Webinar Recording
Managing the User's Consent Life Cycle: Challenges, GDPR Compliance and (Business) Rewards
A core requirement coming up with GDPR is that parties processing personally identifiable information need to ask the user for his/her consent to do so and let the user revoke that consent any time and as easy as it was given. Keeping an audit able trail of consent, scope of use and revocation during the whole customer identity life cycle is a significant requirement not covered by traditional Identity & Access Management (IAM) solutions. In this webinar, we have a look at what makes the difference between employee focused IAM and Customer focused IAM (CIAM) and what a CIAM solution needs to provide in order to help your organization mastering the GDPR (and PSD2) challenges.
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, managing the user's consent lifecycle challenges, GDPR compliance and business rewards. This webinar is supported by welcome. The speakers today are me Martin Kuppinger I'm CEO, founder, and principal Analyst at KuppingerCole and carne fro was vice president product and strategic alliances at I welcome before we start some general information about Cola and some housekeeping information Cola is an Analyst company. We were founded back in 2004, providing neutral advice expertise, so leadership and practical relevance focused on areas in particular information, security, identity, and access management governance, but also a lot of other areas concerning digital transformation. So our roots, so to speak are in identity and information security, but we cover increasing number of other topics around our services include a couple of business areas. So we do research such as our leadership compass documents, which compare vendors in a certain they're offering to certain market segment, but also how two guys, advisory notes and a lot of other stuff we do events.
So we do, and I'll talk about this in a minute, including our webinars, but also a couple of onsite events. And we do advisory where we act as a mutual partner on providing independent advice. For instance, selecting products and building strategies, defining roadmaps cetera from events perspective, there are two important upcoming events. In fact, one series of events and one other went. So the closest one is European identity in cloud conference, which will be held in May 9th to 12th in Munich. It's the 11th edition of this conference and it's sort of the master 10 conference around ID security and related topics in Europe. And then in the August to November timeframe, we will do our consumer identity work to with three locations, which are Singapore, Seattle, and Paris. That's it from sort of the information about keeping a call and the upcoming events regarding the webinar.
You are muted centrally, so you don't have to mute around mute yourself. We will record a webinar and the recording will be available latest by tomorrow. And there will be a Q and a session at the end, but you can end the questions at any time using the questions feature in the go to webinar control panel. That's the control panel, which is usually at the right side of your screen. The more questions we have, the more likely the Q and a session will be. So don't hesitate to enter your questions right now. Let's look at the agenda as usually it'll be split into three parts. In the first part, I will talk about how to include a compliant and business oriented cm. So consumer or customer identity, access management strategy into your identity and access management program. But I also will look at some aspects around the driver.
So the GDPR and PST two driver, some organizational aspects, etcetera. And the second part in Corona, we'll talk about the different needs of GDPR and PST two. And he will talk about a step by step approach to implement the lifecycle management focused cm into your enterprise infrastructure consent and how to deal with consent will become one of the most interesting, fascinating challenges in that space. Okay. So let's move from here. I wanna start a little bit high level with the digital transformation, because at the end, a lot of what we are seeing here, particularly around consumer identity management is really driven by the digital transformation and the digital transformation. Yes, the password of the year, not only of this year, it's a password to some extent. On the other hand, it is really describes a fundamental change in the way we do businesses. So there are a couple of external drivers.
So amongst these external drivers, we see a change in competitive landscape. If you look at automotive vendors where Tesla right now is a challenger to traditional automotive vendors, if you look at the changes in banks, I'll touch us later on in the context of PST two and many other businesses, the competition is changing, which means you need to be more innovative. You, we see a lot of business models, also changing from a product to a service business model. So use the car whenever you need it, but don't buy the car anymore. Everything becomes connected. And then we have this area of ever increasing attacks on 100, the ever changing regulations on the other side. So we have more, more regulations. And some of these regulations will massively affect how we deal with customers and consumers in the future partnerships and so on. So organizations need to be more agile, more innovative, more flexible, and we will touch this organizational aspect.
Then when we talk about where does consumer identity management really belong? So there are some key topics. If you're manufacturing organization, clearly it's smart manufacturing, it's the internet of things and it's in particular. So to speak, know your customer, but not only in the regulatory sense, but also in a sense of know, as much as you can about your customer serve the customer perfectly well. So there are various technologies we need to look at. And if you look at these technologies, yes, there's blockchain, there's cognitive and AI, there are sensors, but there's some particular identity. So understanding the identity of your customers, understanding the identity of things, understanding which things devices are associated with such customer. And then on the other hand, more on the lefthand side of that picture, the security and privacy. So we have this change, which is one fundamental evolution we are facing to today.
The other is that we also see a change in many industry regard industries regarding regulatory burden and used to the finance industry because the finance industry clearly is the ones which was most under pressure. So back in the year, 2008, 2009 was the financial crisis. A lot of regulations were say introduced or massively tightened was first. Our additions made over time. Next year space three affecting the, the capital side of banks became effective a little later. Then we had in 2015, for instance, in Germany, the it security law becoming effective, which looks at a critical industries and finance amongst many other industries is considered being a critically critical industry. And the cost of compliance, the total cost of compliance was growing and continues to grow. And right now in the, within the next 14 months, we will have two other important regulations in the EU becoming effective.
One is PST two and the other C U GDPR. So PST two is the payment service to revise premium services directive. So this PSD two, the second one and the other, the huge GDPR is the general data protection regulation. And they will lead to an ever increasing cost of compliance. And we will have changes in that space. And what we also should think about when we look at all this, it's not only what does it mean as a burden, but which is the common approach, follow the regulator, follow the auditor, but also look at how could we, how could we change sort of the game here in, in the sense of on one hand, there's the cost, it's the competitiveness. There seems to be no benefit, but isn't there is there really no benefit or can we create such benefit? That's where I will end up then with my presentation.
So this is the sort of the scenario we are in and GDPR, as I've said, one of these regulations. So until now, so before GDPR, every U member state has its own data protection laws with GDPR, we have an U rule, which is binding and which is accompanying national laws. So the point in fact is if it's called a regulation or directive, so directive says you have to do it, your legal law in your local law regulation over rules, the local law, there might be some exemptions, but basically that's sort of the difference. And it's even a little less than 435 days to go right now until it becomes effective. And one of the most important things in there is what I have on the, at the upward, at the lower side of the, the right hand side, it binds businesses established outside the EU to the European standards when they are operating in the EU or the related economic region, which in fact means simply said, if you want to do business with EU resident people, the GDPR applies.
Even if you're based in the us, even if you're based on Asia or somewhere else, this is I think a very important thing. And so when we look at this, for some reason, my PowerPoint chose it again, there are some key aspects to understand about a GDPR. So one of the most important ones is unless another legal basis in place written contract fact consent is required prior to processing personal data. You need consent. And this, this is the big change in the combination has to be freely given, informed and ambiguous. And it needs to consist of clear statements of affirmative action. So saying, oh, I use a cookie and I might do with your data. Whatever I want is not sufficient anymore. It's explicit informed, and it's per purpose, which might be revoked again. So you can't say I collect the data under the later point of time, you say, okay, I used for something totally different.
It's really about saying, I need content per purpose. And if I add a purpose, I need to get the content for this new purpose, which is a very fundamental change then, okay, you need data protection officers, which can be external. There might be scenarios, or there are certain scenarios where you need to run additional data protection, impact assessments. For instance, if you are super supervising public places, et cetera, or dealing with sales data, interesting data breach notification within 72 hours, which is a short period of time. And you need to be prepared for that massive data control rights. So the right to be forgotten the right to freeze data processing of your data. So I can come and say, okay, for now, you're not allowed to use my data. I might request the data to be exported and edited. I have to write of data probability, even, which is interesting because if you look at the data models, unless you have an understanding of where is which part of the PII is stored, you will not be able to comply with these regulations. So if it's sprawled across a lot of systems and you don't have a clue where it really is, then you will be definitely challenged. Oh yeah. And you have to be privacy by default and design as a mandatory thing. So this sounds very massive and it can be very massive depending on where you are today. So how big is the real impact of that? I think it's easier if already, if there are already strong privacy regulations to more, you have to do today, the easier it is.
Do you have one purpose of your business or multiple ever changing purposes? So if you have changing purposes, you will have to ensure that you always have consent, a DPO in place, easy for Germany, where it's something you have to have in other countries far more difficult. There might be some country specific exemptions, which make it easier for you. But the challenge is if there are too, so sort of trying to weaken the, the, the GDPR too much, the European court of trust is most likely will not accept these. Are you technically able to support the requirements such as the right to be forgotten the consent purpose, etcetera, you need a platform which supports you. You need a data model, which supports us. So you really have to look at your, the way you work with PII, with customer data, et cetera. Then based on that, you might have identified that you have major requirements to change the way you handle PII.
