Why privacy needs to remain at the forefront of identity and access management. Credit: ValeryBrozhinsky / Getty Data privacy has made big headlines in the last 12 months. Wherever we look there is an article about a data breach, a data protection regulation update, or a colleague talking about data privacy. It may have all become too much, and we have to ask ourselves, “Have we reached ‘peak privacy’?”In the identity space, data privacy was never really a consideration until we entered the realms of the consumer. In enterprise identity and access management (IAM), although we rarely, if ever, mentioned privacy despite the fact we were using employees’ personal data. When the enterprise perimeter earthquake happened, and we moved our IAM services to cover consumers and citizens, data privacy started to enter the industry parlance.Why it is important to not become jaded about privacyData breaches and privacy violations can almost be thought of as a kind of ‘digital trauma’. When I heard about the Collective #1 data breach that exposed 773 million data records, I thought, “Oh no, not again.” I searched HaveIBeenPwned and sure enough, my email address showed I was part of the data breach, but I didn’t feel worried, as I should be, because I have become desensitized.Desensitization is a common issue among people who experience trauma. For example, teenagers who are subjected to real-life violence become less affected by acts of violence than their counterparts who have not been exposed. If you experience something over and over, you do get used to it happening. That does not, however, mean that it should be tolerated. As I write, there will be continued breaches that affect our personal data. The EU’s General Data Protection Regulation (GDPR) helps to focus the minds of organization leaders, but it does not stop cybercriminals trying to steal our personal data. Since the GDPR come into effect, Law firm, DLA Piper have recorded, 59,000 personal data breaches across Europe.As custodians and processors of personal data, we can’t just turn a blind eye to privacy. It hurts our businesses as much as it hurts the customer who forgoes privacy. A report by Privitar said that 90 percent of consumers are concerned that technological advancements are a risk to data privacy. Tech and privacy: A good double act in IAM?IAM platforms have needed to innovate to keep up with the tidal wave of personal data and to improve customer experience. Data is an incredibly useful commodity that can be used to do online jobs, including the digitization of onboarding processes. Privacy, as seen through the lens of the IAM technology stack, should be intrinsic across a platform.What does that mean in practical terms? Can we have our privacy cake and eat it, too?Privacy peak 1: Great UI/UX can facilitate good data privacyThe touchpoint between the identity management backend and the user is where the data privacy choice begins. It is also where your relationship with the customer begins. Privacy is an intrinsic part of trust, which is a relationship-building tool. Your UX should guide your customers down a pathway that distills privacy for them. The UI should reflect the data processing you do in a simple way. If you do this, you start on a pathway to trust by being privacy respectful.Privacy peak 2: Deliver what you promiseIf you tell users you won’t use their data for X or Y, then don’t. If you tell users you will use their data to give them a better service, do so. This type of basic thinking has to be part of the design process at the beginning of building a service. If you have to retro-fit it, it is harder to do but not impossible. Using identity API-based service architecture can help to facilitate the addition of missing features that enhance privacy.Privacy peak 3: Consent is fluidConsent management comes in many forms. You should have already taken consent when you first touched the customer’s data. However, consent is fluid. People change their minds. Build consent for data privacy control into the system, end to end. This can be included in transaction consent – OAuth 2.0 and UMA are example protocols for achieving this.Consent management can also be included in the user’s account manager. Consumer IAM vendors are now beginning to add in the ability to manage consents across services. Even the blockchain can add value here. Used as a layer for consent transaction receipt and audit, it offers an immutable way to show that you have taken the consent requirements of the GDPR seriously. Privacy peak 4: Technology is the friend of privacyPrivacy is about individual choice, but data privacy is augmented and enforced using technology solutions. Always use the best possible security solutions to enforce the privacy choices of your customers. Make these as seamless as possible. This can be a challenge in certain customer-facing areas, like authentication, but the world of authentication is starting to offer solutions to the conundrum of usability vs. security. Other areas like data in transit and at rest should be secured, by design, in any system that moves personal data, in all of its forms, around.Let’s make data privacy month data privacy by defaultData Privacy Day has now become Data Privacy Month, which runs until February 28. As custodians of people’s data, we should never, ever be desensitized or complacent about data privacy. Data privacy holds the key to the relationship we need to build between our service and our customer. Privacy is not about hiding data, it is about using it with due respect to the person that data represents. When you next set out an RFP for an identity service, make sure you add a requirement that asks for privacy by default. Related content feature 4 authentication use cases: Which protocol to use? Choosing the wrong authentication protocol could undermine security and limit future expansion. These are the recommended protocols for common use cases. By Susan Morrow Dec 05, 2019 6 mins Authentication Identity Management Solutions Security opinion Deepfakes and synthetic identity: More reasons to worry about identity theft How can we maintain control over digital identity In a world where it is being blurred and abused by fraudsters? By Susan Morrow Oct 02, 2019 6 mins Authentication Fraud Identity Management Solutions opinion Is the digital identity layer missing or just misplaced? The orchestration of existing services and data could provide a digital identity layer that gives the internet a common way to handle identity for all consumers. By Susan Morrow Jun 28, 2019 6 mins Authentication Identity Management Solutions Security opinion Can the re-use of identity data be a silver bullet for industry? The ability to re-use identity data for individuals across different systems would greatly simplify authentication. Here's what it would take to make it happen. By Susan Morrow May 24, 2019 6 mins Authentication Identity Management Solutions Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe