of tools" (KC's CIAM report)

Consent lifecycle management

• We don't have direct P&C solutions today
• GDPR has some requirements here
• IDM, CAUD, and AM in concert have great potential
• Consent Receipts, OAuth, and UMA are relevant standards

Giving the customer context, control, choice, and respect

• We have hints of solutions here (early UMA)
• GDPR has some requirements here
• UMA is a relevant standard

Page 11

Patient selectively sharing IoT health data with doctors and other caregivers

[Diagram: Patient view | Doctor view]

Page 12

Granular consented access by accountant to bank customer's account data and transactions

Page 13

Consent within IDM and Sync

Page 14

ForgeRockIdentity

Forgerock.com

Forgerock.com/blog

Thank you