Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar: GDPR as opportunity to build trusted relationships with consumers. The GDPR clock is ticking: May 25th, 2018. This webinar is supported by ForgeRock. The speakers today are me, Martin Kuppinger, I'm founder and principal analyst at KuppingerCole. And we have with us Dr.
Karsten Kinast, who is a fellow analyst at KuppingerCole and runs a law firm in the IT law area, and Eve Maler, who is the vice president innovation and emerging technology at ForgeRock. Before we start and dive into the topic, some housekeeping information, some general information about KuppingerCole and a quick look at the agenda. So let's start with that. KuppingerCole was founded back in 2004. We are an independent analyst organization and have people more or less across the world.
So we have people in the US and Australia, and we are headquartered in Germany and have a couple of people in various European countries.
We offer neutral advice and expertise in various areas. So we started in the identity and access management space. We do a lot around information security, around governance, risk and compliance, but in fact all areas concerning the digital transformation. Our business areas are research, so we provide various types of research, including our Leadership Compasses, which provide a comparison of vendors and their offerings in a certain market segment.
We do events; I'll talk about this in a minute. And we do advisory. So we don't do any implementation, but we do vendor decision making, we do roadmap advisory, maturity assessments and audit stuff.
Regarding events, we have two, in fact four, events upcoming. One is the European Identity and Cloud Conference, to be held in May again in Munich, which is the lead conference around identity and information security in Europe. And then we will do another one, the Consumer Identity World tour, which will run in three locations: one is Singapore,
one is Seattle and one is Paris, starting in August, and the final one in November 2017. So this is what we have planned as the larger conferences. Clearly we also do a lot of webinars and all the other stuff. Some guidelines for the webinar today: you are muted centrally, so you don't have to mute yourself; we are controlling this. We will record the webinar and the recording will be available tomorrow. And there will be a Q&A session at the end, but you can enter questions at any time.
So there's a questions feature in the GoToWebinar control panel, which is usually at the right side of your screen, where you can enter questions. The more questions we have, the more interesting the Q&A session will be. That leads me directly to the agenda. So in the first part, Karsten and I will talk about the impact of GDPR and why you should prepare now, with Karsten in particular providing a brief insight into what data protection by design and accountability means under the new law and the requirements to demonstrate GDPR compliance.
Then in the second part, Eve Maler will take over and she'll talk about the impact of GDPR and the five golden rules for marrying GDPR and customer identity, to turn this sort of negative thing, a regulation, into a business success. And I strongly believe in it; it'll be sort of the red line. I strongly believe that there's a great opportunity in using this GDPR thing to change the way you're interfacing with your customer in a positive way. So this will be the main theme of today. As I've said, afterwards we'll do the Q&A.
And with that, I hand over for the first slide to Karsten, who will look at the overview and history of GDPR. So Karsten, it's your turn.
Thank you very much, Martin. Good day, good afternoon, everyone. Yeah, as stated before, I want to give you some introduction and overview and history of the GDPR. Data protection in parts of Europe and California actually has been around since the seventies and eighties; data protection didn't come up from one day to the other. It took a long while, almost until the year 2000, when the predecessor of the GDPR, the EU directive, came into place.
And even though back then the EU thought that a harmonization of data protection laws that had developed before, at least slightly, in different places in the European Union, even though they thought they would harmonize all of that, that was not sufficient. We had EU member states' own data protection laws, and those were pretty different. This is why some of the European countries are supposed to have stricter laws than others, even though the EU directive is the one and only source of all of those laws.
This is one of the reasons the EU started to discuss a new umbrella agreement on data protection, which is the GDPR, after several years of discussions amongst the different bodies of the EU institutions, and a greater importance of data protection for the businesses, with authorities being more watchful in the last years. Now we are in the phase in which we have 435 days to go; we are in the phase of the two-year implementation period.
So the GDPR, as the new understanding, the common understanding of data protection throughout Europe, has not come into force and will not have to be safeguarded until the 25th of May 2018. Still, we will have national laws. So each and every jurisdiction in Europe will add to the whole picture. There will be differences, as we have differences today in the understanding of data protection, but those will be slight ones.
The major understanding will be the very same. The authorities will therefore be very comparable in their decisions, companies will be very comparable, and their activities in data protection should therefore also be the same throughout the whole EEA at least. We will hear about the scope of applicability in a second; even beyond the EU borders and the EEA borders there might be applicability for the GDPR, but for the EU members, definitely, the GDPR will be applicable. And the harmonization, finally, at least is supposed to be reached.
We will see whether there will be authorities on a national level seeing things slightly differently than neighbor countries, or so. Also we will probably see a rising importance of the EU data protection commissioner, who today is more a political figure, and in the future will give out a lot of guidelines together with what is today called the Article 29 group, and in the future will be the group of EU data protection officers, having political powers to implement a red line in the understanding of the GDPR and like this founding a common understanding of the GDPR on the EU level.