Are your applications dealing with PII built according to the principles of security by design and privacy by design. So there are several aspects. And so if you're already as a good in dealing with privacy challenge will be less. If you're not as good, it will be bigger. What happens if you don't comply finances and sanctions up to 4% of the annual worldwide turnover of the group or 20 million Euro, whichever is greater. So where significant. And so there are various reasons to, to impose a, a fine, I don't want to go into detail that much, but we I'm absolutely sure that we shortly after the May 28th next year, we'll see a number of lawsuits starting around that, which is I think very, very logical because privacy is a very sensitive topic. And there are various parties which are interested in such lawsuits. So this is a very high level and very quick overview of GDPR. What about PST two? So PST two, it's another regulation, totally different. One PST two comes into play when it goes, when it's about payment services and it changes a lot of stuff around payment services.
It also means in many scenarios, you have to change the way you, you work with customers. So, and that's where I wanna come to. So there are basically two major technical requirements. One is strong customers, location, which in most cases with a couple of exemptions that you have to have a two-factor syndication place, unless it's less than 30 euros or an unattended payment machines. So like, like in the parking lot, etcetera, and you need to open APIs fact as interfaces for so-called AI piece and PI PSPS IPS are account information. Service providers, PSPS are payment initiation service providers. So these are in fact other parties, which are then able to do part of the business, which traditionally has been done maybe by a bank. So this, they are called serve party providers, these two, and they can access the target of EU. The explicit target of this regulation is to foster competition.
And as IPS and PSPS have less re burned by regulatory compliance. So they can in fact build the interface to the customer by saying, okay, I provide something which allows you to access all accounts at all of your financial institutions, or to run all your payments through my service, which is a challenge for an established bank, because it means they're someone which sort of tries to build a face to the customer. They might be more agile than established players and take an ever growing part of the business. It means banks in that case have to rethink the way that they lose customers. They need a totally different way to interface to customers. Basically, they're a little bit harsh. Maybe you can't ignore and die the situations, but then your customers are in your customers anymore. The TPPs will dictate your business model because they are the one who will bring the business or you get Moreira trial interface with either built interface to the customer, be the one who provides consumer identity and access management as part of that and dictate the business model.
So that also means that that your organization will change and you will have to create layers where you say, okay, you have traditional customers and traditional services, but you also will have new banking services and new types of customers. And you will have to operate in different speed around your core banking business. So with traditional applications on the top and the modern applications, sort of on the lower part of this picture, and that's where, where things like consumer identity and other stuff, and Corne will touch this more in his part come into play. And we have to be clear about consumer identities are totally different in the enterprise. No, not a total difference, but there in some areas, they are really different from enterprise identities. So for enterprise identities, you start with security for consumer identities. You start with convenience. If you're a bank, yes, your other focus will be security, but there are really different requirements here.
So for, to serve your customer well in the future, it's not about saying, this is the way to authentic. It's about saying I support everything, which is good enough if you want, because make it convenient to the customer. Think it, I think it authentication all the other stuff from the customer, not from your enterprise and management view. So what you need to, to, to, to be, to do, to be successful is you need to create trust. You may need to make it usable and success will be there. If you provide your alternatives to your customer. And one element that this is to shift from identity management, regional IM identity access management to consumer identity management, to a more modern, not only regulatory view, know your customer and know your customer better should be no serve your customer. So traditionally, we had this view on use lifecycle management, single sign on privilege management with consumer identity management.
The customer journey moves in the center to the center of the attention, the relationship management, who is part of a family, etcetera, the adaptive authentication, the one view in the customer, the customer data integration extremely important in the context of GDPR, all these things coming into play. So it's sort of, I am a scale plus customer experience. And when we then go one step first, or it's really the automated customer interaction, the analytics, but also the privacy and information protection, including the anti money laundering stuff. So it's even one step bigger moving there is not easy because there are so many involved parties, their sales, which traditionally owns the customer in marketing was the marketing automation. There's C it, which is the identity management. Oh yes. There might be the CDO or chief digital officer, chief digital business officer where organizations say, oh, the customer has a totally different role right now we must serve from differently.
And there are some other parties. So the website owners and developers who did the eCommerce website before the business departments, which run their own. Porwal so far the corporate audit from KYC perspective, regulatory in the data protection officers. So it's that easy. And you have to figure this out. You have to look at your organization. So how should your organization change? How must it change? And you can look at different ways to run a consumer identity model. It can be chaotic. So no central management build that work with GDPR and other regulations. It can be integrated. So one consumer identity management, but operated by business, or it can be more service driven, bimodal where you say, this is an it service, but business managers that use it or to very technically leave it in the business. I have a big friend of doing it, service driven, BMO bimodal here.
So saying this is an infrastructure provided as a service, maybe just procured as a service management used by business. Should we split or join the consumer identity management of the employee, identity management, their arguments for both Ryans, for a combination, for everything. My perspective is at least you should have a picture of everything where particularly in the identity, as a service base, things are a little bit converging. The one most, the most important thing here is define your sort of one. I am strategy to integrate everything world there might be, and there will be most likely a couple of tools, but it's about having one strategy. One approach in that. So within business, the recommendation would be having a central consumer identity management managed across all the business department between business and it it's consumer identity as a service and for employee identity management to consumer identity management, it should be integrated view on it based on more than one service, but with an integrated view with that, I'll come to my final slides.
What is also important in this entire context start fighting the culture of compliance. So don't look at all these changes only from a negative perspective, look at opportunities. There are opportunities starting with creating a utility. If you design stuff with security, by design and privacy, by design in mind, you're flexible to adapt to new regulations. And then also think beyond the minimum level of compliance, do it once, right? And you will be safe for a while regarding new regulations and the pressure from auditors, but you also might use it for increasing competitiveness. Yes. There's more pressure look at it. So when you look at PhD to consume your own APIs, under one of others, become a provider, become competitive by understanding your opportunities, not only the threats and that's true for GDPR as well, provide a better authentication to your customer for instance, when you're in GDPR and for business.
And when you look at GDPR, my final slide, the business opportunities of GDPR is there are some very obvious ones. The one is a European view and U view. I have to say it means fairness in competitions. So there are same regulations for everyone doing business with U residents, regardless from where it does, that's an opportunity for EU based organizations. The other thing is content means clarity. So if you have content, then you can act on the data. Sometimes today it's more a gray area. You also need to demonstrate value to your customer to gain content, which is a challenge, but which could also increase custom loyalty. The customer knows what you do with the data and why you need it and what he gets for it. And you also could become when we look at data, portability the target, not only the source with that and some of these sorts I hand over to carnet, we will then do the second part of the presentation and talk about a different content needs of GDPR and PST two carnet it's your turn.
Okay. Thank you, Martin. Welcome everybody. My presentation will be focused on consent in the new world. Martin just described with both GDPR and PSD two, the topic consent is really on the rise specifically around the use and the processing of personal identifiable information. You should have not compared this to the European union cookie legislation, where Martin already mentioned about where you constantly had to approve the use of cookies. Every time you visited a website, consent is something you gave and will last till you withdraw it. And you can extend the purpose of a consent and reduce it. And the company needs to document it. It is as such a real lifecycle topic. Like we have seen an identity and access management in the past with join us movers leaves in the enterprise domain. Now you have consented. Join us movers leaves in the consumer domain, and it requires the same kind of capabilities of the management platform to offer self-service, to give transparency, to keep records, to allow changes. So nothing new in a way, besides it's not really a standard capability of most current identity and access management solutions, but that's going to change because they can't stay away from management as part of it,
GDPR and PSD two already mentioned they have specific consent requirements dictated by law. There are, I have two other topics I want to talk about more market trends that are really strong on consent. That is the internet of things. You may have thought of that before. And it's Uma user managed access, which is a new, new trend or a new standard in a way in the next slide. So we'll go to each of, of these to show where consent is a requirement and where you need to arrange something. So consent in GDPR. Martin already mentioned a couple of points, like show an by statement, clear affirmed action, withdrawal of consent with a GDPR. That's not only the term consent. There's also a very strict definition of what is allowed as consent. And there are many, many exceptions. If a company needs, for instance, your address to send to your home, the book you just ordered, you do not need to ask consent.
