CIAM Standards Best Practice

  • TYPE: Combined Session DATE: Thursday, May 17, 2018 TIME: 12:00-13:00 LOCATION: AMMERSEE I


IAM is a cornerstone in GDPR implementations, but both GDPR and IAM implementations are far from easy. Together, they are even more complex. In order to reap the benefits, you need to overlay two projects: building your IAM and creating your compliance program. These projects are very different in nature and owned by essentially very different people – legal and security, and may already in the beginning lack a common language.

In a successful cross-professional GDPR+IAM project, you need to understand how law and technology interplay in your organisation. In general, GDPR compliance has a nexus of touchpoints with IAM, but it needs to be supported by appropriate processes and documentation to be considered as a GDPR compliance measure by lawyers. Statutory security is not an easy read in the GDPR. Many of the documentation and process requirements contain essentially the same information as conventional access management, log and information security policies, but now with more content from GDPR, and aligned from a data privacy perspective.

Data protection requirements are more prominently present in CIAM implementations in the consumer market, because in addition to identity and access, they serve the core of the GDPR – i.e. efficiently manage personal data in a manner that overlaps data subject rights. In essence, CIAM implementation and architecture may provide companies great advantages in satisfying novel functional requirements of the GDPR, such as data portability.

Key Takeaways:

  • Overview of cross-professional work in IAM implementations from a GDPR standpoint
  • Understand the documentation and processes implied by GDPR in identity and access management context
  • What GDPR considerations to keep in mind in CIAM implementations


1. Introduction- why do we need a KYC process 

  • how we can prevent the breach, describe KYC process, quickly describe KYC process in regulatory and non-regulatory services, 
  • downside of manual KYC processes (insecure method of authentication, storing personal data)

2. How the KYC process can be automated

  • different ways of the automated KYC processes
  • security features of the automated KYC process

3. How the personal data is protected in the light of GDPR

  • legal requirements with regard to data processing (lawfulness, TOM, rights of users, DPO)
  • pseudonymisation and anonymisation data- problem with hashing and current legislation (personal data)
  • how automatic KYC process has to meet the requirements of GDPR

Key takeaways:

  • Pseudonymisation as a security measure
  • Hashing problem 


Katarzyna Kazimierczak is COO at Authenteq, an automatic identity verification, and privacy platform, that issues a blockchain, self-owned and controlled digital ID. Katarzyna has lived and worked in five countries and acquired over 10 years of experience dealing with legal, financial and...

eIDAS is identity federation within a trust framework on an unprecedented scale. In 2018 member states of the European Union will be required to recognise the eID's of other member states under the eIDAS Regulation. Connectis is leading the transition towards a Digital Single Market through various successful projects, co-financed by the European Union's Connecting Europe Facility.

Connectis already aided around 100 Dutch municipalities open up hundreds of services to citizens from other EU countries in an eIDAS-sustainable way. This experience provides lots of success stories, but also many lessons learned and the foresight of several hurdles ahead that we need to take, both on local, national and international levels.

Key Takeaways:

  • eIDAS is already happening - don't wait, get started!
  • Identity Federation requires expert knowledge and complex infrastructures - eIDAS is Identity Federation on an unprecedented scale.
  • Many (other) parties and roles are involved and many more need to be recognised and adhered to to get involved.
  • Hands-on experience is needed to evolve and mature this trust framework and its operations.
  • There's some serious hurdles ahead that we need to deal with collaboratively.
  • The good news is: it already works!


Esther Makaay is a digital identities professional. Her role is proposition development – identifying partners, getting pilots and projects started – for log-in solutions provider Connectis and for .nl registry SIDN . Specialist fields include trust frameworks, digital identities...

Log in to download presentations:  


Session Links

Munich, Germany


European Identity & Cloud Conference 2018

Registration fee:
€1980.00 $2475.00 S$3168.00 21780.00 kr
Mastercard Visa American Express PayPal INVOICE
Contact person:

Mr. Levent Kara
+49 211 23707710
  • May 15 - 18, 2018 Munich, Germany