So now Martin will introduce you to the scope of applicability.
Yes, thank you, Karsten. And I think this is what really is the major change of GDPR. So for EU businesses, GDPR is directly applicable to what we call data controllers and data processors. So data controllers are sort of the ones who control what happens with data, who are, so to say, the owners; and processors are the ones who are processing the data. But there's also an extra effect for non-EU data controllers and processors if it's about offerings of goods or services to individuals.
So to data subjects located in the EU, or the monitoring of their behavior. It's not limited to offerings that require a payment from the individual. So it's not limited.
In fact, it is everything you do with what is called the data subject, so the ones whose data is used, if he resides or is located in the EU. Which means, in fact, the GDPR applies if you want to do business in the EU, not only paid business, but any type of business.
So also where you, so to say, pay with your personal data, then the GDPR applies. So I'd like to start with a high-level overview of a few aspects around the impact of the EU GDPR before Karsten then goes into detail, and so give you just some initial thoughts.
And then Karsten will spend the next 10 to 15 minutes going into detail. So unless another legal basis is in place, so for instance a contract, terms and conditions, etc., consent is required prior to processing personal data. So you need consent first. And this consent has to be freely given, informed and unambiguous, and it needs to consist of clear statements or affirmative actions. Simply said, having a notification on your website, "this website uses cookies", and then yes, no, or okay, will not be sufficient anymore. So it's about clear statements.
It's about informed and all the other stuff here, and there's consent per purpose, which might also be revoked.
So it's not that you give consent once and say, okay, use my data and do what you want. But it's about informing about a purpose and giving consent per purpose, and the ability for an individual to revoke for an individual purpose at a certain point of time. There will be the need for data protection officers, which can be external, but they are required in some countries. If you already have them, then it's simpler; in other countries you will need them under certain circumstances.
You will also need to go through data protection impact assessments. This is in particular, for instance, for surveillance of public places, for highly sensitive data, certain areas.
So in some cases you will need to undergo a regular assessment beyond just having a DPO. Data breach notifications within 72 hours: so for instance, Germany already has something around breach notification, but the 72 hours is something which is really tough, because it means you need to be prepared. If something happens and you're not prepared, you might fail in providing a good answer to the public and to the authorities within the 72 hours. Prepare for it.
There are massive data control rights, such as the right to be forgotten, the right to freeze data processing, the right to export data and to edit it, which is, by the way, technically seen, very, very interesting. So if you have the personal data distributed across 20 different databases, it'll make your life less difficult. So it's also about how do you manage the data? How does your data model look like? How can you really enforce this? And then there's the need for privacy by default and by design, which becomes mandatory.
So after this high-level overview, I hand back to Karsten, who will right now go into detail on various of these points.
Let me start with giving you some details on the requirements for obtaining a valid consent. Martin was already pointing out that a consent has to be freely given, and it has to be informed and so on. It's important that it's not only freely given; it must be specific. So the purpose of whatever is supposed to be done with the personal information must be clearly defined. A consent may never be a valid implicit consent if it's not an informed consent.
So transparency and information of what the purpose is, what happens to the information, and what's the aim of using it, maybe even beyond the expectable purpose, is important to inform about, as otherwise we will never be able to talk about an informed consent. And a non-informed or not sufficiently informed consent is, in a legal sense, not a consent. The proof of consent is even more important than it is today under the major jurisdictions in Europe.
Because today we are working with sometimes opt-out, we are working with opt-in or double opt-ins, even, depending on the member state we are in. Having an opt-out, for example, makes it pretty difficult to have a proof of consent. Understanding this, working with an opt-out in the future will be difficult. A proof of consent can only be provided if there is an explicit consent. So opting out is not an option anymore; otherwise there will be no proof of consent. And if there is no proof, there is no consent.
A lot of jurisdictions ask for written consent, and certainly in the digital environment this is not possible to exercise. However, everyone must be clear that it's not the default setting to have a digital consent. So the proof must be up to whatever you can bring up. It must be very clear in the question of when the consent was given and which kind of information was provided before the consent was given. Also, the customer or any other third party that gives you consent shall give consent explicitly for each processing operation.
Especially if you have various processing operations for different purposes, it's important to have different consents. If you have a newsletter, that's worth its own consent. If you have a customer and are using the information for another purpose than sending a newsletter, you might want to have a different consent.
Again, an informed consent with an explanation prior to gathering the consent. But don't get me wrong.
The GDPR doesn't ask for a consent at all times; there might be a different legal basis. There might be, for example, any legal provision, so any kind of law that explicitly states that for a certain action, for a certain purpose, under certain circumstances, it is okay to use the information. Then you may work and go ahead without having gathered a consent. Actually, it's even the first thing we all should look upon. A consent is something you don't want to work upon if you don't need to.