As it follows out of the so-called contract of buying a book, it's very clear for a consumer where the address is for, and only for debt purpose and for debt moment, a company can use that address. So what if the company wants to store the address for any further orders, which is convenient also for user, then they need to ask consent as the action of storing the data is a processing activity that is not necessary to execute a current contract, which was buying that specific book. And you don't have any future one yet in place like buying a future book. So they have to ask consent. So here it becomes complicated in a way. Then there's an additional layer of complication when it comes to sensitive data, which can be like religion or race, a company needs to ask so-called explicit consent and explicit in this case means that this choice has to be asked specifically, and that you have to take a separate action, like taking another box to confirm.
So you get a slower response, basically with more tick boxes to get real confirmation. And of course, companies need to, to put that and document it. GDPR also dictates companies need to keep track of all consents given and that you have to take, sorry. So all consents given it should be all of the ball for all of this and transparency for consumers, and you can't ask consent for something you should be freely given. And if not freely given don't deliver a service as a result of it. So you can't basically dictate consent. And then say, if you do not press these buttons, if you do not allow us using this, then we are not gonna enroll you to, to the service, unless in certain cases where you can prove that you need that kind of information, think of birthdates because you are having online media like movies.
And there's an age restriction on that specific movie. And there's a law dictating that, which brings me to the next stopping. You can't ask consent to a child that is under the age of 16 and in some countries, and think the UK are the laws getting to the 12 years old. You really need to ask consent to the parents. So this introduced like more or less parent management or family management in that, in that way. The whole idea of this is from outta the GDPR to give control back to the consumer for the use of his personal data, as it has to stay their data and not for a company to freely use for whatever reason and not protect, protect well at the same time. So like Martin says, it's not enough to just ask consent with a tick box or a cookie. You really need to range a lot more than that.
Then consent in PSD two, just short summary of it, basically because there's a lot around it with PSG two, where financial information is disclosed to third parties, it's close to create a consumer needs to be asked for consent of sharing his financial data. This is very private data. So that does make a lot of sense. Using the data for marketing purposes is also like raising religion in the GDP use case only possible with explicit consent. So it makes it a little bit more difficult. So if you just give consent of using your financial data, you don't give consent of using it for marketing purposes. So without consent you have nothing is really a key topic for PSD two and trusted TPPs third party payment service providers will get easy consent from a consumer then uninterested once. So it's really putting competitive edge to it. And most of the banks have to compete basically with these TPP or become also a TPP in a way.
Then another topic that has a large consent page is basically user managed access Yuma, which is a Canara initiative standard draft standard will play a strong role when it comes to the exchange of personal data between two parties, all under the control of that same consumer, it will further strain the control of consumers over their personal data, and it will make life easier for them. As we all hate to exchange information by hand photocopy and more, we are living in this digital world anyway, and this part exchange of personal information between different legal entities, different companies is still quite immature. So here also for Omar, you have consent and you have to have some consent management taking place. Then the one that is maybe less obvious is O T TDR itself has an impact on, on IOT. And, and we have the thought of that.
Well, think twice, these devices contain a process and process personal data, and they are getting smarting in letting you use the outcome or using the outcome for all kind of decision making, even marketing to lower down the temperature of your house when you're not at home till detecting. If, if it's time to offer you a more suitable subscription on, on something. However, most IOT devices are just not smart enough to communicate difficult consent with the consumer itself. And for GDPR, you have to follow the right steps. No presumed consent for instance, is allowed. This will mean that consent management needs to be outside the device or the device needs to be much smarter. And if outside the device, you have to stay in a kind of trust circle or triangle between the consumer, the device and whatever keeps track of the consent.
So looking at consent and privacy regulation, it's pretty clear. Some things are really must have. If you don't comply, you risk a fine, a substantial fine. Most of these are already mentioned in the presentation of, of Martin. So on an attribute basis per purpose, easily to be to withdraw has to be freely given and specifically looking at the us needs to be opt in, not what I stand, use opt out, but there's also consent functionality that would give the user a better feeling around transparency around privacy and data. And these are more in the nice to have. So mention here, overview of all your consents that you gave possibility to withdraw them at the same place. And a consumer would like to see when the consent is really being used. So in order trail on it, but these are more like nice to have as they are not really regulated. Now that we have seen that consent is getting everywhere. Where should we put consent and consent lifecycle management? Well, our suggestion is as close to, as you can get to the consumer and still protect everything in the proper way, the best way would be to add it to the, my profile base of the consumer itself, because that's where all the personal identify information is extended with consent information, consent controls, preferably in order trail, they can read and understand that system will then be the authoritative source in a way for PI and for consents.
It's important to know that whatever you do with GDPR and or PSD two, and you have to do from a company perspective, the consumer will from 2018 almost be in control if they like it or not. If companies like it or not just be prepared, this is a big change
With all these consents. Are we not getting into the same problems that we had with IM access rights? You're never really fully in control, maybe not as we start pretty Greenfield. Now you have the opportunity to manage the life cycle from the start in a proper way, manage the life cycle of consent, ranging from extending the scope of use to multi value and withdraws let's call that lifecycle management or consent lifecycle management, because that's basically what you are doing around consent or what you should be doing around consent. Now let's go a little bit deeper in how we at ICOM build, build in consent for the GDPR use case, but also for the other examples, in a way multilevel consent per attribute, we created a flexible identity store and attach consent information, right to the source. So you can't lose it. You will keep track of it.
And it's always available for the consumer to view and for the company to use. So how does that look like? So how does the data model looked like? Basically what you see here is there's typically old fashioned golden record where you have things like first name, last name, date of birth could also be access to certain services or products, identification, numbers, and, and, and you name it size of your shoes. So it can be as, as much as can think it's information around the consumer itself, it's profile information, what we had done. And I made in blue, all the consent related things, we add a load of metadata to every attribute. So just a small box that you see here, but it could be a little bit over a hundred items. So on every attribute you have a whole set of metadata talking about expiration date, data classification, when it was last changed, who changed it.
But in this case, in the blue area, where that, that consent, where did the information came from, was consent given together from there was the, the purpose approved. When did you consent it? And specifically when there's also parental control in place, because the child is less than 16, if it is in, in place here and who are the parents that control the consent, if you connect all these metadata to the identity, record, this golden record, then everything is at one place. And if you have everything at one place, you're creating all that context around that data. And you can also enable it through APIs. So you can have policy driven, data management or consent management, or any other APIs directly interfacing with the, the consumer's profile information. And this makes it very strong because everything will be in control and things that are not allowed should not be able to just write things in the, in the golden records.
It will always go through the APIs and it will always be policy based. And then to give access to the consumer, you won't have a UI UX to give that access. So a consumer can log into its profile based and see all this kind of information. You can visualize things like if things came from Facebook, if consent was given, if there's a data retention on it, you name it. And then on the right side, your applications. And of course also our applications in our identity as a service service use this, these APIs in the same way, it's all open. Then how does that look? This is the, my profile base in the bottom side of the privacy base, you will find consents that were given the purpose of it when you accepted it and will give you the possibility to change the consent, even to withdraw the consent. And as you can see, it's on an attribute level base.
And then now we are looking a little bit more deeper into the future. So this is really just an example of timeline. So looking forward to both and IOT things, one we'll see, and this is future look into our product that a timeline can create transparency on where your data is being used. It shows when you approved post or withdraw consent and it'll allow you to immediately intervene if wrong things happen in PSD. Two, one could keep track of what TPPs at that moment with what purpose requesting your classic bank for details on your savings account. So you really have track on what, what is going on it'll show for Uma, what hat hundred is requesting information from the university you went to of course, with your consent, but that was two years ago. So maybe we draw that consent, or you should have made the consent with a, a shorter timeline.
Would you trust a company that is so transparent on the use of your personal data? Question yourself. If you are a company that offers this kind of transparency, would you, if you are the consumer also feel this is more trustworthy because trust is really the key word here. If they trust you, then they're gonna allow to do more service. They're gonna share more of the information with you. You will know more around your customer and for the, for the, for the customer or the consumer in this case, they are back in control and hopefully they will like it. At least I would, but that's the thing that that will be upcoming. And tha thank you very much for listening to this presentation. And because I only got 20 minutes consent from Martin, I pass it back.
Okay. Thank you. Carne. I think you not even fully used sort of what I gave to you. Give me a second to switch over the moderator. Yes. Yeah.
You still have 20 minutes left, so, okay.
So we still have a couple of minutes left and so it's time for the Q and a session right now. We already have a couple of questions here and I'm very open to receive more of these questions. So let's start with this one. So we talked a lot about purpose and what is purpose related to, so it's just saying the entire business, or are more generic things like I use it for marketing purposes or I resell it, or I use it to, to, to manage your user experience or so what is the level of granularity we have to look at purpose. K, could you answer that?
