CIAM systems can be configured to help bring your organisation into the compliance zone of the GDPR and other privacy regulations.

If you wake up in a cold sweat in the middle of the night with the letters GDPR floating just above your bed, then fear not: Customer Identity Access Management (CIAM) is your knight in shining armor.

I don't need to tell those of you working with personal data that the GDPR is nuanced and its language can be complex. Although it may be a veritable minefield, it is meant to do good. One of the opening statements of the final version of the GDPR is:

"The processing of personal data should be designed to serve mankind."

That is a bold and ambitious statement, and it needs a bold and ambitious reply. To this end, I am proposing that a Customer Identity Access Management (CIAM) system has many of the elements needed to meet GDPR compliance when dealing with a person's data. It's how you use it that counts.

When good CIAM meets the GDPR

Let's look at some of the areas of the GDPR where CIAM can meet the requirement when dealing with personal and the more 'special' categories of data.

Collection of identity data and data minimization: A digital identity is a very useful thing. If you can prove who you are to an online service, that service will likely feel pretty good about giving you access to some resource or other. During registration you normally give your personal details: name, address, even date of birth. It is very difficult to get away from some variant of personal data collection to create a digital ID. However, you do have options to minimize its use:

During registration: The service collects the data only to verify the user against other data sources within that session, but does not retain the data. Instead, the system records that the person was verified at a given time; you can still do ad-hoc periodic checks in the same manner if need be. Blockchain or traditional database technology can be used to store assurance levels against time.

During access: If you do collect and store data, the user need not reveal the full extent of this information to the service. For example, they can show they are over or under a certain age without revealing their date of birth, or that they live in a certain locality without revealing their full address.

Consenting to use data for marketing

OK, so some companies really do need to have information and can't avoid it. If I buy something on Amazon, it kind of helps to have my postal address. But these are some considerations within marketing that a CIAM system should offer:

Minimize data: If you don't really need it, don't collect it. Often marketing is targeted at a specific audience rather than an individual. You can get as much data to market with from knowing an individual lives in or near a certain city as you can from their address, or from the fact that they are over 21 rather than their full date of birth. Set up the service to receive only the minimum of information needed.

Consent to target (active consenting): The best people to market to are those who are already engaged. A CIAM system can be designed not only to verify a person's identity but also to actively engage them with your organization. If the CIAM system has been designed as truly customer-centric, it will be built with an intrinsic consent model. You can extend this to take preferences around specific products. For example, ask customers to set preferences for products and services, i.e. create a 'consent to like' service based on a customer's identity. If done correctly, as an 'active consent', you should cover the GDPR requirements, which stipulate that consent should be a "clear affirmative act" that is "freely given" and whose wording is "clear" and "concise". You also need to be able to "demonstrate that the data subject has given consent to the processing operation." A CIAM system should allow you to provide an audit of consents given and revoked. This could use a traditional audit event mechanism or blockchain-based consent receipts.

Processing health data, consent and de-identification

There are a lot of patient-generated health initiatives happening at present. For example, the UK government has opened the Digital health technology catalyst 2017 fund to explore digital healthcare technologies. Drivers such as the popularity of health wearables are making the availability of patient-generated health data a reality. A CIAM-verified identity associated with these data is a pivot for the controlled and secure sharing of health data between patient and caregiver. However, health data is deemed 'special data' under the GDPR. What this means in practice is that if you process health data you need to obtain a more stringent version of the consent used for personal, non-health data, and you must explain in detail what the data is used for. Again, as in the marketing consent model, certain technologies used as an adjunct to a CIAM system can help with this.

One other method of reducing the overhead of GDPR compliance for health data is to use de-identification techniques. Again, a CIAM system designed specifically to manage customer data, and based on an extensible API model, should be able to apply these techniques.

The devil in the detail of GDPR

Customer IAM is a rapidly expanding technology that can solve a lot of online identity and Know Your Customer (KYC) issues. The Forrester Wave™: Customer Identity and Access Management, Q2 2017 states that 81% of enterprises are planning to implement or expand the use of CIAM systems. Securing personal data in the new regulatory environment can be complex, requiring personnel changes, data systems redesign, and even rethinking corporate networks in light of the GDPR.
Using a customer-facing identity management system, specifically designed for your customers, can go a long way towards reducing this complexity, giving you options and control over your data collection and processing. In doing so, it also gives you the tools to manage the expectations not just of the GDPR but of other data protection regulations, such as HIPAA, too. Like lots of other things in life and technology, the devil is in the details. Customer Identity Access Management systems need to be built to deliver that detail.
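To make the mechanisms described above concrete, here is an added Python sketch covering both the data-minimization section (verify in-session, keep only an assurance record with derived yes/no claims, re-check periodically) and the marketing and health consent sections (an append-only consent ledger that can demonstrate consent at a point in time, stricter explicit consent for 'special' health purposes, and keyed pseudonymisation for de-identified sharing). This is example code written for this article's discussion, not code from any CIAM product or from the author; the subject id cust-42, the dates, the consent wordings, the one-year re-check window, the purpose names and the HMAC key are all constructed for the example.

```python
"""Added example: data-minimising registration plus an auditable consent ledger."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

# Constructed values for the example (hypothetical subject, times and purposes).
DAY = timedelta(days=1)
VERIFIED_AT = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
SPECIAL_CATEGORY_PURPOSES = {"health_sharing"}  # 'special' data: explicit consent
RECHECK_AFTER = 365 * DAY                        # assumed re-verification window

@dataclass
class AssuranceRecord:
    """What survives registration: no date of birth, no street address."""
    subject_id: str
    verified_at: datetime
    assurance_level: int
    claims: dict = field(default_factory=dict)   # e.g. {"age_over_21": False}

def derive_claims(date_of_birth: date, locality: str, checked_at: datetime,
                  age_thresholds=(18, 21)) -> dict:
    """Reduce raw identity data to the yes/no facts the service will need."""
    today = checked_at.date()
    age = today.year - date_of_birth.year - (
        (today.month, today.day) < (date_of_birth.month, date_of_birth.day))
    claims = {f"age_over_{t}": age >= t for t in age_thresholds}
    claims["locality"] = locality   # city-level only, not the full address
    return claims

def register(subject_id: str, date_of_birth: date, locality: str,
             checked_at: datetime, assurance_level: int = 2) -> AssuranceRecord:
    """Verification happens in-session; the raw inputs are not retained."""
    return AssuranceRecord(subject_id, checked_at, assurance_level,
                           derive_claims(date_of_birth, locality, checked_at))

def needs_recheck(record: AssuranceRecord, now: datetime) -> bool:
    """Periodic check: is the stored assurance older than the window?"""
    return now - record.verified_at > RECHECK_AFTER

@dataclass
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool            # True = consent given, False = consent revoked
    at: datetime
    wording: str             # the exact text the person saw, kept for audit
    explicit: bool = False   # affirmative act for special-category purposes

class ConsentLedger:
    """Append-only record of consents given and revoked; never edited in place."""

    def __init__(self):
        self._events = []

    def record(self, event: ConsentEvent) -> None:
        if (event.purpose in SPECIAL_CATEGORY_PURPOSES and event.granted
                and not event.explicit):
            raise ValueError(f"{event.purpose!r} requires explicit consent")
        self._events.append(event)

    def consent_in_force(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """The latest grant or revocation at or before 'at' decides."""
        state = False
        for e in sorted(self._events, key=lambda e: e.at):
            if e.subject_id == subject_id and e.purpose == purpose and e.at <= at:
                state = e.granted
        return state

    def receipt(self, subject_id: str) -> list:
        """Evidence that consent was given, and when it was withdrawn."""
        return [{"purpose": e.purpose, "granted": e.granted,
                 "at": e.at.isoformat(), "wording": e.wording}
                for e in sorted(self._events, key=lambda e: e.at)
                if e.subject_id == subject_id]

def pseudonymise(subject_id: str, key: bytes) -> str:
    """De-identification for shared health records: a keyed pseudonym the
    recipient cannot reverse, because the key stays with the controller."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()

def demo():
    """One subject: registered, consents to marketing, later withdraws it."""
    record = register("cust-42", date(1998, 9, 1), "Manchester", VERIFIED_AT)
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("cust-42", "marketing", True, VERIFIED_AT,
                               "Tick here to receive offers on walking boots"))
    ledger.record(ConsentEvent("cust-42", "marketing", False, VERIFIED_AT + 30 * DAY,
                               "Unsubscribe link clicked"))
    ledger.record(ConsentEvent("cust-42", "health_sharing", True, VERIFIED_AT,
                               "Share your step counts with your GP practice only",
                               explicit=True))
    return record, ledger
```

The point of the design is what is absent: the date of birth and full address exist only as arguments to `register` and never reach the stored record, while the ledger keeps the wording the person actually saw, so an audit can show both that consent was an affirmative act and exactly when it was withdrawn.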