If you find a law, if you find any regulation, especially in the GDPR or in any of your local jurisdictions or beyond, or in a contract with the customer, where there is some justification for the working with personal information, then don't even touch the consent. The consent may be withdrawn at all times without any reason, and like this may weaken your position as someone wanting to work with information.
So I would always look for a justification in law or contract, which in many more cases than expected is the case.
So it's just a question of finding those in the GDPR. And this is nothing I could list up; it's always depending on the case. For the processing of customer data, the consent is required for the use of cookies, for example. We have the ePrivacy directive upcoming; there was a new draft. We will see if the GDPR will remain the applicable law for this, or if the ePrivacy directive eventually will take over for the cookie consent and bring up some new rules. But in general, wherever this requirement arises from, if you want to set cookies, you need a consent.
And this is something you can do via terms and conditions or data protection rules placed on your website. And that in the future also will be the case.
Next slide, please. We have the requirement to appoint a data protection officer. Many people believe that in countries such as Germany, where the data protection officer is something that has been around for a very long time, data protection is stricter.
I think it's being more discussed, but not necessarily stricter; the laws, as they all derive, as I said in the beginning, from the same EU laws, are not that different. But certainly the data protection officer is a figure that brings up a lot of discussions around data protection, as is its job. It's a neutral figure. It's an extended arm of the authority, and it's someone that has to be appointed and paid by the company, if the local jurisdiction requires it. And this is one of the exceptions: the GDPR doesn't explain for all cases when this is necessary.
If the local jurisdiction has a data protection officer as necessary, the obligations and requirements that are the same in all EU member states are the following. You need to have a data protection officer if the controller is a public authority, or if it's a private or a public one working with sensitive data at a large scale, whatever that means; we don't know yet. It might be a large number of data sets, it might be a very sensitive level of information. Whatever a large scale may be, this is something we will have to learn and be told by the authorities until May 2018.
Also a DPO would have to be named if there is systematic monitoring taking place, maybe on customers, maybe on employees, maybe on vendors or whomever. Also, as mentioned, a member state may decide there is a duty, for example if you have a certain number of employees in your company. We're waiting for the local laws yet to be published.
There have been some leaks and discussions, but most of the local laws in the European countries are not yet up to speed. They have been heavily criticized, maybe in Germany or other countries.
And we are expecting a pretty tremendous change of the wordings in comparison to the existing drafts. So we don't know yet which member states will require a DPO for sure, but from the discussions around the GDPR we can be sure that countries such as Austria or Germany or Hungary, and some others, will definitely ask for it. And from the discussion also we understand that probably the UK will not ask for a DPO. Talking about the UK and the Brexit:
the UK has decided to move on with the GDPR. Certainly the Brexit will not take place before the 25th of May 2018; as such, it will have to implement the GDPR anyhow.
And in order to do trades with Europe, the rest of Europe or the remaining member states, so to say, there needs to be a GDPR, obviously, or at least it offers a lot of positive aspects. So that is a very clear decision: the UK will certainly adhere to the GDPR. There is a possibility to appoint a DPO for a group of companies.
We had that possibility before, and it will be entering into the business reality more and more, I believe, as in the past it was something you had locally, for example in Germany; in the future many countries will need a DPO. And also there will have to be a representative: if you're a US-based company and aiming at the European market, there needs to be a representative, and this could be the DPO at the same time. Next slide, please.
We have the data protection impact assessment, which was mentioned; it actually is a UK commissioner's invention. And the data protection impact assessment is something that actually asks for some larger procedure before implementing an IT system in any company.
This is something that wasn't addressed as explicitly as in the GDPR under the current regime of data protection laws. So in the future that will have to go on a lot. It's not going to be in the future
like, okay, listen, we implemented this tool yesterday, what will you need, your data protection officer?
No, it's not going to be that way, because the DPO needs to sign that everything is fine. It needs to check on all the major ideas of the GDPR, such as privacy by design and others. So the DPIA is required if sensitive data is processed, or if a systematic surveillance or profiling takes place.
And again, what is sensitive data? Of course there's a definition, but sensitive data might be understood even in a wider sense, wider than the explicit definition such as health information or religious information.
And even if a company doesn't work with that, we see that according to the nature, the scope and the purpose of the processing operation there also might be a duty to have a DPIA carried out, despite the fact you might not be working with sensitive data in the sense of the law, say health data, for example.
So I understand, and I think I'm by far not the only one to understand it that way, that DPIAs need to be carried out with every procedure or system. A procedure might be a non-IT driven procedure, handling data in a different way than with a system, for example with a video system, a very simple local video system; it might not be very much computerized at times. All of those procedures and IT systems should be subject to DPIAs in the future.
If in doubt, I would always have that in place and installed, because otherwise there is always a risk of the authority asking for a seizure. Next slide. Okay.
Karsten, you have to speed up a little.
Yes. Thanks for reminding me.