Yeah, it's, it's a good question. And we get it a lot, the thing with purposes, and certainly in the past, they were like the ones, the examples you just mentioned, they were quite vague. So a company could do a lot with it, but that's not well informed. So it's not, it does not fulfill the requirements from the GDPR. So you have to be more precise. What is really the purpose? What's really the processing you will be doing with that data. And if it is for marketing purposes, you should say like, it is for sending you a monthly newsletter. If it's forgiving a better user experiences would say that because of online profile and you will give products that are more in line of their interest. So you have to be a little bit more precise, but yeah, going in very detailed, that will be a little bit too far, but better.
And, and clearly as always with new regulations, there are some gray area.
Exactly. Yeah. We'll find out where that, where that gray area is.
But I think it's very clear that the area is not too big, that gray area. So it will change the way we have to deal this. So this is definitely one of the areas you have to change. Another question in here is, so if you already have data way labeled from your customers. And so I think there are two scenarios to one is clearly you have data collected and you want to another purpose, then you need to consent for it. But what happens with the data you have before had collected before the GDPR becomes effective?
Yeah. You, you can't fully use that data. So the, you can use the data within the context of what was around that contract or the type of business that you've done with, with that consumer. But if there's anything that he could not think of himself, or that was not clear anymore, you have to go through the consent flows again, or you have to go through consent flows. So in a way it's not freely, like if I collected before the GDPR is in, in full force, by the way, it's already in full force now, but it's not enforced. It means you can't just use that for anything. That's not, that's not allowed.
Okay. There are so many questions coming in. Maybe that one fits well to the, to the one thing you, you said is, is there a need to actively trigger the consumers for obtaining the consent?
So, yeah.
Yeah, it is. I would say very simple. Yes, you have to ensure the next time they come back or if they don't come back, you have to inform and say, okay, I want to add that purpose and I need to consent. So there, there are a couple of, I would say a number of things which, which really are around. I think another interesting question I have is here. It appears, so consent is changing from a static to dynamic concept. So how can a company manage numerous consent request programs and through the right consent request, consent is request at the right time and the right context. Yeah. I think this is a very interesting question. So if, particularly, if you have different purposes, different divisions, different different products and services that can become rather complex.
Yeah. And, and it's a given that you will have it certainly when you, when you look at the consumer, being our customer, being, being in your system for a couple of years, no doubt. There will be additional consents you want, you want to ask, and that could be on the same data. So it could be on, on the date birth for instance. So what we've done in our platform is a multi value consent flow. So we have multiple purposes on the same, the same attributes with specific consent with the date consent was given. And we can give that consent through like open ID connect or O out request towards the, the request and web application that you offer to the consumer. So it is at hand basically real time for immediate use by the application itself.
Yeah. I, I think that that's, that's one element. The other thing is I, I think it also goes to the organizational side of how do you deal with that? Well, I, I touched the organization a little and it's very clear. You can't go out and say, I trust let every part, every department do it itself. You need to have a standardized central infrastructure. You should think about what are my sort of enterprise level policies, what are things which are consistent across the entire enterprise? What are the things which are done, not at the enterprise level, but at a regional level or a divisional level. And what are the things which have to be done at the level of an application you need to implement the governance framework for, for that. So how could this framework work look like? Which levels do you have, which control supply, et cetera.
So it's, I, I've only seen it at one customer currently who really thought about it. So we advised them on that. But clearly this is one of the challenges in this context, you need to, to, to understand where is the data who is dealing with it, where is consent required, which other regulations apply? How do you do do it in a, in a consistent way so that you don't ask, for instance, a customer who's using couple of services multiple times for the same consent that also does make any sense. So I think there, there are a number of very interesting things and creating organization on that definitely is one of the, the, the interesting and, and, and important areas here.
Yeah. You, you touched a good point there. So if applica different applications or different departments have different applications to offer to consumers, if they keep track of consents, then the consumer will get multiple consents. But if there's a system in between that basically needs to get that consent, then that system has the overall view of the consents that were already given. So we'll not request the second consent on the same kind of purpose. Yeah. So it's, it's really centralizing this. Like we did with preference management in the past, basically consent management is just another thing. It's a little bit more complicated. It has more of a life cycle, but, and then you have the backend systems. You already mentioned it. You need to really dive into where PII information is, how to keep track of it. If all that information has a purpose on it, if it's from out of contact contract point of view, you can use it so that this is a big exercise on the compliance side too, to the GDPR.
Yeah. And at the end, it's about, I think for, for, for that per aspect and for the aspect of how can you get a complete view of your customer to also for instance, revoke access to, to that data at a certain point of time? I think a very important aspect is you need to have sort of a, a unified view on the consumer identity. So you need something to manage the consumer identity consistently centralized and to manage, to consent around it. Okay. Another question. So we have many questions here, assuming I use a third party data processor is constant transferable, or does it, that's the third party processor to acquire consent by himself as well here, it's important to differentiate. And currently you might add to this between three involved groups of entities might be organizations, might be persons. One is the data S that is the one whose data is collected. That's the one whose data is processed. It might be the customer. Then we have the data processor and we have the, sorry, the data controller. Exactly. The data controller is the one who has to care for the consent. The data processor might be then the one who acts on behalf of the data controller. Correct. I think that's basically the play here. Carney.
Yeah. Correct. And the data subject has to be asked consent by the data controller. And if he uses the processes for that, that's, that's fine, but that's how it's done. So the TPP has to keep track of their own consents and they can't pass consent to another company.
Exactly. Because you give the consent to your data controller to do something
That yeah. And that's the legal entity and it doesn't pass. You can't pass it over to somebody else.
Okay.
Because that would be a data controller and they have to ask the data subject themselves. So you can't just pass through.
Okay. Another question. I think it's one I, I just recently had in another location, but I think it's, it's an important one. So with the Brexit, the U UK still affected when they are not aneu member anymore. And what happens in between again, Corona, you might Azure.
Yeah. Well, Brexit is an interesting topic because you could think that UK doesn't have to comply to the GDPR in 2018, but I mean, it's all over the news. It will take them two years to really end the EU and, and really being loose from all the obligations that they have there. So still 2019, mid 2019, there will be, have to be GDPR compliant. And after that, they, they still need to do business with U consumers and have to have an alike system as the GDPR. So we expect them to have something that is quite similar to that, to make it easier to for their business too, to business with consumers.
And, and I think there are, there are two aspects. The one is what, what about a business with you? Resident data S there, GDPR always will apply regardless whether the UK is in or out for doing business with non UK non-EU residents, the UK will have more flexibility, but to be realistic. And, and if you look at, for instance at Singapore, Singapore also has a very strict data protection law, which is not that far away from, from the GDPR. I think there might be some tendency based on that, that, that we see some sort of standardization at a higher level, because for doing business in certain regions, you will have to comply to very strict laws. And if you can comply with this laws, why, why, why not they doing it sort of right. Everywhere clearly, it's, it's, that's also an interesting point. So if you're doing business in certain regions, you might also need to be flexible and to say, okay, this one, that's the, the rules which apply here.
Here, we have to inform about terms and conditions in a different way than there, which again means you need some sort of a layer approach where you say this is central. This is our baseline, what we do across the entire organization. And that region, we do this part differently. So maybe a little more lax on, on content and other regions, very strict on content. There might be different attributes, which are considered being very sensitive and you need to really create an organization and global, if you're a global organization, you have to have a global concept for dealing with privacy, with customer identity, with all the related stuff. Then also, I think goes back to another question which came in. So con central concept management or siloed one, how does a good approach look like? So I think I just gave Matthias or Connie. You might want to add here.
Yeah. The same answer basically. It's you can't go for a silo approach. It will hurt not only you, but also the consumer itself. So I wouldn't go for a siloed approach, but look for a central one.
Yeah. And not only look at it from a technical perspective, you have to understand who who's in charge of what and that. So think about the organizational aspect. Think about governance, create a consumer identity and sort of consumer data, consumer privacy governance approach define the controls and all that stuff. So we have still a couple of questions left, open. What I propose is we take one, one last question. If you have more questions, just enter them. And we might then respond to the questions, particularly ones we didn't answer, but maybe more depth on some of the questions we had here. We might respond to them in a, in a blog post. We will publish at our website and maybe I welcome website as well within the next couple of days. So the final question I'd like to take here is in what area of it also something we already discussed shortly, but not really in depth does constant management follow. So is it more, a CRM thing is it's an identity management thing. Is it master data management for all the various, whereas for, so, so for creating one combined view in the consumer, so what is the right way to look at it?
Yeah. How we look at it is that you have to be close to the consumer because of the, the GDPR. He has to change his information, withdraw it, transport it, et cetera. So the data has to be anywhere close to the consumer. If you put consent in, in one of the systems that are more in the back, like an MDM, then it's not that easy to open that up for a consumer to change it. So, but it's not undoable to put it there. I would say closer to the consumer and a cm solution or a like would be a good, good place to, to do it.
