Data Management, Privacy & Security Done Right

  • TYPE: Combined Session DATE: Wednesday, May 15, 2019 TIME: 11:00-12:00 LOCATION: AMMERSEE I


Due to the requirements in GDPR, IAM professionals can no longer accept to use production data in development and test environments, which has been a common practice for many years. The presentation will focus on the GDPR requirements regarding anonymization or pseudonymization of production data, and discuss why this is almost impossible to do in IAM projects. Testing IAM solutions and cleaning data is an integral part of the presentation.

Key takeaways:

What you are doing today is properly not GDPR compliant
You will understand the complexity in testing IAM solutions
You will understand some of the possible safeguards


Claus is a member of the cybersecurity unit at PwC Denmark, where he heads the Identity and Access management team working with IAM from strategy through execution. Claus is a senior IT professional with many year' experience from complex IAM projects in large organisations. He works as an IAM...

Privacy has become a global concern, with regulations such as GDPR coming into effect. In this context, e-commerce businesses that operate globally cannot simply adopt data protection regulations of a single country/region. Supporting each and every regulation as they emerge is challenging and greatly increases the maintenance cost. Furthermore, these kinds of regular modifications can lead to poor customer experiences.
Leveraging well-known privacy by design principles into your system design strategy is a long-term and sustainable solution for most of these privacy challenges. Once these principles are adopted, it is possible to achieve each individual privacy regulation compliance easily with minimum time and effort. This talk introduces a number of well-known privacy by design principles and explores how they implemented in real world scenarios. This talk also highlights the benefits of each of these principles with potential implications.

In the context of a high-level system architecture, separating personal and security data from other business and operational data is one of the core principles. The responsibility of managing personal and security data can be delegated to a specific module or dedicated IAM solution, as other components request for personal data in an on-demand and transient manner - usually through standard security tokens such as OpenID Connect, SAML or JWT token.

Once personal and security data are isolated from other systems, it is possible apply set of security and privacy best practices. These include data minimization when capturing and storing data, data anonymization when storing, pseudonymization during strong, the use of a system-generated ID during data sharing, encryption before storing, and storing hashes instead of the original value.

Design and providing a user-centric experience are also key design principles. For example, all data processing activities have to be transparent for users and they need to be informed of these activities. Usually these activities require clear and active consent from users. Systems should facilitate to review and revoke previously given consent. Systems should also provide means to modify or remove user profiles by themselves. The adoption of strong and adaptive authentication mechanisms, use of up-to-date cryptographic algorithms, and libraries also help to improve end-to-end security of the system.

Key takeaways:

- Why you should invest and focus more on Privacy By Design (PbD) than individual privacy standards
- Assess the impact of each Privacy By Design (PbD) principle
- Learn proven industry level best practices to embody Privacy By Design (PbD) principles into your system design


Sagara Gunathunga is a Director at WSO2 and part of the team that spearheads WSO2’s architecture efforts related to Identity and Access Management (IAM). Sagara has spoken on GDPR and privacy at workshops across the EU and WSO2Con in Europe, USA, and Asia. He will also deliver a...

Beyond a mere equation between risk appetite, compliance and costs, cybersecurity is becoming a matter of good corporate governance, good ethics, and quite simply – good business. The Board, which is ultimately accountable for cyber resilience, must own it and drive it as a key pillar of any firm Environmental, Social and Governance (ESG) strategy


Log in to download presentations:  


Session Links

Munich, Germany


European Identity & Cloud Conference 2019

Registration fee:
€2100.00 $2625.00 S$3360.00 23100.00 kr
Mastercard Visa American Express PayPal INVOICE
Contact person:

Mr. Levent Kara
+49 211 23707710
  • May 14 - 17, 2019 Munich, Germany