The European Union General Data Protection Regulation (GDPR), which took about 4 years of negotiation, is 200 pages long and was adopted in April 2016. It will be in full force on the 25th of May 2018 in all EU countries; no national ratification is needed. The GDPR succeeds the EU Data Protection Directive (officially EU Directive 95/46/EC) on the protection of individuals with regard to the processing of personal data of European citizens and on the free movement of such data. The new law represents a fundamental shift in the balance of rights and obligations between consumers and businesses. There are a number of new elements to consider, including broader definitions of personal data and new rights for consumers in terms of data portability, requirements to notify customers, as well as authorities, of data breaches, and higher standards for obtaining and managing consent. While significantly larger fines will apply when companies are not in compliance, the major shift in the law is about giving consumers control over their personal data.
So, in conclusion, you can't get around it; and, by the way, Brexit will not be complete by then, so UK citizens will also be protected by this law.
The GDPR and its effect on IAM blog series
In a series of 9 blog posts, we will dive deeper into the specific parts of the GDPR and their effect on IAM.
What are the key differences between the GDPR and EU Directive 95/46/EC?
- The GDPR's definition of 'personal data' is more detailed. Information such as an IP address, a cookie or an RFID tag could be personal data.
- The GDPR applies to manual filing systems where personal data are accessible according to specific criteria. The scope is wider than that of Directive 95/46 and could include chronologically ordered sets of manual records containing personal data.
- The GDPR does not include any obligation to register with a regulating body.
- Under the GDPR, consent must be 'freely given, specific and informed'; silence, pre-ticked boxes or inactivity will not constitute consent.
- The GDPR includes a specific prohibition on the processing of data relating to criminal convictions.
- A shorter response period applies (rather than 40 days), which can be extended by a further two months.
- Additional information will need to be provided, such as data retention periods and the right to have inaccurate data corrected.
- The GDPR sets limits on the use of "profiling", meaning computerised data analysis based on the automated processing of an individual's personal data.
- Profiling is only allowed with the consent of the individual concerned, where permitted by law, or when needed to perform a contract; it cannot be based solely on automated processing and should include human assessment.
- Under the GDPR, public authorities and organisations that control large data sets for their core business must designate a Data Protection Officer (DPO).
- A DPO can be either an internal or an external person. The DPO must take responsibility for compliance and have the knowledge, support and authority to do so effectively.
- Breaches have to be reported within 72 hours unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- When there is a high risk from the breach, the controller must communicate the personal data breach to the data subject without undue delay.
- Any person who has suffered damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.
- Breach of the GDPR can result in fines of up to EUR 20,000,000 or, if higher, up to 4% of worldwide annual turnover.
GDPR compliance can feel daunting; reach out today and let us help you get ready with a solid Consumer IAM strategy.
Building the foundation for GDPR
iWelcome CIAM, with Consent Lifecycle Management at its core, enables frictionless customer journeys at scale.
The General Data Protection Regulation (GDPR) carries huge challenges for companies. All business activities that involve personal data must comply with the GDPR, consumers have extended rights under it, and the scope and definition of what counts as personal data, and how it may be used, have changed.
Meeting these challenges requires businesses to carry out a full audit of their existing data protection policies, procedures and practices. This has a massive impact on IT, in particular on the master data management of personal data, its attributes and related metadata, and its processing.
The need for a single view of the customer is not new, but with regard to GDPR compliance it has reached a new level of criticality and urgency. Consumer-facing lines of business have to build a culture of privacy to become trustworthy. It is a challenging task, but one that has the potential to differentiate your organisation.
iWelcome equips you with a powerful CIAM platform providing the foundation and critical capabilities you need to build better and more transparent value propositions, build a culture of privacy and achieve compliance by the 2018 deadline.
iWelcome CIAM Proposition
The iWelcome CIAM service is the only IDaaS built with all the requirements of the European General Data Protection Regulation (GDPR) in mind, thereby delivering the foundation for privacy assurance and GDPR compliance as a standard part of our service. The iWelcome CIAM Service combines best-fit IAM capabilities with cloud identity and, at its core, Consent Lifecycle Management from pseudonymous to known to trusted identities. It offers the basis for engagement with your consumers at any time and place in their journey: a single view of personal data that is transparent for the company as well as the consumer.
The service includes core capabilities such as user self-service, flexible attribute management, consumer profile & preference management, identity & marketing analytics, a Lifecycle API and technical security measures to build maximum flexibility into every step of the customer journey and to protect personal data.