Yeah. And you should understand how this cm solution interfaces to your sort of enterprise or employee IM for all the systems to hold some of the data or which might be accessed directly or indirectly as well. So look at it also from a bigger picture, created bigger picture created strategy. So as I've said, we have a couple of questions left. We will cover these questions in the block post. Right now, we are close to the top of the hour. So I'd like to thank you very much to all the attendees of this webinar. Thank you very much Carney for your presentation. I hope it was very interesting to you. There will be more events and don't miss the European identity and cloud conference where GDPR also will play a very important role in the agenda. Thank you.
So we do, and I'll talk about this in a minute, including our webinars, but also a couple of onsite events. And we do advisory where we act as a mutual partner on providing independent advice. For instance, selecting products and building strategies, defining roadmaps cetera from events perspective, there are two important upcoming events. In fact, one series of events and one other went. So the closest one is European identity in cloud conference, which will be held in May 9th to 12th in Munich. It's the 11th edition of this conference and it's sort of the master 10 conference around ID security and related topics in Europe. And then in the August to November timeframe, we will do our consumer identity work to with three locations, which are Singapore, Seattle, and Paris. That's it from sort of the information about keeping a call and the upcoming events regarding the webinar.
You are muted centrally, so you don't have to mute around mute yourself. We will record a webinar and the recording will be available latest by tomorrow. And there will be a Q and a session at the end, but you can end the questions at any time using the questions feature in the go to webinar control panel. That's the control panel, which is usually at the right side of your screen. The more questions we have, the more likely the Q and a session will be. So don't hesitate to enter your questions right now. Let's look at the agenda as usually it'll be split into three parts. In the first part, I will talk about how to include a compliant and business oriented cm. So consumer or customer identity, access management strategy into your identity and access management program. But I also will look at some aspects around the driver.
So the GDPR and PST two driver, some organizational aspects, etcetera. And the second part in Corona, we'll talk about the different needs of GDPR and PST two. And he will talk about a step by step approach to implement the lifecycle management focused cm into your enterprise infrastructure consent and how to deal with consent will become one of the most interesting, fascinating challenges in that space. Okay. So let's move from here. I wanna start a little bit high level with the digital transformation, because at the end, a lot of what we are seeing here, particularly around consumer identity management is really driven by the digital transformation and the digital transformation. Yes, the password of the year, not only of this year, it's a password to some extent. On the other hand, it is really describes a fundamental change in the way we do businesses. So there are a couple of external drivers.
So amongst these external drivers, we see a change in competitive landscape. If you look at automotive vendors where Tesla right now is a challenger to traditional automotive vendors, if you look at the changes in banks, I'll touch us later on in the context of PST two and many other businesses, the competition is changing, which means you need to be more innovative. You, we see a lot of business models, also changing from a product to a service business model. So use the car whenever you need it, but don't buy the car anymore. Everything becomes connected. And then we have this area of ever increasing attacks on 100, the ever changing regulations on the other side. So we have more, more regulations. And some of these regulations will massively affect how we deal with customers and consumers in the future partnerships and so on. So organizations need to be more agile, more innovative, more flexible, and we will touch this organizational aspect.
Then when we talk about where does consumer identity management really belong? So there are some key topics. If you're manufacturing organization, clearly it's smart manufacturing, it's the internet of things and it's in particular. So to speak, know your customer, but not only in the regulatory sense, but also in a sense of know, as much as you can about your customer serve the customer perfectly well. So there are various technologies we need to look at. And if you look at these technologies, yes, there's blockchain, there's cognitive and AI, there are sensors, but there's some particular identity. So understanding the identity of your customers, understanding the identity of things, understanding which things devices are associated with such customer. And then on the other hand, more on the lefthand side of that picture, the security and privacy. So we have this change, which is one fundamental evolution we are facing to today.
The other is that we also see a change in many industry regard industries regarding regulatory burden and used to the finance industry because the finance industry clearly is the ones which was most under pressure. So back in the year, 2008, 2009 was the financial crisis. A lot of regulations were say introduced or massively tightened was first. Our additions made over time. Next year space three affecting the, the capital side of banks became effective a little later. Then we had in 2015, for instance, in Germany, the it security law becoming effective, which looks at a critical industries and finance amongst many other industries is considered being a critically critical industry. And the cost of compliance, the total cost of compliance was growing and continues to grow. And right now in the, within the next 14 months, we will have two other important regulations in the EU becoming effective.
One is PST two and the other C U GDPR. So PST two is the payment service to revise premium services directive. So this PSD two, the second one and the other, the huge GDPR is the general data protection regulation. And they will lead to an ever increasing cost of compliance. And we will have changes in that space. And what we also should think about when we look at all this, it's not only what does it mean as a burden, but which is the common approach, follow the regulator, follow the auditor, but also look at how could we, how could we change sort of the game here in, in the sense of on one hand, there's the cost, it's the competitiveness. There seems to be no benefit, but isn't there is there really no benefit or can we create such benefit? That's where I will end up then with my presentation.
So this is the sort of the scenario we are in and GDPR, as I've said, one of these regulations. So until now, so before GDPR, every U member state has its own data protection laws with GDPR, we have an U rule, which is binding and which is accompanying national laws. So the point in fact is if it's called a regulation or directive, so directive says you have to do it, your legal law in your local law regulation over rules, the local law, there might be some exemptions, but basically that's sort of the difference. And it's even a little less than 435 days to go right now until it becomes effective. And one of the most important things in there is what I have on the, at the upward, at the lower side of the, the right hand side, it binds businesses established outside the EU to the European standards when they are operating in the EU or the related economic region, which in fact means simply said, if you want to do business with EU resident people, the GDPR applies.
Even if you're based in the us, even if you're based on Asia or somewhere else, this is I think a very important thing. And so when we look at this, for some reason, my PowerPoint chose it again, there are some key aspects to understand about a GDPR. So one of the most important ones is unless another legal basis in place written contract fact consent is required prior to processing personal data. You need consent. And this, this is the big change in the combination has to be freely given, informed and ambiguous. And it needs to consist of clear statements of affirmative action. So saying, oh, I use a cookie and I might do with your data. Whatever I want is not sufficient anymore. It's explicit informed, and it's per purpose, which might be revoked again. So you can't say I collect the data under the later point of time, you say, okay, I used for something totally different.
It's really about saying, I need content per purpose. And if I add a purpose, I need to get the content for this new purpose, which is a very fundamental change then, okay, you need data protection officers, which can be external. There might be scenarios, or there are certain scenarios where you need to run additional data protection, impact assessments. For instance, if you are super supervising public places, et cetera, or dealing with sales data, interesting data breach notification within 72 hours, which is a short period of time. And you need to be prepared for that massive data control rights. So the right to be forgotten the right to freeze data processing of your data. So I can come and say, okay, for now, you're not allowed to use my data. I might request the data to be exported and edited. I have to write of data probability, even, which is interesting because if you look at the data models, unless you have an understanding of where is which part of the PII is stored, you will not be able to comply with these regulations. So if it's sprawled across a lot of systems and you don't have a clue where it really is, then you will be definitely challenged. Oh yeah. And you have to be privacy by default and design as a mandatory thing. So this sounds very massive and it can be very massive depending on where you are today. So how big is the real impact of that? I think it's easier if already, if there are already strong privacy regulations to more, you have to do today, the easier it is.
Do you have one purpose of your business or multiple ever changing purposes? So if you have changing purposes, you will have to ensure that you always have consent, a DPO in place, easy for Germany, where it's something you have to have in other countries far more difficult. There might be some country specific exemptions, which make it easier for you. But the challenge is if there are too, so sort of trying to weaken the, the, the GDPR too much, the European court of trust is most likely will not accept these. Are you technically able to support the requirements such as the right to be forgotten the consent purpose, etcetera, you need a platform which supports you. You need a data model, which supports us. So you really have to look at your, the way you work with PII, with customer data, et cetera. Then based on that, you might have identified that you have major requirements to change the way you handle PII.
Are your applications dealing with PII built according to the principles of security by design and privacy by design. So there are several aspects. And so if you're already as a good in dealing with privacy challenge will be less. If you're not as good, it will be bigger. What happens if you don't comply finances and sanctions up to 4% of the annual worldwide turnover of the group or 20 million Euro, whichever is greater. So where significant. And so there are various reasons to, to impose a, a fine, I don't want to go into detail that much, but we I'm absolutely sure that we shortly after the May 28th next year, we'll see a number of lawsuits starting around that, which is I think very, very logical because privacy is a very sensitive topic. And there are various parties which are interested in such lawsuits. So this is a very high level and very quick overview of GDPR. What about PST two? So PST two, it's another regulation, totally different. One PST two comes into play when it goes, when it's about payment services and it changes a lot of stuff around payment services.
