© 2017 ForgeRock. All rights reserved.

GDPR Is Coming In Hot: Top Burning Questions Answered To Help You Keep Your Cool

Eve Maler (@xmlgrrl), VP Innovation & Emerging Technology, ForgeRock
Sean Doherty (@SeanD0herty), Analyst, Workforce Productivity & Compliance Channel, 451 Research

July 25, 2017


451 Research is an information technology research & advisory company, founded in 2000.

• 300+ employees, including over 100 analysts
• 1,000+ clients: technology & service providers, corporate advisory, finance, professional services, and IT decision makers
• 50,000+ senior IT professionals in our research community
• Over 52 million data points each quarter
• 4,500+ reports published each year covering 2,000+ innovative technology & service providers
• 451 Research and its sister company Uptime Institute comprise the two divisions of The 451 Group
• Headquartered in New York City with offices in London, Boston, San Francisco, Washington D.C., Mexico, Costa Rica, Brazil, Spain, U.A.E., Russia, Taiwan, Singapore, and Malaysia

Offerings: Research & Data, Advisory Services, Events

GDPR: when and where?

• Effective and enforced on May 25, 2018, replacing the 1998 Data Protection Directive (95/46/EC).
• The regulation requires member countries to follow and enforce the GDPR without passing local legislation.
• The regulation applies to:
  1. The processing of personal data from the activities of an establishment of a controller or processor in the EU; or
  2. A controller or processor not established in the EU, where personal data collection and processing is related to the offering of goods or services to data subjects in the EU or the processing monitors data subjects’ behavior in the EU.

GDPR definitions

Personal data means any information relating to an identifiable natural person (data subject), i.e., one that can be identified, directly or indirectly, from a name, identification number, location data, online identifier or other factors specific to the physical, genetic, economic, or social identity of the data subject. Art. 4(1).

Processing means any operation performed on personal data, such as collection, recording, organizing, and storing. Art. 4(2).

A controller is a person or organization that determines the purposes and means of processing personal data. Art. 4(7).

A processor is a person or organization that processes personal data on behalf of a controller. Art. 4(8).


GDPR effect: not a butterfly but a bee

• Violations of the GDPR can cost up to €20m in fines or up to 4% of a controller’s or processor’s previous year’s worldwide revenue.
• Requires data controllers and processors to hire a data protection officer for regular and systematic monitoring of data subjects on a large scale.
• Mandatory data breach notifications to data subjects within 72 hours of the breach.
• Gives EU residents more control of their personal data:
  • Prohibits data processing beyond its specified purpose.
  • The right to correct (rectify) and delete (erasure) or be forgotten.
  • Withdraw consent to data processing.
• Data subjects and nonprofit organizations on behalf of data subjects can bring actions directly against data controllers and processors for GDPR violations.


The EU General Data Protection Regulation: It’s different this time

• Firm deadline, big penalties, high aspirations…and viral

• “Data protection” encompasses a wide variety of data transparency and data control requirements


Take steps

• Identify intersections between digital transformation opportunities and user trust risks
• Conceive of personal data as a joint asset
• Lean in to consent
• Take advantage of identity and access management for building trust

We asked what you wanted to know – and you let us have it

Q1: My company interacts with end-users directly and holds user account data. When sending such data from Australia to, say, the US, what regulation applies: Australia, US, EU...?

Q2: What is the relation of Privacy Shield to GDPR?

Q3a: Does GDPR require that I store data about my customers in the country it was collected in?

Q3b: How does it work in the ForgeRock Identity Platform to store identity profile data within a specific region?

The ForgeRock Identity Platform

[Diagram: platform components Directory Services (DS), Access Management (AM), Identity Management (IDM), Identity Gateway (IG) and Common Services (CS). Capability labels shown: Authentication, Authorization, Provisioning, Reconciliation, OIDC/OAuth, Federation, Adaptive Risk, Stateless & Stateful, UMA Provider, Mobile App, User Self Service, Workflow Engine, Registration, Single View of Customer, Synchronization, Password Management, Password Replay, SAML, Token Transformation, UMA Protector, API Security, Throttling, Common Scripting, Common Audit/Logging, Common User Interface, Common REST API, LDAPv3, Replication, REST/JSON, Access Control, Schema Management, Caching, Auditing, Monitoring, Groups, Password Policy, AD Pass Through, Reporting.]

Data sovereignty and fractional replication

• Global user profile (has all user attributes)
• Jurisdiction-local replicas contain a subset of the complete user profile
• Fractional replication within each jurisdiction

Q4: If a US employee of my organization uses a VPN connection back to the home office while in another office that’s located in the EU, what regulation applies: US, EU…?

Q5a: What do data encryption techniques have to do with GDPR?

Q5b: How does it work in the ForgeRock Identity Platform to encrypt and protect identity attributes?

Many layers of protection for personal data

[Diagram: protections laid out by platform component: DS, AM, IDM, IG and CS.]

• On-disk encryption of data and indexes
• Access controls to prevent unauthorized users from reading data
• Encrypted backups
• Tamper-proofed audit logging, depending on the “sink” chosen
• Logging only of the user identifier, not of profile content
• Token proof of possession available to ensure the bearer is the rightful owner
• Signing and encryption for JWTs, id_tokens, SAML assertions, UserInfo responses
• Contextual authorization
• Encryption of credentials and profile attributes
• Encryption or hashing of data during synchronization
• Contextual authorization
• Message header encryption
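The “tamper-proofed audit logging” and “logging only of the user identifier” bullets above name two properties an audit sink should have. The Python below is added here as an illustration and is not ForgeRock code; it shows one common way to get both properties at once: a hash-chained log in which every entry commits to its predecessor, so an edited or deleted entry is detected on verification, and a writer that records the names of the profile attributes touched but never their values. The event names, timestamps, profile fields and user identifiers are constructed for the example.

```python
"""Tamper-evident audit log that records user identifiers, never profile content.

Illustration added to this page; not ForgeRock code. Each entry stores the
SHA-256 of (previous hash || canonical JSON of the record), so any edited,
reordered or removed entry breaks the chain on verification.
"""
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash: str, record: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(chain: List[Dict[str, Any]], user_id: str, action: str,
                 ts: str, profile: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Append one audit entry. Only attribute *names* from `profile` are kept."""
    record = {"ts": ts, "userId": user_id, "action": action}
    if profile:
        # Names of the attributes touched are useful for audit; their values never are.
        record["profileFieldsTouched"] = sorted(profile.keys())
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]]) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first broken entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1


def demo() -> tuple:
    """Build a small chain from constructed events, then show that tampering and deletion are caught."""
    chain: List[Dict[str, Any]] = []
    events = [
        ("u123", "login", "2017-07-25T10:00:00Z"),
        ("u123", "profile.update", "2017-07-25T10:01:00Z"),
        ("u456", "consent.withdraw", "2017-07-25T10:02:00Z"),
    ]
    for user_id, action, ts in events:
        # Constructed profile content; the email address must not reach the log.
        append_event(chain, user_id, action, ts, {"email": "user@example.com"})
    intact = verify_chain(chain)

    # Edit the second record in a copy: its stored hash no longer matches.
    tampered = [dict(e, record=dict(e["record"])) for e in chain]
    tampered[1]["record"]["action"] = "login"

    # Drop the second entry: the third entry's `prev` no longer matches its predecessor.
    truncated = chain[:1] + chain[2:]

    return intact, verify_chain(tampered), verify_chain(truncated)


if __name__ == "__main__":
    print(demo())  # (-1, 1, 1)
```

A hash chain on its own makes tampering evident, not impossible: whoever can rewrite the whole file can recompute every hash. In practice the latest hash is periodically anchored somewhere the log writer cannot alter (a separate append-only store, a signed checkpoint, or a write-once sink), which is the “depending on the sink chosen” caveat in the slide.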

Q6: Does an individual have a “right to update” data?

Q7: If my organization has shared end-user data with a third party, and our end-user asks for it to be deleted, whose responsibility is it to delete it?

Q8a: When does GDPR say I have to go back to an end-user and ask for their consent to process their data again after collecting it a first time?

Q8b: When is it possible to ask for an end-user’s consent using the ForgeRock Identity Platform?

Moments of consent

• Registration time
• Authentication time
• Access approval (asynchronous)

Q9a: I’ve heard my organization will have to change all of our consent collection practices because of GDPR – is that true?

Q9b: What consent lifecycle management capabilities does the ForgeRock Identity Platform have?

Single view of the consumer

Giving the consumer a single view of their consents

Giving the consumer control over their consents

● Lifecycle management of a user profile and their data sharing preferences
● Secure storage of profile data
● Anonymized syncing of profile data and connector-based integration to third-party systems
● Terms of service and privacy policy capture
● Social sign-in
● Social registration
● Social consent management
● Interoperable, user-driven, proactive and reactive sharing flows

The holistic view of consent lifecycle management

Patient selectively sharing IoT health data with doctors and other caregivers with User-Managed Access (UMA)

[Screenshots: patient view and doctor view.]

Granular consented access by accountant to bank customer’s account data and transactions

Q10a: What does GDPR say about parental consent, and what is the age of majority?

Q10b: What are the capabilities of the ForgeRock Identity Platform regarding parental consent?

Typical parent/child account relationship and capabilities

Parent/Guardian Account
• Can self-register
• Can create and manage age-constrained accounts
• Full schema and permissions
• Access approval options, e.g. through UMA constrained delegation

Child Account
• Not allowed to self-register
• Jurisdictionally defined age-constrained account
• Limited schema and permissions

We’d like to show you what we’ve got cooking

Profile and Privacy Management Dashboard: it’s all about self-service for…

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Convenient and centralized data protection, transparency, and control

(demo)

Thank You! Questions?

Eve Maler (@xmlgrrl), VP Innovation & Emerging Technology, ForgeRock
Sean Doherty (@SeanD0herty), Analyst, Workforce Productivity & Compliance Channel, 451 Research

summits.forgerock.com