For a large part, GDPR is about how organisations gather, store, protect and manage the lifecycle of personal data. That is exactly where Consumer Identity & Access Management (CIAM) solutions fit in.

It is important to emphasise that not all requirements set by GDPR apply to CIAM. Examples of requirements outside its scope are the appointment of a Digital Privacy Officer (DPO), employee awareness training and the set-up of a privacy policy.

Instead, at iWelcome we have identified eight important GDPR topics organisations must address with IAM to be GDPR compliant:

In this whitepaper, we’ll provide you with a comprehensive overview of these topics and hand you some valuable tips & tricks for being GDPR compliant in consumer interaction.
© iWelcome
Topic 1: When should consent be requested?
Consent needs to be given by the individual/consumer (the data subject) for the processing of personal data relating to him or her (unless one of the exemptions of article 6 applies). That consent needs to be “freely given, specific, informed and unambiguously”. In other words: it must be crystal clear. Organisations need to be clear on what they are using an individual’s personal data for, the individual needs to be well informed about it and must make his or her decisions freely. Pre-ticked boxes that need to be un-ticked are also specifically forbidden in GDPR, as this may indicate a preferred choice.

This rule impacts CIAM systems because storing the data is – by law – called “processing”. And as most personal data will be stored in the user’s profile, a key section of a CIAM system, consent mechanisms need to be present there.
Topic 2: Transparency as the key for building trust
Article 5 of GDPR sets out a number of principles that organisations, so-called “data controllers”, must comply with when they process personal data of consumers (and others), so-called “data subjects”. These principles form the core of the obligations to process the data “lawfully, fairly, and in a transparent manner in relation to a data subject”. Transparency has two requirements with respect to personal data:
1. Organisations must provide extensive information to people about the data and how it is used;
2. Individuals need to be granted easy control over it.
›› Information that has been provided in a clear, concise, transparent, and easily accessible form, using unambiguous and plain language;
›› Information concerning the intended purpose of processing the personal data, including the legal basis and legitimate interests pursued by the data controller and any third parties involved;
›› Information concerning the way in which access rights to personal data are offered, how to have any errors in the data corrected or have the data removed, and how to object to certain ways of processing that data. An individual has the right to have any errors in the data corrected without delay and has the right to have information added to the data if it is incomplete;
›› Information concerning any recipients to whom the data will be disclosed;
›› The categories of data concerned and the type of processing (automated or not);
›› The right to withdraw their consent at any moment and how to do this;
›› The retention of the data (how long it will be kept).
Topic 3: Strict regulation of automated individual decision-making
Article 22 of the GDPR targets one of the most powerful and promising tools for direct marketing: profiling based solely on automated processing of personal data.

As a consumer, wouldn’t it be great if you’d only receive product offers that really fit you like a glove? What if you only received offers based on data about your personal preferences and things like income, lifestyle, and where you live? What if marketers automatically tailored their products to your needs? According to the EU (and more specifically, the GDPR legislation), this is not going to happen anymore, at least not without the explicit consent of consumers. The reason is that GDPR requires that each person in the EU should have free choice in their buying decisions instead of being presented with automatically-selected options, based on the data that businesses gather about personal preferences and lifestyle.
Topic 4: Sensitive personal data
Personal data is perceived as ‘sensitive’ when it reveals racial or ethnic origin, political opinions, trade union membership or religious or philosophical beliefs, or when the data concerns health, sex life or sexual orientation. Finally, genetic and biometric data can also be sensitive personal data.
Topic 5: Privacy by design & Data protection by design
The protection of your customers’ data and privacy must be a top priority from the first whiteboard session onwards, known as ‘Data protection by design’ (also referred to as ‘privacy by design’). In short, this means that organisations are obliged to take data privacy into account from the functional design stage onwards. Newly designed online services must be compliant with the principles of the GDPR from scratch.