It also means in many scenarios, you have to change the way you, you work with customers. So, and that's where I wanna come to. So there are basically two major technical requirements. One is strong customers, location, which in most cases with a couple of exemptions that you have to have a two-factor syndication place, unless it's less than 30 euros or an unattended payment machines. So like, like in the parking lot, etcetera, and you need to open APIs fact as interfaces for so-called AI piece and PI PSPS IPS are account information. Service providers, PSPS are payment initiation service providers. So these are in fact other parties, which are then able to do part of the business, which traditionally has been done maybe by a bank. So this, they are called serve party providers, these two, and they can access the target of EU. The explicit target of this regulation is to foster competition.
And as IPS and PSPS have less re burned by regulatory compliance. So they can in fact build the interface to the customer by saying, okay, I provide something which allows you to access all accounts at all of your financial institutions, or to run all your payments through my service, which is a challenge for an established bank, because it means they're someone which sort of tries to build a face to the customer. They might be more agile than established players and take an ever growing part of the business. It means banks in that case have to rethink the way that they lose customers. They need a totally different way to interface to customers. Basically, they're a little bit harsh. Maybe you can't ignore and die the situations, but then your customers are in your customers anymore. The TPPs will dictate your business model because they are the one who will bring the business or you get Moreira trial interface with either built interface to the customer, be the one who provides consumer identity and access management as part of that and dictate the business model.
So that also means that that your organization will change and you will have to create layers where you say, okay, you have traditional customers and traditional services, but you also will have new banking services and new types of customers. And you will have to operate in different speed around your core banking business. So with traditional applications on the top and the modern applications, sort of on the lower part of this picture, and that's where, where things like consumer identity and other stuff, and Corne will touch this more in his part come into play. And we have to be clear about consumer identities are totally different in the enterprise. No, not a total difference, but there in some areas, they are really different from enterprise identities. So for enterprise identities, you start with security for consumer identities. You start with convenience. If you're a bank, yes, your other focus will be security, but there are really different requirements here.
So for, to serve your customer well in the future, it's not about saying, this is the way to authentic. It's about saying I support everything, which is good enough if you want, because make it convenient to the customer. Think it, I think it authentication all the other stuff from the customer, not from your enterprise and management view. So what you need to, to, to, to be, to do, to be successful is you need to create trust. You may need to make it usable and success will be there. If you provide your alternatives to your customer. And one element that this is to shift from identity management, regional IM identity access management to consumer identity management, to a more modern, not only regulatory view, know your customer and know your customer better should be no serve your customer. So traditionally, we had this view on use lifecycle management, single sign on privilege management with consumer identity management.
The customer journey moves in the center to the center of the attention, the relationship management, who is part of a family, etcetera, the adaptive authentication, the one view in the customer, the customer data integration extremely important in the context of GDPR, all these things coming into play. So it's sort of, I am a scale plus customer experience. And when we then go one step first, or it's really the automated customer interaction, the analytics, but also the privacy and information protection, including the anti money laundering stuff. So it's even one step bigger moving there is not easy because there are so many involved parties, their sales, which traditionally owns the customer in marketing was the marketing automation. There's C it, which is the identity management. Oh yes. There might be the CDO or chief digital officer, chief digital business officer where organizations say, oh, the customer has a totally different role right now we must serve from differently.
And there are some other parties. So the website owners and developers who did the eCommerce website before the business departments, which run their own. Porwal so far the corporate audit from KYC perspective, regulatory in the data protection officers. So it's that easy. And you have to figure this out. You have to look at your organization. So how should your organization change? How must it change? And you can look at different ways to run a consumer identity model. It can be chaotic. So no central management build that work with GDPR and other regulations. It can be integrated. So one consumer identity management, but operated by business, or it can be more service driven, bimodal where you say, this is an it service, but business managers that use it or to very technically leave it in the business. I have a big friend of doing it, service driven, BMO bimodal here.
So saying this is an infrastructure provided as a service, maybe just procured as a service management used by business. Should we split or join the consumer identity management of the employee, identity management, their arguments for both Ryans, for a combination, for everything. My perspective is at least you should have a picture of everything where particularly in the identity, as a service base, things are a little bit converging. The one most, the most important thing here is define your sort of one. I am strategy to integrate everything world there might be, and there will be most likely a couple of tools, but it's about having one strategy. One approach in that. So within business, the recommendation would be having a central consumer identity management managed across all the business department between business and it it's consumer identity as a service and for employee identity management to consumer identity management, it should be integrated view on it based on more than one service, but with an integrated view with that, I'll come to my final slides.
What is also important in this entire context start fighting the culture of compliance. So don't look at all these changes only from a negative perspective, look at opportunities. There are opportunities starting with creating a utility. If you design stuff with security, by design and privacy, by design in mind, you're flexible to adapt to new regulations. And then also think beyond the minimum level of compliance, do it once, right? And you will be safe for a while regarding new regulations and the pressure from auditors, but you also might use it for increasing competitiveness. Yes. There's more pressure look at it. So when you look at PhD to consume your own APIs, under one of others, become a provider, become competitive by understanding your opportunities, not only the threats and that's true for GDPR as well, provide a better authentication to your customer for instance, when you're in GDPR and for business.
And when you look at GDPR, my final slide, the business opportunities of GDPR is there are some very obvious ones. The one is a European view and U view. I have to say it means fairness in competitions. So there are same regulations for everyone doing business with U residents, regardless from where it does, that's an opportunity for EU based organizations. The other thing is content means clarity. So if you have content, then you can act on the data. Sometimes today it's more a gray area. You also need to demonstrate value to your customer to gain content, which is a challenge, but which could also increase custom loyalty. The customer knows what you do with the data and why you need it and what he gets for it. And you also could become when we look at data, portability the target, not only the source with that and some of these sorts I hand over to carnet, we will then do the second part of the presentation and talk about a different content needs of GDPR and PST two carnet it's your turn.
Okay. Thank you, Martin. Welcome everybody. My presentation will be focused on consent in the new world. Martin just described with both GDPR and PSD two, the topic consent is really on the rise specifically around the use and the processing of personal identifiable information. You should have not compared this to the European union cookie legislation, where Martin already mentioned about where you constantly had to approve the use of cookies. Every time you visited a website, consent is something you gave and will last till you withdraw it. And you can extend the purpose of a consent and reduce it. And the company needs to document it. It is as such a real lifecycle topic. Like we have seen an identity and access management in the past with join us movers leaves in the enterprise domain. Now you have consented. Join us movers leaves in the consumer domain, and it requires the same kind of capabilities of the management platform to offer self-service, to give transparency, to keep records, to allow changes. So nothing new in a way, besides it's not really a standard capability of most current identity and access management solutions, but that's going to change because they can't stay away from management as part of it,
GDPR and PSD two already mentioned they have specific consent requirements dictated by law. There are, I have two other topics I want to talk about more market trends that are really strong on consent. That is the internet of things. You may have thought of that before. And it's Uma user managed access, which is a new, new trend or a new standard in a way in the next slide. So we'll go to each of, of these to show where consent is a requirement and where you need to arrange something. So consent in GDPR. Martin already mentioned a couple of points, like show an by statement, clear affirmed action, withdrawal of consent with a GDPR. That's not only the term consent. There's also a very strict definition of what is allowed as consent. And there are many, many exceptions. If a company needs, for instance, your address to send to your home, the book you just ordered, you do not need to ask consent.
As it follows out of the so-called contract of buying a book, it's very clear for a consumer where the address is for, and only for debt purpose and for debt moment, a company can use that address. So what if the company wants to store the address for any further orders, which is convenient also for user, then they need to ask consent as the action of storing the data is a processing activity that is not necessary to execute a current contract, which was buying that specific book. And you don't have any future one yet in place like buying a future book. So they have to ask consent. So here it becomes complicated in a way. Then there's an additional layer of complication when it comes to sensitive data, which can be like religion or race, a company needs to ask so-called explicit consent and explicit in this case means that this choice has to be asked specifically, and that you have to take a separate action, like taking another box to confirm.
So you get a slower response, basically with more tick boxes to get real confirmation. And of course, companies need to, to put that and document it. GDPR also dictates companies need to keep track of all consents given and that you have to take, sorry. So all consents given it should be all of the ball for all of this and transparency for consumers, and you can't ask consent for something you should be freely given. And if not freely given don't deliver a service as a result of it. So you can't basically dictate consent. And then say, if you do not press these buttons, if you do not allow us using this, then we are not gonna enroll you to, to the service, unless in certain cases where you can prove that you need that kind of information, think of birthdates because you are having online media like movies.