Actually, this is just for showing that this is not easy. I don't want to go through all this on slide 13; the DPIA, at least to my understanding, would at least be those eight steps.
So, you know, this is nothing that you would do from one day to the next. The next slide shows that we have some other key points, which is the management of data breaches, the 72 hours that are in the GDPR as a timeline for informing the authority. It's important to understand that notification to customers at the same time is required. So, as Martin stated, you need to be prepared. And this is why I suggest to have DPIAs in place, because only if you know what kind of systems you have in place will you be able to handle data breaches accordingly. Right to be forgotten.
And also other kinds of data controls is something that is important to understand. Each customer or even non-customer, every individual on this earth, may ask you: do we have information about me? And you will turn all nervous if you don't, because you believe there must be a reason for asking, but there must not be; it can be any third person or even a customer. And then you wonder if you have erased all the information that you should have erased, because you might still have information about this customer which you might not be supposed to have, and then it's getting difficult.
So it's important, in order to work with those right-to-be-forgotten rules, to have a systematic approach on the right of erasure in place. And I think this is the most important point, because there won't be tons of people asking you, but one can be enough to kill your system because you're not able to give the answer requested, or your answers are against the law.
What to do? Not giving the answers is against the law; not giving appropriate answers is against the law as well.
So this is something which is really important to understand for the organizational part of the whole GDPR issue. Then on slide 15 we have information on the technical and organizational security measures. There, not a lot has changed. There will be a little more documentation required, but this is something everyone that has been working with data protection so far already knows. On slide 16 we have the key buzzwords that are heard everywhere: data protection by design and data protection by default. Basically, those are new terms for things that have existed almost all over Europe.
Data protection by design means that a tool must be set up in a way that it's compliant with the GDPR. So if a tool is not able to erase information, even though that's requested by the GDPR, of course data protection by design standards are not lived up to, and that's for the vendor of the software a non-compliance, and certainly he might be held liable for this. Then data protection by default implies that only personal data which is necessary for the given purpose shall be persisted. This is something we had before in most jurisdictions throughout Europe.
So you may not use the data that you have just because you have it. You may only use the data that you have if you know the purpose is acceptable in front of the GDPR. I hand back over to Martin.
Okay. Yeah.
Thank you, Karsten. And you'll be back in a minute. So I think an interesting question is: how big is the real impact of EU GDPR for an organization? And I think you can look at various points. So if you already have strong privacy regulations you have to comply with, the step to GDPR might be far easier for you. Do you have to deal with one purpose or with multiple, ever-changing purposes? So if it's one purpose, consent is simple. If it's multiple purposes, consent is more difficult. If you want to add purposes over time, then you have to look at this in more detail.
You have to look very much at what the customer experience of that is. What does it mean for the customer? How do you sort of include or sell the new purpose to the customer without the customer saying, okay, then I'd better remove all my consent?
Do you have a DPO in place or not? If you have, it's easier. There might be some country-specific exemptions, as touched on already. It'll be interesting to see which exemptions pop up.
And it'll be also interesting to see which of them will survive the first lawsuits, because there might be some countries who will try to weaken the GDPR, but it's very likely that the European Court of Justice says, okay, no, that's not the way you can do it. It will be interesting over the first time, but clearly things will go up. And another point is very important: are you technically really able to support requirements such as the right to be forgotten or consent per purpose? What is the data model? I touched on this before; this can be extremely challenging.
Karsten stressed that you have to ensure that you can delete all the PII of someone if he requests it. Can you technically do it? Does the data model allow it? Really challenging area. Is security by design in place, etc.? Some interesting questions. So the impact might be bigger, it might be lower, but in some of these areas, so if you have to change your data model, then it's really the very latest time to start. So Karsten will quickly touch on what happens if you don't comply.
Well, this is kind of the marketing part for the GDPR.
And I hate to always come back to it, because it's something very evident: it's about money. And this is why all of this has been so broadly discussed. We find some sanctions that are way beyond what we have today.
Today, in most of the European countries, we don't have more than 300,000 euros per breach. And also we have understaffed data protection authorities. In the future, a lot of the authorities will be able to keep some of the money they are gathering through their fines, and that's a completely different situation to today, when they receive just some of the budget from wherever and they have to really work with it. They are kind of bound to their own success in the future. And that makes it more attractive to raise the fines as it is possible in front of the GDPR.
So we have, as a maximum, of course, the 4% of the annual worldwide turnover of a group or 20 million euro, whichever is greater. And the European Commission was asked if they really meant this. And they said, yes, we do mean it, and if a group or companies will be extinct due to this rule, this is what we mean to have, because this needs to be safeguarded much more than before, and people need to finally take it seriously. The fine will be imposed.
If any of the processing principles that I was mentioning is infringed, of course not to the maximum fine that I mentioned, but certainly there will be a catalog or so, not in the law but in practice. If you have international data transfer without a legal basis, that is something that might be fined.
