1. © 2017 ForgeRock. All rights reserved.
GDPR Is Coming In Hot: Top Burning Questions
Answered To Help You Keep Your Cool
Eve Maler @xmlgrrl
VP Innovation & Emerging Technology,
ForgeRock
Sean Doherty @SeanD0herty
Analyst, Workforce Productivity &
Compliance Channel, 451 Research
July 25, 2017
3. 451 Research is an information
technology research & advisory company
Founded in 2000
300+ employees, including over 100 analysts
1,000+ clients: Technology & Service providers, corporate
advisory, finance, professional services, and IT decision makers
50,000+ senior IT professionals in our research community
Over 52 million data points each quarter
4,500+ reports published each year covering 2,000+
innovative technology & service providers
451 Research and its sister company Uptime Institute
comprise the two divisions of The 451 Group
Headquartered in New York City with offices in London,
Boston, San Francisco, Washington D.C., Mexico, Costa Rica, Brazil, Spain,
U.A.E., Russia, Taiwan, Singapore, and Malaysia
Research & Data
Advisory Services
Events
4. GDPR: when and where?
• Effective and enforced on May 25, 2018, replacing the 1998 Data Protection Directive (95/46/EC).
• The regulation requires member countries to follow and enforce the GDPR without passing local legislation.
• The regulation applies to:
  1. The processing of personal data from the activities of an establishment of a controller or processor in the EU; or
  2. A controller or processor not established in the EU, where personal data collection and processing is related to the offering of goods or services to data subjects in the EU, or the processing monitors data subjects' behavior in the EU.
5. GDPR definitions
Personal data means any information relating to an identifiable natural person (data subject), i.e., one who can be identified, directly or indirectly, from a name, identification number, location data, online identifier or other factors specific to the physical, genetic, economic, or social identity of the data subject. Art. 4(1).
Processing means any operation performed on personal data, such as collection, recording, organizing, and storing. Art. 4(2).
A controller is a person or organization that determines the purposes and means of processing personal data. Art. 4(7).
A processor is a person or organization that processes personal data on behalf of a controller. Art. 4(8).
6. GDPR effect: not a butterfly but a bee
Violations of the GDPR can cost up to €20m in fines or up to 4% of a controller’s or processor’s previous year’s worldwide revenue.
Requires data controllers and processors whose activities involve regular and systematic monitoring of data subjects on a large scale to appoint a data protection officer.
Mandatory data breach notifications to data subjects within 72 hours of the breach.
Gives EU residents more control of their personal data:
• Prohibits data processing beyond its specified purpose.
• The right to correct (rectification) and delete (erasure), or to be forgotten.
• The right to withdraw consent to data processing.
Data subjects, and nonprofit organizations acting on their behalf, can bring actions directly against data controllers and processors for GDPR violations.
© Teguh Mujiono
7. The EU General Data Protection Regulation: it’s different this time
• Firm deadline, big penalties, high aspirations…and viral
• “Data protection” encompasses a wide variety of data transparency and data control requirements
8. Take steps
https://www.flickr.com/photos/adpowers/16808090/ | CC BY 2.0
• Identify intersections between digital transformation opportunities and user trust risks
• Conceive of personal data as a joint asset
• Lean in to consent
• Take advantage of identity and access management for building trust
9. We asked what you wanted to know – and you let us have it
https://www.flickr.com/photos/infomastern/11459954985/ | CC BY-SA 2.0
10. Q1: My company interacts with end-users directly and holds user account data. When sending such data from Australia to, say, the US, what regulation applies: Australia, US, EU...?
11. Q2: What is the relation of Privacy Shield to GDPR?
12. Q3a: Does GDPR require that I store data about my customers in the country it was collected in?
Q3b: How does it work in the ForgeRock Identity Platform to store identity profile data within a specific region?
13. The ForgeRock Identity Platform (architecture diagram)
Components: Access Management (AM), Identity Management (IDM), Identity Gateway (IG), Directory Services (DS), Common Services (CS).
Capabilities named on the diagram (the column each belongs to is not recoverable from the slide text): Authentication, Authorization, Provisioning, Reconciliation, OIDC/OAuth, Federation, Adaptive Risk, Stateless & Stateful, UMA Provider, Mobile App, User Self Service, Workflow Engine, Registration, Single View of Customer, Synchronization, Password Management, Password Replay, SAML, Token Transformation, UMA Protector, API Security, Throttling, Common Scripting, Common Audit/Logging, Common User Interface, Common REST API, LDAPv3, Replication, REST/JSON, Access Control, Schema Management, Caching, Auditing, Monitoring, Groups, Password Policy, AD Pass Through, Reporting.
14. Data sovereignty and fractional replication
Global User Profile (has all user attributes)
Per-jurisdiction replica:
• Contains a subset of the complete user profile
• Fractional replication within each jurisdiction
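To make the fractional-replication idea on this slide concrete, here is an added Python model (not ForgeRock Directory Services code, and not from the original deck): a global profile holds every attribute, each jurisdiction's replica is derived through an include/exclude policy, and a residency check refuses to replicate an attribute out of the jurisdiction it is bound to. The attribute names, the `RESIDENCY` map and the policy shape are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FractionalPolicy:
    """Replication policy for one jurisdiction, modelled on include/exclude
    attribute lists (a simplification assumed for this example)."""
    jurisdiction: str
    include: frozenset = frozenset()   # attributes replicated here; empty means all
    exclude: frozenset = frozenset()   # attributes never replicated here

    def allows(self, attr: str) -> bool:
        if attr in self.exclude:
            return False
        return not self.include or attr in self.include

# Constructed sample profile; two attributes are tagged as EU-resident data.
GLOBAL_PROFILE = {
    "uid": "alice",
    "mail": "alice@example.com",
    "cn": "Alice Example",
    "postalAddress": "1 Example Street, Berlin",
    "nationalId": "DE-0000-CONSTRUCTED",
}
# attribute -> jurisdiction it must not leave (constructed for the example)
RESIDENCY = {"postalAddress": "EU", "nationalId": "EU"}

def replicate(profile: dict, policy: FractionalPolicy) -> dict:
    """Build the fractional replica for one jurisdiction. Raises ValueError if
    the policy would move a residency-bound attribute out of its home region."""
    replica = {}
    for attr, value in profile.items():
        if not policy.allows(attr):
            continue
        home = RESIDENCY.get(attr)
        if home is not None and home != policy.jurisdiction:
            raise ValueError(f"{attr} is {home}-resident; cannot replicate to {policy.jurisdiction}")
        replica[attr] = value
    return replica

def replication_is_safe(profile: dict, policy: FractionalPolicy) -> bool:
    """True when the policy replicates without violating residency."""
    try:
        replicate(profile, policy)
        return True
    except ValueError:
        return False

EU_POLICY = FractionalPolicy("EU")                                   # full replica inside the EU
US_POLICY = FractionalPolicy("US", exclude=frozenset({"postalAddress", "nationalId"}))
US_BAD_POLICY = FractionalPolicy("US", include=frozenset({"uid", "nationalId"}))  # misconfigured
```

Running `replicate(GLOBAL_PROFILE, US_POLICY)` yields only `uid`, `mail` and `cn`, while `US_BAD_POLICY` is rejected before any EU-resident attribute leaves the region.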
15. Q4: If a US employee of my organization uses a VPN connection back to the home office while in another office that’s located in the EU, what regulation applies: US, EU…?
16. Q5a: What do data encryption techniques have to do with GDPR?
Q5b: How does it work in the ForgeRock Identity Platform to encrypt and protect identity attributes?
17. Many layers of protection for personal data
Across Directory Services (DS), Access Management (AM), Identity Management (IDM), Identity Gateway (IG) and Common Services (CS); the slide assigns each item to a component, but that assignment is not recoverable from the text:
• On-disk encryption of data and indexes
• Access controls to prevent unauthorized users from reading data
• Encrypted backups
• Tamper-proofed audit logging, depending on the “sink” chosen
• Logging only of the user identifier, not of profile content
• Token proof of possession available to ensure the bearer is the rightful owner
• Signing and encryption for JWTs, id_tokens, SAML assertions, UserInfo responses
• Contextual authorization
• Encryption of credentials and profile attributes
• Encryption or hashing of data during synchronization
• Message header encryption
18. Q6: Does an individual have a “right to update” data?
19. Q7: If my organization has shared end-user data with a third party, and our end-user asks for it to be deleted, whose responsibility is it to delete it?
20. Q8a: When does GDPR say I have to go back to an end-user and ask for their consent to process their data again after collecting it a first time?
Q8b: When is it possible to ask for an end-user’s consent using the ForgeRock Identity Platform?
21. Moments of consent
• Registration time
• Authentication time
• Access approval (asynchronous)
22. Q9a: I’ve heard my organization will have to change all of our consent collection practices because of GDPR – is that true?
Q9b: What consent lifecycle management capabilities does the ForgeRock Identity Platform have?
23. The holistic view of consent lifecycle management
Three perspectives: single view of the consumer; giving the consumer a single view of their consents; giving the consumer control over their consents.
● Lifecycle management of a user profile and their data sharing preferences
● Secure storage of profile data
● Anonymized syncing of profile data and connector-based integration to third-party systems
● Terms of service and privacy policy capture
● Social sign-in
● Social registration
● Social consent management
● Interoperable, user-driven, proactive and reactive sharing flows
24. Patient selectively sharing IoT health data with doctors and other caregivers with User-Managed Access (UMA)
(Screenshots: Patient view | Doctor view)
25. Granular consented access by accountant to bank customer’s account data and transactions
26. Q10a: What does GDPR say about parental consent, and what is the age of majority?
Q10b: What are the capabilities of the ForgeRock Identity Platform regarding parental consent?
27. Typical parent/child account relationship and capabilities
Parent/Guardian Account
• Can self-register
• Can create and manage age-constrained accounts
• Full schema and permissions
• Access approval options, e.g. through UMA constrained delegation
Child Account
• Not allowed to self-register
• Jurisdictionally defined age-constrained account
• Limited schema and permissions
28. We’d like to show you what we’ve got cooking
https://www.flickr.com/photos/carree/2502801336/ | CC BY-ND 2.0
29. Profile and Privacy Management Dashboard: it’s all about self-service for…
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Convenient and centralized data protection, transparency, and control
demo
30. Thank You! Questions?
Eve Maler, VP Innovation & Emerging Technology, ForgeRock, @xmlgrrl
Sean Doherty, Analyst, Workforce Productivity & Compliance Channel, 451 Research, @SeanD0herty