And there's an age restriction on that specific movie. And there's a law dictating that, which brings me to the next stopping. You can't ask consent to a child that is under the age of 16 and in some countries, and think the UK are the laws getting to the 12 years old. You really need to ask consent to the parents. So this introduced like more or less parent management or family management in that, in that way. The whole idea of this is from outta the GDPR to give control back to the consumer for the use of his personal data, as it has to stay their data and not for a company to freely use for whatever reason and not protect, protect well at the same time. So like Martin says, it's not enough to just ask consent with a tick box or a cookie. You really need to range a lot more than that.
Then consent in PSD two, just short summary of it, basically because there's a lot around it with PSG two, where financial information is disclosed to third parties, it's close to create a consumer needs to be asked for consent of sharing his financial data. This is very private data. So that does make a lot of sense. Using the data for marketing purposes is also like raising religion in the GDP use case only possible with explicit consent. So it makes it a little bit more difficult. So if you just give consent of using your financial data, you don't give consent of using it for marketing purposes. So without consent you have nothing is really a key topic for PSD two and trusted TPPs third party payment service providers will get easy consent from a consumer then uninterested once. So it's really putting competitive edge to it. And most of the banks have to compete basically with these TPP or become also a TPP in a way.
Then another topic that has a large consent page is basically user managed access Yuma, which is a Canara initiative standard draft standard will play a strong role when it comes to the exchange of personal data between two parties, all under the control of that same consumer, it will further strain the control of consumers over their personal data, and it will make life easier for them. As we all hate to exchange information by hand photocopy and more, we are living in this digital world anyway, and this part exchange of personal information between different legal entities, different companies is still quite immature. So here also for Omar, you have consent and you have to have some consent management taking place. Then the one that is maybe less obvious is O T TDR itself has an impact on, on IOT. And, and we have the thought of that.
Well, think twice, these devices contain a process and process personal data, and they are getting smarting in letting you use the outcome or using the outcome for all kind of decision making, even marketing to lower down the temperature of your house when you're not at home till detecting. If, if it's time to offer you a more suitable subscription on, on something. However, most IOT devices are just not smart enough to communicate difficult consent with the consumer itself. And for GDPR, you have to follow the right steps. No presumed consent for instance, is allowed. This will mean that consent management needs to be outside the device or the device needs to be much smarter. And if outside the device, you have to stay in a kind of trust circle or triangle between the consumer, the device and whatever keeps track of the consent.
So looking at consent and privacy regulation, it's pretty clear. Some things are really must have. If you don't comply, you risk a fine, a substantial fine. Most of these are already mentioned in the presentation of, of Martin. So on an attribute basis per purpose, easily to be to withdraw has to be freely given and specifically looking at the us needs to be opt in, not what I stand, use opt out, but there's also consent functionality that would give the user a better feeling around transparency around privacy and data. And these are more in the nice to have. So mention here, overview of all your consents that you gave possibility to withdraw them at the same place. And a consumer would like to see when the consent is really being used. So in order trail on it, but these are more like nice to have as they are not really regulated. Now that we have seen that consent is getting everywhere. Where should we put consent and consent lifecycle management? Well, our suggestion is as close to, as you can get to the consumer and still protect everything in the proper way, the best way would be to add it to the, my profile base of the consumer itself, because that's where all the personal identify information is extended with consent information, consent controls, preferably in order trail, they can read and understand that system will then be the authoritative source in a way for PI and for consents.
It's important to know that whatever you do with GDPR and or PSD two, and you have to do from a company perspective, the consumer will from 2018 almost be in control if they like it or not. If companies like it or not just be prepared, this is a big change
With all these consents. Are we not getting into the same problems that we had with IM access rights? You're never really fully in control, maybe not as we start pretty Greenfield. Now you have the opportunity to manage the life cycle from the start in a proper way, manage the life cycle of consent, ranging from extending the scope of use to multi value and withdraws let's call that lifecycle management or consent lifecycle management, because that's basically what you are doing around consent or what you should be doing around consent. Now let's go a little bit deeper in how we at ICOM build, build in consent for the GDPR use case, but also for the other examples, in a way multilevel consent per attribute, we created a flexible identity store and attach consent information, right to the source. So you can't lose it. You will keep track of it.
And it's always available for the consumer to view and for the company to use. So how does that look like? So how does the data model looked like? Basically what you see here is there's typically old fashioned golden record where you have things like first name, last name, date of birth could also be access to certain services or products, identification, numbers, and, and, and you name it size of your shoes. So it can be as, as much as can think it's information around the consumer itself, it's profile information, what we had done. And I made in blue, all the consent related things, we add a load of metadata to every attribute. So just a small box that you see here, but it could be a little bit over a hundred items. So on every attribute you have a whole set of metadata talking about expiration date, data classification, when it was last changed, who changed it.
But in this case, in the blue area, where that, that consent, where did the information came from, was consent given together from there was the, the purpose approved. When did you consent it? And specifically when there's also parental control in place, because the child is less than 16, if it is in, in place here and who are the parents that control the consent, if you connect all these metadata to the identity, record, this golden record, then everything is at one place. And if you have everything at one place, you're creating all that context around that data. And you can also enable it through APIs. So you can have policy driven, data management or consent management, or any other APIs directly interfacing with the, the consumer's profile information. And this makes it very strong because everything will be in control and things that are not allowed should not be able to just write things in the, in the golden records.
It will always go through the APIs and it will always be policy based. And then to give access to the consumer, you won't have a UI UX to give that access. So a consumer can log into its profile based and see all this kind of information. You can visualize things like if things came from Facebook, if consent was given, if there's a data retention on it, you name it. And then on the right side, your applications. And of course also our applications in our identity as a service service use this, these APIs in the same way, it's all open. Then how does that look? This is the, my profile base in the bottom side of the privacy base, you will find consents that were given the purpose of it when you accepted it and will give you the possibility to change the consent, even to withdraw the consent. And as you can see, it's on an attribute level base.
And then now we are looking a little bit more deeper into the future. So this is really just an example of timeline. So looking forward to both and IOT things, one we'll see, and this is future look into our product that a timeline can create transparency on where your data is being used. It shows when you approved post or withdraw consent and it'll allow you to immediately intervene if wrong things happen in PSD. Two, one could keep track of what TPPs at that moment with what purpose requesting your classic bank for details on your savings account. So you really have track on what, what is going on it'll show for Uma, what hat hundred is requesting information from the university you went to of course, with your consent, but that was two years ago. So maybe we draw that consent, or you should have made the consent with a, a shorter timeline.
Would you trust a company that is so transparent on the use of your personal data? Question yourself. If you are a company that offers this kind of transparency, would you, if you are the consumer also feel this is more trustworthy because trust is really the key word here. If they trust you, then they're gonna allow to do more service. They're gonna share more of the information with you. You will know more around your customer and for the, for the, for the customer or the consumer in this case, they are back in control and hopefully they will like it. At least I would, but that's the thing that that will be upcoming. And tha thank you very much for listening to this presentation. And because I only got 20 minutes consent from Martin, I pass it back.
Okay. Thank you. Carne. I think you not even fully used sort of what I gave to you. Give me a second to switch over the moderator. Yes. Yeah.
You still have 20 minutes left, so, okay.
So we still have a couple of minutes left and so it's time for the Q and a session right now. We already have a couple of questions here and I'm very open to receive more of these questions. So let's start with this one. So we talked a lot about purpose and what is purpose related to, so it's just saying the entire business, or are more generic things like I use it for marketing purposes or I resell it, or I use it to, to, to manage your user experience or so what is the level of granularity we have to look at purpose. K, could you answer that?
Yeah, it's, it's a good question. And we get it a lot, the thing with purposes, and certainly in the past, they were like the ones, the examples you just mentioned, they were quite vague. So a company could do a lot with it, but that's not well informed. So it's not, it does not fulfill the requirements from the GDPR. So you have to be more precise. What is really the purpose? What's really the processing you will be doing with that data. And if it is for marketing purposes, you should say like, it is for sending you a monthly newsletter. If it's forgiving a better user experiences would say that because of online profile and you will give products that are more in line of their interest. So you have to be a little bit more precise, but yeah, going in very detailed, that will be a little bit too far, but better.
And, and clearly as always with new regulations, there are some gray area.
Exactly. Yeah. We'll find out where that, where that gray area is.
