Data Management, Privacy & Security Done Right

Due to the requirements in GDPR, IAM professionals can no longer accept to use production data in development and test environments, which has been a common practice for many years. The presentation will focus on the GDPR requirements regarding anonymization or pseudonymization of production data, and discuss why this is almost impossible to do in IAM projects. Testing IAM solutions and cleaning data is an integral part of the presentation.

Key takeaways:

What you are doing today is properly not GDPR compliant
You will understand the complexity in testing IAM solutions
You will understand some of the possible safeguards

Privacy has become a global concern, with regulations such as GDPR coming into effect. In this context, e-commerce businesses that operate globally cannot simply adopt data protection regulations of a single country/region. Supporting each and every regulation as they emerge is challenging and greatly increases the maintenance cost. Furthermore, these kinds of regular modifications can lead to poor customer experiences.
Leveraging well-known privacy by design principles into your system design strategy is a long-term and sustainable solution for most of these privacy challenges. Once these principles are adopted, it is possible to achieve each individual privacy regulation compliance easily with minimum time and effort. This talk introduces a number of well-known privacy by design principles and explores how they implemented in real world scenarios. This talk also highlights the benefits of each of these principles with potential implications.

In the context of a high-level system architecture, separating personal and security data from other business and operational data is one of the core principles. The responsibility of managing personal and security data can be delegated to a specific module or dedicated IAM solution, as other components request for personal data in an on-demand and transient manner - usually through standard security tokens such as OpenID Connect, SAML or JWT token.

Once personal and security data are isolated from other systems, it is possible apply set of security and privacy best practices. These include data minimization when capturing and storing data, data anonymization when storing, pseudonymization during strong, the use of a system-generated ID during data sharing, encryption before storing, and storing hashes instead of the original value.

Design and providing a user-centric experience are also key design principles. For example, all data processing activities have to be transparent for users and they need to be informed of these activities. Usually these activities require clear and active consent from users. Systems should facilitate to review and revoke previously given consent. Systems should also provide means to modify or remove user profiles by themselves. The adoption of strong and adaptive authentication mechanisms, use of up-to-date cryptographic algorithms, and libraries also help to improve end-to-end security of the system.

Key takeaways:

- Why you should invest and focus more on Privacy By Design (PbD) than individual privacy standards
- Assess the impact of each Privacy By Design (PbD) principle
- Learn proven industry level best practices to embody Privacy By Design (PbD) principles into your system design