The ultimate aim of the ‘data protection by design’ rules in the GDPR is to ensure that, when developing a product or service, appropriate technical and organisational measures are implemented to ensure data protection in line with the GDPR. In other words: doors to personal data that are supposed to be closed according to GDPR should stay closed, because the product or service via which it was gathered was designed that way. This requires strict access control.
Topic 6: Special rights for the individual like ‘right to be forgotten’
Article 17 of GDPR sets out a right to erasure as being ‘the right to obtain from the controller the erasure of personal data concerning him or her without undue delay’.

The four most important grounds for erasure in GDPR are:

As an example, companies could communicate the following message: “Dear customer, we have erased all of your personal information from our databases, other than the data (i.e. prior purchase information) we are required to keep for a period of x years because of tax regulations.”
Topic 7: Data breach communication
Although some EU countries have in the past introduced data breach legislation, as of 25th May 2018 the GDPR rules concerning data breaches shall come into force in all EU countries. This topic is covered in depth in articles 33 ‘Notification of a personal data breach to the supervisory authority’ and 34 ‘Communication of a personal data breach to the data subject’ of the GDPR.

Under the GDPR, organisations that process personal data are subject to serious personal data breach notification obligations. Two types of organisations are distinguished:
›› Data controllers must report personal data breaches that are likely to result in a risk to the rights and freedoms of natural persons directly to supervisory authorities (within 72 hours) and to the individual persons involved in the breach (without undue delay);
›› Data processors need to report data breaches to the data controller.
Topic 8: Children’s privacy under GDPR
The GDPR contains new rules and regulations intended to improve the protection of the personal data of children. These are incorporated in article 8 “Conditions applicable to child’s consent in relation to information society services”.

The rule of thumb for GDPR is that when online services (in GDPR referred to as information society services) are offered to children under the age of 16 and consent is required as the basis for the lawful processing of the child’s data, consent must be given or authorised by a person with parental responsibility for the child. In practice, this shall result in an active opt-in decision by the parent on behalf of his or her child.

Unfortunately, GDPR does not state any clear requirements to authenticate the age of a child; organisations must make ‘reasonable efforts’ to verify that the person providing the consent is indeed the parental figure entitled to perform this action.
›› Analyse whether these new rules on children are likely to affect your organisation;
›› If your organisation offers services (or information) directly to children, ensure you know whether there are additional national rules that apply to you;
›› For services offered directly to children, make sure these are accompanied by clear information that can easily be understood by children;
›› Ensure you have some sort of system in place to check the age of the child;
›› Ensure that you have measures or systems in place to check that someone is indeed the parent of the child that wishes to use your services;
›› Make sure you properly store the parental consent and make sure it is made available to parents just as easily as the consent was given. You can think of a personal account page to be used by your customers to see, edit and manage their personal data or the personal data of their children, supplemented by their parental consent.
How the right CIAM solution helps organisations to be GDPR compliant
By selecting the right CIAM solution, organisations can internalise GDPR compliance in their day-to-day interactions with consumers. With all personal data collected and stored on one platform, organisations can flexibly manage personal data (see overview below).
About iWelcome
iWelcome provides Identity as-a-Service for frictionless privacy-protected consumer services and security-enabled workforce processes. iWelcome is the only European-born Identity Platform - headquartered in Europe, backed by European investors and specifically serving customers doing business in Europe. Millions of consumers and hundreds of thousands of employees - across industries like banking, insurance, utility, media & publishing, travel & services, retail/e-tail and Governments & Non-Profit – rely on iWelcome on a daily basis. Analysts like Gartner and KuppingerCole have recognized iWelcome as a worldwide Product and Innovation Leader with “Excellence” ratings. Building truly winning partnerships with its customers, iWelcome offers lowest Total Cost of Ownership and a time-to-service in weeks. Applying Best-of-Breed Private Cloud Technology, customers benefit from both ends: using a SaaS service while not having to share critical resources.
+31 33 445 05 50 | info@iwelcome.com | www.iwelcome.com