Having the data subjects' rights violated is not a good idea.
So, having mentioned that anyone may ask you for an answer, it's important to do that and to do it in time, because both aspects may lead to a fine. The infringement of the obligations as a data controller and data processor, meaning the technical and organizational measures, having those updated and documented and at hand if someone asks for it, that's the duty to do so; that's, again, something that might lead to a fine. The last example we have, which is evident, is any other non-compliance which results in a risk for the rights of the data subject, which covers data protection issues.
Okay, perfect, Karsten. So with that, we hand over to Eve for the second part. Eve, I will make you the moderator right now, and it's your turn.
Thank you so much for this opportunity to speak with everybody.
I, I think you guys have said some really important things about how the general data protection regulation is actually changing the conversation for everybody. You know, so I represent for drop, which is a commercial open source, comprehensive identity platform that strategically takes care of identities for external populations, for organizations. So whether it's customers, consumers, patients, citizens, and, you know, we are, we organizations are not the bosses of those people.
And so the funny thing is about a month and a half ago, we, we, the world celebrated data, privacy day, data protection day, the January 28th. And one of the questions I always ask as that day rolls around, we've been sort of celebrating that day for, for some years now, did anything get materially better since the previous year? Because change is a constant, you know, we've got digital innovation working after everyone's trying to get customer insights, they're trying to comply better.
You know, we're looking for better trust relationships. And, you know, oftentimes we just don't see anything change in the world of privacy. And I don't see that anything is really changed yet, but here's this regulation GDPR that's actually strangely forcing the conversation in a, in a positive direction. So general data protection regulation is not just about data protection. We see elements of data, portability, data transparency, data control for individuals, for data subjects. And that's actually kind of weirdly exciting.
So the first thing I wanna do is in, in introduce you to rule number one of five that I wanna present to everybody here, the first thing we need to do is actually identify intersections between the digital transformation opportunities that our organizations have and the user trust risks that we are faced with. And this is really kind of a, a problem of stakeholders and all the different stakeholders within our organizations.
So, you know, digital transformation is something that's been going on for a long time. And, and the challenges that every organization, even if you make outdoor clothing is, is really about digital it's, it's not just about atoms things made of atoms it's things made of bits.
Our, we panelists were just talking about skiing and snow snowboarding earlier. And of course now there's smart shirts and smart socks and smart soccer balls, and, you know, all kinds of smart devices to help us do sports.
So, you know, our supply chain partners, we're integrating with our organizations with APIs for, for a long time. Now our it organizations have been off paper long, long time ago, and many of our users have been expecting to engage digitally with us in really key ways.
And, you know, what are the privacy and the consent challenges in doing that to build lasting, trusted digital relationships with those individuals in whatever role they may be. All of the different stakeholders actually need to meet in the middle.
And, and that's, you know, it's, it's been a tough proposition till now. And the question is, how can we make that easier? So the risk perspective that I think we've, we've just had kind of an Eyeful and an earful of looks like this. And these are, these are some quotes from the preamble of GDPR consent should not be regarded as freely given if the data subject has no genuine or free choice, or is unable to refuse or withdraw consent with that detriment.
So these are, you know, these are aspirational statements that have been turned operational by a lot of the rest of GDPR.
And it talks here about cases of where there's a clear imbalance between the data subject and the data controller. And this has been made real by the rest of GDPR. So that's the, the, the stakeholders in that that, you know, I have to do the care and feeding of this would be privacy leads, DPOs, big data leads, security leads. And then we have the business perspective where you see, you know, digital transformation leads in a lot of cases, external facing identity leads, customer experience leads who see personal data as an asset, which gets tricky in this environment.
Our customers' wishes have value. And then in more aspirational settings and really innovative settings, you see that our customers have their own reasons to share and not share and mash up data, which now looks like innovative flows that we can add to our products.
And I'll show you some examples in a moment. So with all these consumers, customers, citizens, and patients, you've got to blend these and somehow meet in the middle. So I'll share with you some ways that it's now becoming possible to do that.
So diving into these challenges of meeting in the middle, you've got end users who are, let's face it, increasingly mistrustful, but still demanding in so many other ways. So famously we're now in the post-Snowden era, and day by day it gets worse. We have new WikiLeaks dumps where we learn more and more about how bad things are: smart TVs spying on us, which we thought would put you in a crazy house, which leads to things that, you know, a few years ago wouldn't have happened.
But now do. Like, you know, day one, December 14th, pretty recently, we have Evernote saying, oh, guess what?
Evernote's privacy policy lets its employees do this. Day two, December 15th, guess what? There's a walk-back. Now, it wasn't a complete walk-back, but there was an outcry. And why you see that is because people expect immediate response. And so many of these services are fairly commoditized. They have fairly low switching costs.
