Whitepaper

8 GDPR topics to be addressed with CIAM


Introduction
The General Data Protection Regulation (GDPR) will be in full force 25 May 2018 for all organisations that
control and/or process personal data of EU citizens. With little time left on the clock, there is no time to
waste for organisations that process or control personal data.

For a large part, GDPR is about how organisations gather, store, protect and manage the lifecycle of
that data. And that is exactly where Consumer Identity & Access Management (CIAM) solutions fit in.

It is important to emphasise that not all requirements set by GDPR apply to CIAM. Think of important
elements such as the appointment of a Digital Privacy Officer (DPO), employee awareness training and the
set-up of a privacy policy.

Instead, at iWelcome we have identified eight important GDPR topics organisations must address with
IAM to be GDPR compliant:

1. When should consent be requested?
2. Transparency as the key for building trust
3. Strict regulation of automated individual decision-making
4. Sensitive personal data
5. Privacy by design & Data protection by design
6. Special rights for the individual like ‘right to be forgotten’
7. Data breach communication
8. Children’s privacy under GDPR

In this whitepaper, we’ll provide you with a comprehensive overview of these topics and hand you some
valuable tips & tricks for being GDPR compliant on consumer interaction.

2 | ©iWelcome
Topic 1: When should consent be requested?
Consent needs to be given by the individual/consumer (the data subject) for the processing of personal
data relating to him or her (unless one of the exemptions of article 6 applies). That consent needs to be
“freely given, specific, informed and unambiguous”. In other words: it must be crystal clear. Organisations
need to be clear on what they are using an individual’s personal data for, the individual needs to be well
informed about it and must make his or her decisions freely. Pre-ticked boxes that need to be un-ticked are
also specifically forbidden in GDPR, as they may indicate a preferred choice.

This rule impacts CIAM systems because storing the data is – by law – called “processing”. And as most
personal data will be stored in the user’s profile, a key section in a CIAM system, consent mechanisms
need to be present.

When should consent be requested?

First of all, consent should be requested when individuals are asked for input of (new) personal data,
unless one of the exemptions applies (for instance the processing of data “for the performance of a
contract”, article 6). Asking for a delivery address for a book that the individual ordered in an online
bookstore is fine, but you can only use the information for that purpose and nothing else unless you
ask for consent (specifying the information and the reason) for that. Asking for a phone number in case there is
a problem sending the book is fine if you specifically mention that use and leave the choice up to the
customer. However, you are not allowed to use the phone number for anything else in the future, so it
is better to keep it only for a month (retention) and/or ask consent to store that information for further
order tracking as well. For sensitive personal data like biometric data or genetic data, you always have
to ask consent (unless one of the exemptions of article 9 applies). In the law this is referred to as “explicit
consent”, meaning that the individual has to perform an affirmative act, which can be checking a box to confirm that
the data just entered will be used for the reason specified. In the case of the delivery address,
it was enough to mention at the address box that the address would only be used to send the book,
without the need for a tick-box.

Topic 2: Transparency as the key for building trust
Article 5 of GDPR sets out a number of principles that organisations, so-called “data controllers”, must
comply with when they process personal data of consumers (and others), so-called “data subjects”.
These principles form the core of the obligations to process the data “lawfully, fairly, and in a transparent
manner in relation to a data subject”. Transparency has two requirements with respect to personal data:

1. Organisations must provide extensive information to people about the data and how it is used;
2. Individuals need to be granted easy control over it.

The key to building trust is transparency

Looking at transparency in the context of GDPR, data controllers have to provide (and consumers are
entitled to receive) the following information:

›› Information that has been provided in a clear, concise, transparent, and easily accessible form, using
unambiguous and plain language;
›› Information concerning the intended purpose of processing the personal data, including the legal
basis and legitimate interests pursued by the data controller and any third parties involved;
›› Information concerning the way in which access rights to personal data are offered, how to have
any errors in the data corrected or have the data removed, and how to object to certain ways of
processing that data. An individual has the right to have any errors in the data corrected without
delay and has the right to have information added to the data if it is incomplete;
›› Information concerning any recipients to whom the data will be disclosed;
›› The categories of data concerned and the type of processing (automated or not);
›› The right to withdraw their consent at any moment and how to do this;
›› The retention of the data (how long it will be kept).

Topic 3: Strict regulation of automated individual decision-making
Article 22 of the GDPR targets one of the most powerful and promising tools for direct marketing:
profiling based solely on automated processing of personal data.

As a consumer, wouldn’t it be great if you’d only receive product offers that really fit you like a glove?
What if you only received offers based on data about your personal preferences and things like
income, lifestyle, and where you live? What if marketers automatically tailored their products to your
needs? According to the EU (and more specifically, the GDPR legislation), this is not going to happen
anymore, at least not without the explicit consent of consumers. The reason is that GDPR requires that
each person in the EU should have free choice in their buying decisions instead of being presented
with automatically-selected options, based on the data that businesses gather about personal
preferences and lifestyle.

The key word is ‘automated’

In the GDPR era, this automated handling and processing of personal data will be virtually
impossible without the clear and explicit consent from the people whose data is involved. A travel
website automatically offering a high-priced vacation to certain visitors based on data that
shows they live in a high-class neighbourhood will be a thing of the past. The same goes for offering
only a subset of products on a website because your age has been used to automate the selection
(and therefore choice) for you. Based on your profile, you cannot see or buy other products on the
website because they are simply not offered.

A clever strategy forward

If profiling and automated decision making are vital to your company’s (direct) marketing operation,
make sure that you ask for consent during the earliest stages of the relationship with your consumers,
ideally just after your company has made a positive impression. This may occur after buying a product or
receiving satisfactory online advice.

Topic 4: Sensitive personal data
Personal data is perceived as ‘sensitive’ when it reveals racial or ethnic origin, political opinions, trade union
membership or religious or philosophical beliefs, or when the data concerns health, sex life or sexual orientation.
Finally, genetic and biometric data can also be sensitive personal data.

The new GDPR prohibits the processing of sensitive personal data

The processing (collecting, storing etc.) of these ‘sensitive personal data’ is in most circumstances not
allowed. Although there is a list of exceptions to this general rule, sensitive personal data
is almost always off limits for non-public organisations in relation to marketing.

Explicit consent is required

If organisations want to use sensitive personal data for good purposes (e.g. a mobile application
providing health advice based on your fitness performance), they must go to great lengths to acquire
the explicit consent from a consumer for the processing of this data. Moreover, it should be requested
for a specifically mentioned purpose and should be limited to only those personal data strictly necessary
for this purpose. The “OK” by the consumer must be ‘freely given, specific, informed and unambiguous’,
meaning that there is little room for creative editing.

Exceptions to the rule

Obviously, there are cases where processing sensitive personal data is essential. For instance, employers
may process such data when allowed by EU or national law or collective agreements. Another
exception to the general rule is when it involves people’s vital interests and he/she cannot give consent.
The new regulation also offers exceptions to not-for-profit organisations with a political, philosophical,
religious, or trade-union function.

Topic 5: Privacy by design & Data protection by design
The protection of your customers’ data and privacy must be a top priority from the first whiteboard
session onwards, known as ‘Data protection by design’ (also referred to as ‘privacy by design’).

In short, this means that organisations are obliged to take into account data privacy from the functional
design stage onwards. Newly designed online services must be compliant with the principles of the
GDPR from scratch.

The ultimate aim of the ‘data protection by design’ rules in the GDPR is to ensure that, when developing
a product or service, appropriate technical and organisational measures are implemented to ensure
data protection in line with the GDPR. In other words: doors to personal data that are supposed to be
closed according to GDPR, should stay closed because the product or service via which it was gathered
was designed that way. This requires strict access control.

Measures to guarantee privacy by design & data protection by design

Make sure that everyone involved in the development of a product or service is fully aware of the
“privacy by design” requirement and that technical and organisational measures are implemented to
increase privacy. An example of such measures is the pseudonymisation and encryption of personal
data. Also, check your existing products and services to see if changes are necessary.

And last but not least: data minimisation

An important requirement that is introduced with this theme is ‘data minimisation’: only the personal
data necessary for the indicated purpose should be processed, and this principle should be embedded
in the design of the product or service. Using consent given earlier for further processing is permitted, as long
as it is for ‘compatible’ reasons (e.g. used for the same purpose as it had been originally collected for).

Topic 6: Special rights for the individual like ‘right to be forgotten’
Article 17 of GDPR sets out a right to erasure as being ‘the right to obtain from the controller the erasure
of personal data concerning him or her without undue delay’.
The four most important grounds for erasure in GDPR are:

1. The data is no longer necessary for the purpose collected or processed;
2. The data subject withdraws consent and no legal grounds for processing remain;
3. The data subject objects to the processing and there are no legitimate grounds to continue;
4. The processing is unlawful.

Besides erasure, communication is required

In the GDPR era, clinging on to customers will be a thing of the past. Besides executing the erasure:
when a customer decides to exercise his or her right to be forgotten, companies need to provide insight
into the status of the request.

As an example, companies could communicate the following message: “Dear customer, we have
erased all of your personal information from our databases, other than the data (i.e. prior purchase
information) we are required to keep for a period of x years because of tax regulations.”

What organisations must do

As a company, GDPR obliges you to:

›› Know which personal data you have;
›› Know where it is located;
›› Know the legal grounds for keeping the data;
›› Know the purpose for using the data;
›› Know that the customer can ask for personal data to be removed and the impact of such a request;
›› Know that there are certain legal grounds for keeping information longer;
›› Communicate to the customer about the progress of the erasure process.
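The purpose-bound consent and retention rules of Topic 1 and the erasure flow of Topic 6, as one added example in Python that is not part of this whitepaper and not iWelcome's product code; the class, field and function names are assumptions, and the legal-hold period on the purchase record stands in for the “x years” of tax retention mentioned above:

```python
"""Purpose-bound consent and erasure for a consumer profile (added example, not
iWelcome's code): Topic 1 (one purpose per attribute, retention, explicit consent
for article 9 data) and Topic 6 (erasure with legal holds, reported back to the
customer). All class, field and function names here are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SENSITIVE = {"biometric", "genetic", "health"}  # article 9 categories (subset)


@dataclass
class Attribute:
    category: str                 # e.g. "address", "phone", "biometric"
    value: str
    purpose: str                  # the single purpose stated when collected
    legal_basis: str              # "contract" (article 6), "consent", ...
    collected_at: datetime
    retention: Optional[timedelta] = None        # None: kept for the contract
    legal_hold_until: Optional[datetime] = None  # e.g. tax rules on purchases


@dataclass
class Profile:
    # (category, purpose) -> True once the consumer has actively opted in
    consents: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    attributes: List[Attribute] = field(default_factory=list)

    def give_consent(self, category: str, purpose: str, ticked_by_user: bool):
        if not ticked_by_user:  # a pre-ticked box is not an affirmative act
            raise ValueError("consent requires an affirmative act")
        self.consents[(category, purpose)] = True

    def withdraw_consent(self, category: str, purpose: str):
        self.consents.pop((category, purpose), None)

    def store(self, attr: Attribute):
        # Consent-based and article 9 data need a recorded opt-in for their purpose.
        needs = attr.legal_basis == "consent" or attr.category in SENSITIVE
        if needs and (attr.category, attr.purpose) not in self.consents:
            raise PermissionError("explicit consent required")
        self.attributes.append(attr)

    def may_use(self, attr: Attribute, purpose: str, now: datetime) -> bool:
        if attr.retention and now > attr.collected_at + attr.retention:
            return False  # retention period over: no further use at all
        if purpose == attr.purpose and attr.legal_basis == "contract":
            return True   # article 6 'performance of a contract' covers it
        # Purpose limitation: anything else needs a specific, current consent.
        return self.consents.get((attr.category, purpose), False)

    def erase(self, now: datetime) -> Tuple[int, List[str], str]:
        """Right to erasure: drop everything not under a legal hold, withdraw
        all consents, and tell the customer what was kept and why."""
        kept = [a for a in self.attributes
                if a.legal_hold_until and a.legal_hold_until > now]
        erased = len(self.attributes) - len(kept)
        self.attributes, self.consents = kept, {}
        held = ", ".join(f"{a.category} until {a.legal_hold_until:%Y-%m-%d}" for a in kept)
        msg = f"We have erased {erased} item(s) of your personal data." + (
            f" We must keep by law: {held}." if held else "")
        return erased, [a.category for a in kept], msg
```

The bookstore scenario from Topic 1 (delivery address under the contract, phone number kept for a month, biometric data only after explicit consent) runs through `store` and `may_use`, and `erase` returns the status message Topic 6 asks the company to communicate.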

Topic 7: Data breach communication
Although some EU countries have in the past introduced data breach legislation, as of 25 May 2018
the GDPR rules concerning data breaches come into force in all EU countries. This topic is covered
in depth in articles 33 ‘Notification of a personal data breach to the supervisory authority’ and 34
‘Communication of a personal data breach to the data subject’ of the GDPR.

Under the GDPR, organisations that process personal data are subject to strict personal data breach
notification rules. Two types of organisations are distinguished:

›› Data controllers must report personal data breaches that are likely to result in a risk to the rights and
freedoms of natural persons, directly to supervisory authorities (within 72 hours) and to the individual
persons (without undue delay) involved in the breach;
›› Data processors need to report data breaches to the data controller.

What should organisations do to deal with data breaches?

In order to prevent and deal with data breaches (according to GDPR requirements), the following steps
are recommended:

›› Set up access policies and procedures;
›› Oversee that the right technical measures are taken to prevent data breaches;
›› Carefully select sub-processors to make sure they have adequate security measures in place
(including encryption or pseudonymisation, back-ups etc.);
›› Set up (or update) internal data breach notification procedures;
›› Make sure these procedures are tested and reviewed on a regular basis;
›› Make sure that sub-processors communicate their data breaches to your organisation on a
proactive and immediate basis;
›› Set up and maintain an internal breach register.

Topic 8: Children’s privacy under GDPR
The GDPR contains new rules and regulations intended to improve the protection of the personal data
of children. These are incorporated in article 8 “Conditions applicable to child’s consent in relation to
information society services”. The rule of thumb for GDPR is that when online services (in GDPR referred
to as information society services) are offered to children under the age of 16 and consent is required
as the basis for the lawful processing of the child’s data, consent must be given or authorised by a person
with parental responsibility for the child. In practice, this shall result in an active opt-in decision by the
parent on behalf of his or her child.

Unfortunately, GDPR does not state any clear requirements to authenticate the age of a child;
organisations must make ‘reasonable efforts’ to verify that the person providing the consent is indeed the
parental figure entitled to perform this action.

Tips & tricks for organisations

In order to prepare for the children’s data protection requirements set out by GDPR, the following steps are
recommended:

›› Analyse whether these new rules on children are likely to affect your organisation;
›› If your organisation offers services (or information) directly to children, ensure you know if there are
additional national rules that apply to you;
›› For services offered directly to children, make sure these are accompanied with clear information that
can easily be understood by children;
›› Ensure you have some sort of system in place to check the age of the child;
›› Ensure that you have measures or systems in place to check that someone is indeed the parent of the
child that wishes to use your services;
›› Make sure you properly store the parental consent and make sure it is made available to parents
just as easily as the consent was given. You can think of a personal account page to be used by
your customers to see, edit and manage their personal data or the personal data of their children,
supplemented by their parental consent.

How the right CIAM solution helps organisations to be GDPR compliant
By selecting the right CIAM solution, organisations can internalise GDPR compliance in their day-to-day
interactions with consumers. With all personal data collected and stored on one platform, organisations
can flexibly manage personal data (see overview below).

1. Consumers are offered one frictionless experience over all channels

With iWelcome’s easy registration, social login and Single Sign-On (SSO) capabilities, organisations can offer
their consumers one UI over all channels. All data is transferred and stored safely onto one platform (the ).

2. Consumers can view and edit their data settings and preferences

As required by GDPR, consumers can view, edit and delete their data, either via iWelcome’s white-labelled
portal solution or in the organisation’s own portal environment (via iWelcome’s RESTful APIs). Moreover,
consumers can easily download an extract of their data (in GDPR referred to as ‘data portability’).

3. Large efficiency gains for auditing

In many organisations, personal data is stored and managed in different applications or systems. This is
inconvenient for multiple stakeholders within an organisation (think of marketing & sales and customer care),
but especially for the compliance officer who needs to audit GDPR compliance. With all data stored and
managed on one CIAM platform, organisations can achieve substantial gains with regard to efficiency and
labour costs.

4. No more consumer data complexity for (back-end) systems

One centralised CIAM platform takes away the complexity of managing different data systems for different
services, leading to a decrease in IT costs.

About iWelcome
iWelcome provides Identity as-a-Service for frictionless privacy-protected consumer services and
security-enabled workforce processes. iWelcome is the only European born Identity Platform - headquartered
in Europe, backed by European investors and specifically serving customers doing business in Europe.
Millions of consumers and hundreds of thousands of employees - across industries like banking, insurance,
utility, media & publishing, travel & services, retail/e-tail and Governments & Non-Profit – rely on iWelcome
on a daily basis. Analysts like Gartner and KuppingerCole have recognized iWelcome as a worldwide Product
and Innovation Leader with “Excellence” ratings. Building truly winning partnerships with its customers,
iWelcome offers lowest Total Cost of Ownership and a time-to-service in weeks. Applying Best-of-Breed
Private Cloud Technology, customers benefit from both ends: using a SaaS service while not having to share
critical resources.
+31 33 445 05 50 | info@iwelcome.com | www.iwelcome.com