But I think it's very clear that the area is not too big, that gray area. So it will change the way we have to deal this. So this is definitely one of the areas you have to change. Another question in here is, so if you already have data way labeled from your customers. And so I think there are two scenarios to one is clearly you have data collected and you want to another purpose, then you need to consent for it. But what happens with the data you have before had collected before the GDPR becomes effective?
Yeah. You, you can't fully use that data. So the, you can use the data within the context of what was around that contract or the type of business that you've done with, with that consumer. But if there's anything that he could not think of himself, or that was not clear anymore, you have to go through the consent flows again, or you have to go through consent flows. So in a way it's not freely, like if I collected before the GDPR is in, in full force, by the way, it's already in full force now, but it's not enforced. It means you can't just use that for anything. That's not, that's not allowed.
Okay. There are so many questions coming in. Maybe that one fits well to the, to the one thing you, you said is, is there a need to actively trigger the consumers for obtaining the consent?
So, yeah.
Yeah, it is. I would say very simple. Yes, you have to ensure the next time they come back or if they don't come back, you have to inform and say, okay, I want to add that purpose and I need to consent. So there, there are a couple of, I would say a number of things which, which really are around. I think another interesting question I have is here. It appears, so consent is changing from a static to dynamic concept. So how can a company manage numerous consent request programs and through the right consent request, consent is request at the right time and the right context. Yeah. I think this is a very interesting question. So if, particularly, if you have different purposes, different divisions, different different products and services that can become rather complex.
Yeah. And, and it's a given that you will have it certainly when you, when you look at the consumer, being our customer, being, being in your system for a couple of years, no doubt. There will be additional consents you want, you want to ask, and that could be on the same data. So it could be on, on the date birth for instance. So what we've done in our platform is a multi value consent flow. So we have multiple purposes on the same, the same attributes with specific consent with the date consent was given. And we can give that consent through like open ID connect or O out request towards the, the request and web application that you offer to the consumer. So it is at hand basically real time for immediate use by the application itself.
Yeah. I, I think that that's, that's one element. The other thing is I, I think it also goes to the organizational side of how do you deal with that? Well, I, I touched the organization a little and it's very clear. You can't go out and say, I trust let every part, every department do it itself. You need to have a standardized central infrastructure. You should think about what are my sort of enterprise level policies, what are things which are consistent across the entire enterprise? What are the things which are done, not at the enterprise level, but at a regional level or a divisional level. And what are the things which have to be done at the level of an application you need to implement the governance framework for, for that. So how could this framework work look like? Which levels do you have, which control supply, et cetera.
So it's, I, I've only seen it at one customer currently who really thought about it. So we advised them on that. But clearly this is one of the challenges in this context, you need to, to, to understand where is the data who is dealing with it, where is consent required, which other regulations apply? How do you do do it in a, in a consistent way so that you don't ask, for instance, a customer who's using couple of services multiple times for the same consent that also does make any sense. So I think there, there are a number of very interesting things and creating organization on that definitely is one of the, the, the interesting and, and, and important areas here.
Yeah. You, you touched a good point there. So if applica different applications or different departments have different applications to offer to consumers, if they keep track of consents, then the consumer will get multiple consents. But if there's a system in between that basically needs to get that consent, then that system has the overall view of the consents that were already given. So we'll not request the second consent on the same kind of purpose. Yeah. So it's, it's really centralizing this. Like we did with preference management in the past, basically consent management is just another thing. It's a little bit more complicated. It has more of a life cycle, but, and then you have the backend systems. You already mentioned it. You need to really dive into where PII information is, how to keep track of it. If all that information has a purpose on it, if it's from out of contact contract point of view, you can use it so that this is a big exercise on the compliance side too, to the GDPR.
Yeah. And at the end, it's about, I think for, for, for that per aspect and for the aspect of how can you get a complete view of your customer to also for instance, revoke access to, to that data at a certain point of time? I think a very important aspect is you need to have sort of a, a unified view on the consumer identity. So you need something to manage the consumer identity consistently centralized and to manage, to consent around it. Okay. Another question. So we have many questions here, assuming I use a third party data processor is constant transferable, or does it, that's the third party processor to acquire consent by himself as well here, it's important to differentiate. And currently you might add to this between three involved groups of entities might be organizations, might be persons. One is the data S that is the one whose data is collected. That's the one whose data is processed. It might be the customer. Then we have the data processor and we have the, sorry, the data controller. Exactly. The data controller is the one who has to care for the consent. The data processor might be then the one who acts on behalf of the data controller. Correct. I think that's basically the play here. Carney.
Yeah. Correct. And the data subject has to be asked consent by the data controller. And if he uses the processes for that, that's, that's fine, but that's how it's done. So the TPP has to keep track of their own consents and they can't pass consent to another company.
Exactly. Because you give the consent to your data controller to do something
That yeah. And that's the legal entity and it doesn't pass. You can't pass it over to somebody else.
Okay.
Because that would be a data controller and they have to ask the data subject themselves. So you can't just pass through.
Okay. Another question. I think it's one I, I just recently had in another location, but I think it's, it's an important one. So with the Brexit, the U UK still affected when they are not aneu member anymore. And what happens in between again, Corona, you might Azure.
Yeah. Well, Brexit is an interesting topic because you could think that UK doesn't have to comply to the GDPR in 2018, but I mean, it's all over the news. It will take them two years to really end the EU and, and really being loose from all the obligations that they have there. So still 2019, mid 2019, there will be, have to be GDPR compliant. And after that, they, they still need to do business with U consumers and have to have an alike system as the GDPR. So we expect them to have something that is quite similar to that, to make it easier to for their business too, to business with consumers.
And, and I think there are, there are two aspects. The one is what, what about a business with you? Resident data S there, GDPR always will apply regardless whether the UK is in or out for doing business with non UK non-EU residents, the UK will have more flexibility, but to be realistic. And, and if you look at, for instance at Singapore, Singapore also has a very strict data protection law, which is not that far away from, from the GDPR. I think there might be some tendency based on that, that, that we see some sort of standardization at a higher level, because for doing business in certain regions, you will have to comply to very strict laws. And if you can comply with this laws, why, why, why not they doing it sort of right. Everywhere clearly, it's, it's, that's also an interesting point. So if you're doing business in certain regions, you might also need to be flexible and to say, okay, this one, that's the, the rules which apply here.
Here, we have to inform about terms and conditions in a different way than there, which again means you need some sort of a layer approach where you say this is central. This is our baseline, what we do across the entire organization. And that region, we do this part differently. So maybe a little more lax on, on content and other regions, very strict on content. There might be different attributes, which are considered being very sensitive and you need to really create an organization and global, if you're a global organization, you have to have a global concept for dealing with privacy, with customer identity, with all the related stuff. Then also, I think goes back to another question which came in. So con central concept management or siloed one, how does a good approach look like? So I think I just gave Matthias or Connie. You might want to add here.
Yeah. The same answer basically. It's you can't go for a silo approach. It will hurt not only you, but also the consumer itself. So I wouldn't go for a siloed approach, but look for a central one.
Yeah. And not only look at it from a technical perspective, you have to understand who who's in charge of what and that. So think about the organizational aspect. Think about governance, create a consumer identity and sort of consumer data, consumer privacy governance approach define the controls and all that stuff. So we have still a couple of questions left, open. What I propose is we take one, one last question. If you have more questions, just enter them. And we might then respond to the questions, particularly ones we didn't answer, but maybe more depth on some of the questions we had here. We might respond to them in a, in a blog post. We will publish at our website and maybe I welcome website as well within the next couple of days. So the final question I'd like to take here is in what area of it also something we already discussed shortly, but not really in depth does constant management follow. So is it more, a CRM thing is it's an identity management thing. Is it master data management for all the various, whereas for, so, so for creating one combined view in the consumer, so what is the right way to look at it?
Yeah. How we look at it is that you have to be close to the consumer because of the, the GDPR. He has to change his information, withdraw it, transport it, et cetera. So the data has to be anywhere close to the consumer. If you put consent in, in one of the systems that are more in the back, like an MDM, then it's not that easy to open that up for a consumer to change it. So, but it's not undoable to put it there. I would say closer to the consumer and a cm solution or a like would be a good, good place to, to do it.
Yeah. And you should understand how this cm solution interfaces to your sort of enterprise or employee IM for all the systems to hold some of the data or which might be accessed directly or indirectly as well. So look at it also from a bigger picture, created bigger picture created strategy. So as I've said, we have a couple of questions left. We will cover these questions in the block post. Right now, we are close to the top of the hour. So I'd like to thank you very much to all the attendees of this webinar. Thank you very much Carney for your presentation. I hope it was very interesting to you. There will be more events and don't miss the European identity and cloud conference where GDPR also will play a very important role in the agenda. Thank you.
Stay Connected
Related Videos
How can we help you