You can go to other services that are willing to pick up the slack where Evernote is not responsive. But at the same time, everybody is expecting an omnichannel experience, and they expect these services to just live up to their highest demands in terms of doing a lot of things with a lot of data shared behind the scenes.
So yes, customers and consumers want it all. They want it now. They want it free, and they want it private. So this is a big challenge for businesses to solve.
Now, behind the scenes, any one organization has to solve other challenges. Technologically, they need to achieve what I'm calling escape velocity here with their innovation strategy, with technologies that are new on the scene and that give us big trust questions around what they're doing: with APIs, with new technologies like containerization, with microservices, which give us questions about how identity and security and privacy context are being exchanged between microservices.
These are questions that are unanswered. And with the Internet of Things, where you've got constrained interfaces, which bring up questions, by the way, about how you do consent. It's not always the case that there's a smart mobile app to let you pick up the slack for that constrained interface. How do you consent? How do you withdraw consent? How do you manage what you consented to when you've got, you know, some sort of weird beacon on a wall? It's not always obvious how you trust that relationship.
So those are challenging.
And then we've got blockchain, and blockchain is such a huge topic. And when it comes to blockchain, actually, there are a lot of people working on, for example, blockchain identity solutions, which are trying to positively affect the trust equation for people, for individuals. It's unclear how those are actually coming out. By the way, blockchain is so omnipresent in the conversations that I actually invented a drinking game, which is simply that when somebody mentions blockchain, you drink, and depending where you are in the world right now, it may be appropriate for a martini or not.
So do as you see fit right now. And of course you have to do all this on a budget, if you're trying to, you know, take care of your innovation strategy with all these new technologies and figure out how it works. And then finally that risk context, more specifically: okay, if you're a risk lead, if you've just been appointed DPO, if you're a chief privacy officer, if you're a big data lead, you're facing dealing with the data lake and toxic data; you see APIs and the Internet of Things and cloud.
And what you see is, oh my gosh, this is all Swiss cheese.
And it has a lot of holes and everything's leaking, and this is terrible. And the big strategy is, and I apologize to Carsten and everybody else who's having to, you know, play this game,
it's the game of keeping your chief financial officer out of jail, I suppose. It's battling all those who are eager to, you know, provide the services.
It's, you know, it can feel opposed all the time. And there's not just GDPR. It's the Payment Services Directive 2, which by the way goes into effect in January of 2018. For those in the US who are also subject to GDPR, it's also HIPAA and a whole bunch of other, you know, individual state regulations, and there are, you know, many other jurisdictions. So it's constant and sometimes ratcheting up.
It's also leaping ahead. So it's constant.
So with that context, I want to present to you rule number two, which is, you know, risk leads already know this, but other stakeholders who are on the business side of the equation, I want to suggest that you need to take this on as a philosophy, which is: conceive of personal data as a joint asset. It's not just the data subject's.
Well, GDPR really does conceive of personal data as the data subject's asset. Carsten has taught me this. Data controllers do have to take this on as an asset, but so, privacy pros already do this, but business owners need to redesign your strategy for this, because it sets you up for success in every way.
It's not that this is just good for compliance, although it is protective of compliance because the regulations keep changing and growing, but this will allow you to gain more insight into user needs and into the relationships that they have with others, which would have been dark to you otherwise.
So it basically lets you embrace the philosophical outlook that lets you put into place the systems that allow for privacy by design, data protection by design, and data protection by default, so that you're not looking askance at them, so that you embrace them.
So with that, I want to share with you technical ways in which you can achieve this goal, because you need tools that are actually up to the task and have a cohesive approach. So I want to share with you just a holistic, high-level view of the ForgeRock Identity Platform, you know, how can ForgeRock help. So the first thing you really need to do is to have a clarification and unification of identity data for basic protection. And so you can see this as a single view of the individual, the consumer, whatever that role is.
And so the basic features that we offer in this respect, the core, would be lifecycle management of each user profile and their data sharing preferences, secure storage of that data, anonymized synchronization of that profile data, and a connector-based approach for integration with any of the third-party systems you need, and then features for attending to data residency, and then fractional replication,
so that the data doesn't have to reside everywhere in every data center in the world.
So that's the core. A wrapper around that core is the ability to give the consumer a single view of their consents. And so some detail on this is the ability to capture what terms of service and what privacy policies each individual has consented to at both registration time, so when you've onboarded a person, and potentially each time they might have interacted with a system.
So every authentication time, potentially every sort of authorization time where they've authenticated in maybe a step-up flow, and I'm pointing out social and federated login sign-in time here and social registration time, where you've got, like, you know, login with these various social identity providers, because there's an underappreciated, I think, part of GDPR where it kind of goes unremarked, at least that I've seen: data quality and data accuracy are two things that GDPR talks about.
