Consumer identity and access management solutions are bringing value to the organizations which implement them, in terms of higher numbers of successful registrations, customer profiling, authentication variety, identity analytics, and marketing insights.  Many companies with deployed CIAM solutions are increasing revenue and brand loyalty.  Consumers themselves have better experiences interacting with companies that have mature CIAM technologies.  CIAM is a rapidly growing market segment.

CIAM systems typically collect (or at least attempt to collect) the following attributes about consumers:  Name, email address, association with one or more social network accounts, age, gender, and location.  Depending on the service provider, CIAM products may also pick up data such as search queries, items purchased, items browsed, and likes and preferences from social networks.  Wearable technology vendors may collect locations, physical activities, and health-related statistics, and this data may be linked to consumers’ online identities in multiple CIAM implementations.  To reduce fraud and unobtrusively increase the users’ authentication assurance levels, some companies may also acquire users’ IP addresses, device information, and location history. 

Without the EU user’s explicit consent, all of this data collection will violate the EU’s General Data Protection Regulation (GDPR) in May of 2018.  Penalties for violation can be up to €20M or 4% of global revenue, whichever is higher.

Consider a few definitions from the GDPR:

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(4) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

(5) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

This means that companies that are currently deriving benefit from CIAM must:

  1. Perform a privacy data assessment
  2. Create new privacy policies as needed
  3. Plan to clean and minimize user data already resident in systems
  4. Implement the consent gathering mechanisms within their CIAM solutions

If your deployed CIAM solution is not yet fully GDPR compliant, talk with your vendor about their product roadmaps.  Find out when they will release a GDPR compliant version, and determine how to work that into your own release schedule. 

If your organization is considering deploying CIAM in the near future, make sure that GDPR compliant consent mechanisms and storage schemes are on your RFP requirements list.

This article is not intended to provide detailed technical or legal advice.  For more information, see the full text of GDPR at the link above, and visit www.kuppingercole.com. Over the next few months, we will examine other aspects of GDPR and what it entails for business, IAM, and IT infrastructure.