This is the third blog topic about the impact of the General Data Protection Regulation (GDPR) on Consumer IAM projects, part of a series where we touch on important topics for IAM experts interested in the new EU regulations. The topic for this week is “Transparency”.
Article 5 of GDPR sets out a number of principles that organisations, so-called “data controllers,” must comply with when they process the personal data of consumers (and others), so-called “data subjects”. These principles form the core of the obligations to process the data “lawfully, fairly, and in a transparent manner in relation to a data subject”. Transparency has two requirements with respect to personal data: that organisations provide extensive information to people about the data and how it is used, and that they give them control over it.
More control over privacy will raise confidence in the new economy
The new requirements are a big step forward for those who have concerns about how their personal data is used and who is using it. Although legislation is currently in place to protect user data, most consumers do not feel that they actually have control over it. Because of the need to raise confidence in the new economy and to rapidly adopt new business models that make use of personal data, the privacy and protection of such data is an increasingly important issue. This is where GDPR comes in.
Transparency is key for building trust
Looking at transparency in the context of GDPR, controllers have to provide and consumers are entitled to receive the following information:
How the “My Page” will evolve
All of this could be offered in an easy-to-find “My Page” that informs a consumer about all of the options for controlling personal data and provides instructions for altering information on that page dynamically. This type of page could serve as the central access point for a consumer to manage personal data in a user-friendly manner.
In addition to those already outlined, the following obligations that fall into the “being transparent” GDPR category should be considered:
This type of (generally static) information could also be placed on a consumer’s “My Page”, where it would be readily available to them. That would make the page the place to offer the transparency that the GDPR requires.
There are a few other topics that have to do with transparency that I will cover in the next blog topic around “Profiling and automated decision making”.
The GDPR in all official European languages can be found here:
Corné van Rooij
VP Product & Strategic Alliances at iWelcome
Corné has been working in the security market for more than 20 years, of which the last 15 years at two well-known Identity Management vendors.
Feel free to repost this blog on your website! But when you do so, please be so kind as to mention the source and notify us via Sales@iWelcome.com