And I've noticed that federated identity patterns and API-fed sources of data are essentially distributed single sources of truth. So in other words, you're thinking of caching data that you've gotten from elsewhere instead of long-term sourcing of data and then just storing it yourself. And when you do that, you're basically ensuring that the data is better quality, because you got it from elsewhere, from a source of truth. And you're ensuring that the data is higher quality and better and more accurate. And so federated identity data is more accurate and higher quality.
And I just haven't seen that remarked upon.
And then finally, an outer ring of that core is giving the consumer control over their consents. And to that end, features that this platform has include standardized, interoperable, user-driven, proactive and reactive sharing flows. And I'll show you more about that in just a moment. What we're saying is it's not just data protection, it's not just data transparency, it's data control. So I want to share with you rule number three: data is not pure secrecy. We're talking about mediated flows of digital data here.
Privacy cannot just be an encryption tool. First of all, encryption can be broken, and we have to have layers of technology and policy. Privacy is context, control, choice, and respect.
And what we mean by that is you've got to have a holistic approach to how you treat all of the individuals with which you interact. It really is about a trusted digital relationship.
In fact, if you look at who GDPR applies to, you're looking at not just employers of EU people; you're looking at even organizations around the world who have an interaction, a relationship, with people residing in the EU. So what that means is it's where either end of a trust relationship is in the EU, or both. So here are some examples of work we're doing right now around constraining and shaping personal data sharing episodes.
One is an IoT consumer and clinical health data sharing relationship where patients can selectively share data coming off of a smart scale with doctors and other caregivers. This looks a little bit like Google Apps.
And so the patient view might be all of the data that's coming off of the scale in a streaming fashion. The doctor view is only some of the data, based on a sharing of only some of the data, in an interface that might look like this.
This is a real-life example that we're working on now, a proactive kind of flow in this case. A second, maybe similar, example that we're working on with the New Zealand government, where an elderly person, maybe in a vulnerable population, wants to share with her adult son the ability to refill prescriptions and possibly get alerts off of a smart blood glucose monitor if her blood sugar gets too low. I'll make some larger text here: the data coming off of that smart device. So these are real examples that we're working on currently in a POC.
And of course this data might be shareable with many others, could be shareable for different purposes, for example in clinical research or public health purposes. So again, those would require different consents for different purposes in a GDPR context. And then here's a banking example where you might want to share data.
Of course, with open banking, the Open Banking project in the UK could be relevant, where in this case you're sharing bank customers' account data and transactions with an accountant. For purposes in open banking, you might want to share this data for shopping-around purposes to get a better deal.
So a key consent technology, consent tech we call it, behind this is User-Managed Access, which is a standard, UMA.
I won't spend much time on the architecture here, but you can think of it as federated authorization pairing with federated identity. Rule four, following on to the last, is lean in to consent. When you aren't bound by some other regulatory reason, as Carsten was explaining, to give access or disclose data, don't be afraid to defer control to your users.
I mean, you can't be afraid regulatorily, and we're starting to have, if not a bright line, because of all the reasons why Carsten couldn't list those reasons.
In fact, it's important for your digital trust relationship to be clear about why not to ask for consent, because it would destroy a trust relationship to ask for consent and then have somebody turn you down and say, no, I do not consent, and then have to disclose data anyway.
So that's a reason to be sure about your legal reasons not to ask for it. But this is the reason why you should have an ability to have consent lifecycle management, to make it as easy to withdraw consent as to give it. And deferring control to your users means really enabling micro-consent for your users, because that's what GDPR actually demands, not to put too fine a point on it. So the way to interpret those, the core and those layers, is: the single view of the consumer is really more about your protection than theirs.
You get a C plus for trust.
Your grade is a C plus for the trust relationships you build if you can do that. If you can give your consumers a single view of their consents, we'll give you a B minus for trust. Transparency is a really good start, but giving the consumer control over their consents will actually give you an A plus for trust, because at that point the trusted digital relationship is effectively bilateral. You're authenticating them, you're authorizing them, you've gotten a 360-degree view of them. You need to give them a 360-degree view of what you're doing with their data.
Once you've done that, you've established bilaterally what it is you mean to them and what they mean to you. So rule five is simply: trusted digital relationships with your users are yours to lose.
Thank you very much for your presentation and the insight, and also the consequence and the technical background. So I'll make me presenter again, and then we can directly move to the Q&A session. So it's the latest time right now to enter your questions so that we can answer them. We already have a couple of questions here. I think the first question, which is a very interesting one:
What about email management, where you can receive email signatures that do contain personal data? How to handle that? So do you have to protect the email database or systems or servers? How do you deal with things like that, where it's sort of more indirectly provided, delivered personal data? Any idea on that, or maybe if
The only thing I'd comment on that is that it's supremely unsatisfying, the way you withdraw consent when it comes to email, like email footers and links.
