Transparency and the GDPR – Part 3 of 9

Corné van Rooij
December 22, 2017 at 4:13 PM

This is the third in a series of nine blog posts on how Consumer Identity and Access Management (CIAM) products can help organisations in their compliance with the General Data Protection Regulation (GDPR). The series covers important topics for CIAM experts who have an interest in the new EU regulations.

Article 5 of GDPR sets out a number of principles that organisations, so-called “data controllers,” must comply with when they process the personal data of consumers (and others), so-called “data subjects”. These principles form the core of the obligations to process the data “lawfully, fairly, and in a transparent manner in relation to a data subject”. Transparency has two requirements with respect to personal data: that organisations provide extensive information to people about the data and how it is used, and that they give them control over it.

More control on Privacy will raise confidence in the new economy

The new requirements are a big step forward for those who have concerns about how their personal data is used and who is using it. Although legislation is currently in place to protect user data, most consumers do not feel that they actually have control over it. Because of the need to raise confidence in the new economy and to rapidly adopt new business models that make use of personal data, the privacy and protection of such data is an increasingly important issue. This is where GDPR comes in.

Transparency is key to building trust

Looking at transparency in the context of GDPR, controllers have to provide and consumers are entitled to receive the following information:

  1. Information that has been provided in a clear, concise, transparent, and easily accessible form, using unambiguous and plain language.
  2. Information concerning the intended purpose of processing the personal data, including the legal basis and legitimate interests pursued by the data controller and any third parties involved.
  3. Information concerning the way in which access rights to personal data are offered, how to have any errors in the data corrected or have the data removed, and how to object to certain ways of processing that data. An individual has the right to have any errors in the data corrected without delay and has the right to have information added to the data if it is incomplete.
  4. Information concerning any recipients to whom the data will be disclosed.
  5. The categories of data concerned and the type of processing (automated or not).
  6. The right to withdraw their consent at any moment and how to do this.
  7. The retention of the data (how long it will be kept).

How the “My Profile” page will evolve

All of this could be offered in an easy-to-find “My Page” that informs a consumer about all of the options for controlling personal data and provides instructions for altering information on that page dynamically. This type of page could serve as the central access point for a consumer to manage personal data in a user-friendly manner.

In addition to those already outlined, the following obligations that fall into the “being transparent” GDPR category should be considered:

  • Any intention to transfer the data to another country and what level of assurance and control is given by that country must be communicated to the data subject.
  • The data subject must be informed of the right to raise complaints to the national data protection authority and their contact details must be provided.
  • The data subject must receive information concerning the identity and contact details of the data controller, his representative, and Data Protection Officer (where applicable).

This type of (generally static) information could also be placed on a consumer’s “My Page”, where it would be readily available to them. That would make the page the place to offer the transparency that is requested in the GDPR.

There are a few other topics that have to do with transparency that I will cover in the next blog post, on “Profiling and automated decision making”.

The GDPR in all official European languages can be found here:
http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32016R0679

In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on CIAM. 

  1. Why CIAM will never be the same with GDPR
  2. Consent Management with GDPR in mind 
  3. Transparency and GDPR 
  4. Strict regulation of automated individual decision making.
  5. What is sensitive personal data?
  6. Privacy by Design & Data protection by Design.
  7. Special rights for the individual like “right to be forgotten”
  8. Data breach communication.
  9. Children's privacy under GDPR.

Feel free to repost this blog on your website! But when you do so, please be so kind as to mention the source and notify us via marketing@iwelcome.com.