Identity data in the world of GDPR

If you wake up in a cold sweat in the middle of the night with the letters GDPR floating just above your bed, then fear not — Customer Identity Access Management (CIAM) is your knight in shining armor.

I don’t need to tell those of you working with personal data that the GDPR is nuanced and the language can be complex. Although it may be a veritable minefield, it is meant to do good. One of the opening statements of the final version of the GDPR is:

“The processing of personal data should be designed to serve mankind.“

That is quite a bold and ambitious statement.

In turn, it needs a bold and ambitious reply. To this end, I am proposing that using a Customer Identity Access Management (CIAM) can have much of the elements needed to meet GDPR compliance when dealing with a person’s data. It’s how you use it that counts.

When good CIAM meets the GDPR

Let’s look at some of the areas of the GDPR and where CIAM can meet the requirement when dealing with personal and more ‘special’ data:

Collection of identity data and data minimization: A digital identity is a very useful thing. If you can prove who you are to an online service, likely that service will feel pretty good about giving you access to some resource or other. During registration, normally, you give your personal details such as name, address, even date of birth. It is very difficult to get away from some variant of personal data collection to create a digital ID. However, you do have options to minimize its use:

1. During registration: The service collects the data only to verify the user against other data sources while in that session, but does not retain the data. Instead, the system sets that person as being verified at a given time – you can still do ad-hoc periodic checks in the same manner if needs be. Blockchain or traditional database technology can be used to store assurance levels against time.
2. During access: If you do collect and store data, the user need not reveal the full extent of this information to the service. For example, they can show they are over or under a certain age without revealing their date of birth or live in a certain locality without revealing their full address.

Consenting to use data for marketing

OK, so some companies really need to have information and can’t avoid it. If I buy something on Amazon, it kind of helps to have my postal address. But these are some considerations within marketing that a CIAM system should offer:

1. Minimize data: If you don’t really need it, don’t collect it. Often marketing is targeted at a specific audience, rather than individual. You can get as much data to market, knowing an individual lives in or near a certain city, as you can from their address. Or the fact they are over 21 rather than their full date of birth. Setup the service to only receive the minimum of information needed.
2. Consent to target – active consenting: The best person to market to, is those that are already engaged. A CIAM system can be designed to not only verify a person’s identity but to also actively engage them with your organization. If the CIAM system has been designed as truly customer-centric, it will be built with an intrinsic consent model system. You can extend this to take preferences around specific products. For example, ask customers to set preferences for products and services — aka create a ‘consent to like’ service based on a customer’s identity. If done correctly, as an ‘active consent’ you should cover the GDPR requirements which stipulates that consent should be a “clear affirmative act” that is “freely given” and wording “clear” and “concise”. You also need to be able to “demonstrate that the data subject has given consent to the processing operation.” A CIAM system should allow you to provide an audit of consents taken and revoked. This could be using a traditional audit event mechanism or blockchain based consent receipts.

Processing health data, consent and de-identification

There are a lot of patient-generated health initiatives happening at present. For example, the UK government has opened the Digital health technology catalyst 2017 fund to explore digital healthcare technologies. Drivers such as the popularity of health wearables are making the availability of patient-generated health data a reality. A CIAM verified identity associated with these data is a pivot for the controlled and secure sharing of health data between patient and caregiver. However, health data is deemed ‘special data’ under GDPR ruling. What this means in practice is that if you process health data you need to obtain a more stringent version of the consent used for personal, non-health data, and you must explain in detail what the data is used for. Again, as in the marketing consent model, certain technologies used as an adjunct to a CIAM system can help with this.

One other method of reducing the overhead of GDPR compliance of health data is to use de-identification techniques. Again, a CIAM system designed specifically to manage customer data, and based on an extensible API model, should be able to use the techniques.

The devil in the detail of GDPR

Customer IAM is a rapidly expanding technology that can solve a lot of online identity and Know Your Customer (KYC) issues. The Forrester Wave™: Customer Identity and Access Management, Q2 2017 states that 81% of enterprises are planning to implement or expand the use of CIAM systems.

Securing personal data in the new regulatory environment can be complex, requiring personnel changes, data systems redesign, and even rethinking corporate networks in light of GDPR. Using a customer-facing identity management system, specifically designed for your customers, can go a long way towards reducing this complexity, giving you options and control over your data collection and processing. In doing so, it also gives you the tools to manage the expectations of not just GDPR, but other data protection regulations, such as HIPAA too. Like lots of other things in life and technology, the devil is in the details. Customer Identity Access Management systems need to be built to deliver the detail.