However, if consent was given by email, maybe that's the only way that you can withdraw it as well. And maybe Carsten has some thoughts about withdrawing consent through those unsubscribe links, but, you know, I don't find it to be similar enough to the way you gave consent in those cases. And that's why, you know, the User-Managed Access approach is to actually have a kind of central dashboard, or a control console, where you can see all these things and manage them centrally, because it's a much more convenient way of doing things.
So that's my thought on that. And I'd love to hear his thoughts, sort of regulatory, as well.
I really agree with you. It's really the perfect way to organize yourself if you have such a dashboard, but lots of us wouldn't have that. So it's a question of what the rules are.
Anyhow, if you're not organized that way, actually I would differentiate between emails: general emails that we all have, many of us have too many of those in a too short period of time, so you just have an account with so many emails; and then you have those customer emails that you are sending out; and then maybe you have emails you receive from your customers. I'm making it so complicated only by suggesting to differentiate and obviously have different solutions for that. Not technical solutions, but, you know, solutions in question of time.
How long should you have those emails? How soon should you erase them? And you understand how difficult the legal situation is, because all of those different setups have to be treated differently.
So general emails that you're sending back and forth within your own company will probably have different rules when it comes to data erasure times than other emails. The unsubscribe button is a completely different story, and to have such a button in place is sufficient in order to meet the law, if you react on it.
And if you accept it if someone unsubscribes, and if you're following that desire. So the main focus must be on understanding what kind of content is transported in those emails, from whom it goes to whom, is it leaving your company or are you receiving it? And then you have several things that I would consider as homework, which is data retention times, which is the question on how they are secured while they're on their way,
and certainly do you have all legal disclaimers that you're supposed to have in there, and maybe as a fourth question, the unsubscribe button.
So for example, if you receive a bill via email, you're supposed to keep that in most European countries, I think in almost all, for 10 years; in maybe some countries it will be seven. Still, there is a rule to it. For some other emails that have nothing to do with the bill or any other formal procedure,
and they're not part of a customer-client relationship, you might not have any reason to keep that information in your email system, and you're supposed to erase that email right away. So that is really complicated. And you will have to find a compromise, or there must be a scanning of the emails according to certain keywords. But that again is difficult when it comes to data protection. So I'm afraid this is one of the areas where we are not there yet. There are certain rules to it, as to erasure, as to transmitting in a secure way, but we do not have practical answers yet.
And I wouldn't know too many companies who went all the way in being compliant in this field. So if you're not done there, you're probably in good company. And I expect some more years to go before we, as a business environment, will adhere to the rules of the GDPR. So actually my good guess would be that either you have the technical solution, or you have nice policies that are close to what you're supposed to do, or this will be maybe one of the cases we can read in the newspaper as reviewed by an authority.
Okay.
I think we are already at the top of the hour, but we have many questions here. I propose we pick one or two, which we answer rather quickly, and then all the other questions, I propose we circle around and then provide a blog post with the answers or, where appropriate, direct answers to the people who asked these questions. So the one I'd like to pick, which I find very interesting, is: so if you look at the right to be forgotten, sometimes it's not possible to do it.
For instance, there might be situations around clinical trials where you can't forget that data. So can consent or can contractual rules override the right to be forgotten, Carsten?
Excuse me, I did not understand the last part of the question. Could you repeat?
So can consent override a right to be forgotten, or can contractual agreements override the right to be forgotten?
Contractual agreements can override that right, that customer right. It must be very clear.
It must be something that's understandable and revocable, as a consent, but in general, a contract may certainly override that. Yes.
Okay. And then there's another question. Maybe that one you might answer: how do you see North American companies adhering to GDPR regulations? Do you think it will take a fine before they start incorporating the regulations into their privacy and security policies, if they are affected, and many will be?
Well, yes. I think most really will be. I think that awareness is rather lower than in the EU.
I do think that there will be a lot of companies, well, most companies, really working hard to comply. A fine always does wake people up, but no, I think that there will be a rush to compliance, perhaps on a shorter time scale than EU companies. But we were talking about Y2K earlier as we were preparing for this webinar, and I think it'll be rather Y2K-like, yeah.
It's interesting. You know, I think you're maybe a little bit too positive regarding the state of preparation in the EU. So from what I observe, many organizations are really not where they should be. So many organizations still have a long way to go. I personally believe that it will be interesting, and I think the Y2K example is a good one; we probably will end up in basically very much the same situation. And maybe to also learn more about GDPR, I just want to hand back to our European Identity & Cloud Conference and the events.
I think both are good places to really get more information about that. With that, I think we are a couple of minutes after the top of the hour. We have a number of unanswered questions, which we will answer in written form. So we will add this and circulate it. So thank you very much today for listening to our KuppingerCole and ForgeRock webinar. I hope it was valuable to you. Hope to have you soon again at a webinar or at one of our events. Thank you very much. And thank you, Eve and Carsten, for your excellent presentations.
A pleasure. Thank you.