This is the third blog post (on transparency) about the impact of the General Data Protection Regulation (GDPR) on Consumer IAM projects, part of a series in which we touch on the topics that matter most to IAM experts interested in the new EU regulation.
Article 5 of the GDPR sets out a number of principles that organisations, the so-called “data controllers”, must comply with when they process the personal data of consumers (and others), the so-called “data subjects”. These principles form the core of the obligation to process data “lawfully, fairly and in a transparent manner in relation to the data subject”. Transparency has two requirements with respect to personal data: organisations must provide extensive information to people about the data and how it is used, and they must give them control over it.
More control over privacy will raise confidence in the new economy
The new requirements are a big step forward for those who have concerns about how their personal data is used and who is using it. Although legislation to protect user data is already in place, most consumers do not feel that they actually have control over it. Because of the need to raise confidence in the new economy and to rapidly adopt new business models that make use of personal data, the privacy and protection of such data is an increasingly important issue. This is where the GDPR comes in.
Transparency is key to building trust
Looking at transparency in the context of GDPR, controllers have to provide and consumers are entitled to receive the following information:
- Information provided in a clear, concise, transparent and easily accessible form, using plain and unambiguous language.
- Information concerning the intended purpose of processing the personal data, including the legal basis and legitimate interests pursued by the data controller and any third parties involved.
- Information concerning the way in which access rights to personal data are offered, how to have any errors in the data corrected or have the data removed, and how to object to certain ways of processing that data. An individual has the right to have any errors in the data corrected without delay and the right to have information added to the data if it is incomplete.
- Information concerning any recipients to whom the data will be disclosed.
- The categories of data concerned and the type of processing (automated or not).
- The right to withdraw their consent at any moment and how to do this.
- The retention of the data (how long it will be kept).
How the “My Page” will evolve
All of this could be offered on an easy-to-find “My Page” that informs a consumer about all of the options for controlling personal data and provides instructions for altering the information on that page dynamically. This type of page could serve as the central access point for a consumer to manage personal data in a user-friendly manner.
In addition to those already outlined, the following obligations that fall into the “being transparent” GDPR category should be considered:
- Any intention to transfer the data to another country and what level of assurance and control is given by that country must be communicated to the data subject.
- The data subject must be informed of the right to raise complaints to the national data protection authority and their contact details must be provided.
- The data subject must receive information concerning the identity and contact details of the data controller, the controller's representative, and the Data Protection Officer (where applicable).
This type of (generally static) information could also be placed on a consumer's “My Page”, where it would be readily available to them and would make that page the place to offer the transparency that the GDPR requires.
There are a few other topics related to transparency that I will cover in the next blog post, on “Profiling and automated decision making”.
The GDPR in all official European languages can be found here:
In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on IAM.
- Why IAM will never be the same.
- When should consent be requested?
- Why transparency is key to building trust.
- Strict regulation of automated individual decision making.
- What is sensitive personal data?
- Privacy by Design & Data protection by Design.
- Special rights for the individual, like the “right to be forgotten”.
- Data breach communication.
- Children's privacy under GDPR.
Feel free to repost this blog on your website! When you do so, please be so kind as to mention the source and notify us via marketing@iWelcome.com
Corné van Rooij
VP Product & Strategic Alliances at iWelcome
Corné has been working in the security market for more than 20 years, the last 15 of them at two well-known Identity Management vendors.