At nearly 300 pages, the GDPR is a mountain of complex regulation that businesses must climb to survive - this summary and guide will help you plan your best route to the top.
Unraveling Multimodality with Large Language Models.pdf
CIAM Guide to Addressing GDPR Requirements
1. CIAM Guide to Addressing
GDPR Requirements
At nearly 300 pages, the GDPR is a mountain of complex
regulation that businesses must climb to survive – this guide
will help you plan your best route to the top.
RIGHT TO BE
FORGOTTEN
RIGHT TO
EXPORT
NOTIFICATION
MANAGEMENT
CONSENT
MANAGEMENT
FAIR
PROCESSING
CROSS-BORDER
PRACTICES
DEFINING PII
3. 3
To Prepare for the GDPR, Think “Privacy by Design”
You may have noticed that the topic of data privacy and security is no longer limited to the
back-office. As corporate strategy becomes increasingly reliant on digital technologies,
consumer data has become the chief currency of business in a marketplace where customer
experience is edging out price and even product quality as the prime differentiator for
brands. But many consumers harbor a growing wariness about how and why businesses are
using their personal information.
For example, a 2017 survey1
by Gigya of more than 4,000 adults in the U.S. and UK turned
up some important insights into people’s feelings about online security and privacy,
including these statistics:
• Sixty-eight percent of respondents don’t
trust brands to appropriately handle their
personal information, such as name, email,
location or marital status.
• Sixty-nine percent of respondents are
worried about device security and privacy
risks with increased adoption of IoT devices.
• Seventy percent of respondents use seven
or fewer passwords across their many online
accounts, indicating poor password habits.
Governments, regulators, voters and consumer
advocates across the globe are demanding
an overhaul of consumer protection laws,
resulting in a wave of privacy legislation that is
changing the game for the digital enterprise.
The most notable of these new decrees is the
European Union’s General Data Protection
Regulation (GDPR).
About the General Data
Protection Regulation (GDPR)
This comprehensive document was created with input from multiple EU member states
and has robust enforcement mechanisms. The GDPR was designed not only to standardize
privacy practices across the EU, but to influence how countries outside the EU design their
own legislation around data protection and privacy. Importantly, the GDPR applies not only
to data captured and processed by EU-based businesses, but also to any organization
outside the EU that processes the personal data of EU consumers in order to offer goods or
services to them. The regulation officially goes into effect on May 25th, 2018.
1 Gigya, The 2017 State of Consumer Privacy and Trust
https://www.gigya.com/resource/report/2017-state-of-consumer-privacy-trust/
4. 4
What’s New? What’s Different?
The new law represents a fundamental shift in the balance of
rights and obligations between consumers and businesses.
There are a number of new elements to consider, including
broader definitions of personal data and new rights for
consumers in terms of data portability, requirements to notify
customers — as well as authorities — of data breaches, and
higher standards for obtaining and managing consent.
While significantly larger fines will apply when companies are
not in compliance, the major shift in the law is about giving
consumers control over their personal data.
PII Versus Personal Data —
A Broader Definition
Personally Identifiable Information (PII), a commonly used term in
North America, refers to a relatively narrow range of data such as
name, address, birth date, Social Security number and financial
information such as credit card numbers or bank accounts.
Personal data, in the context of GDPR, covers a much wider
range of information. The definition includes all tracking data which enables identification of
consumers. For example, the aspect of “indirect identification” means that data gathered using
cookies could be considered personal data. Also included in the definition are social media
posts, photographs, lifestyle preferences, transaction histories and IP addresses.
CIAM TAKES HOLD
Customer identity and access management (CIAM) solutions can be considered important to help
businesses address their obligations under GDPR. For years, most online marketing was done
anonymously, marketing to IP addresses — not individuals — using tracking cookies, behavioral
targeting networks and Data Management Platforms, without the use of consumers’ personally
identifiable information (PII).
Under the GDPR the definition of “personal data” has been expanded to include attributes not
traditionally considered personally identifiable information (PII). More importantly, the conditions
for consent have been expanded to include obligating businesses to obtain unambiguous and
verifiable consent from their customers for the processing of their personal data.
Addressing these requirements usually falls outside the core competencies of systems designed
to manage anonymous, third-party data. This is driving a new trend in digital strategy, with
businesses leveraging CIAM solutions to encourage consumers to identify themselves online in
transparent and fair exchanges of value for information, under conditions of trust and security. CIAM
solutions also enable businesses to maintain customer data in one place, while addressing GDPR
requirements to keep granular records on consent.
BUSINESSES IN THE
UK WILL BE SUBJECT
TO GDPR DURING THE
BREXIT PROCESS,
AFTER WHICH THE
INFORMATION
COMMISSIONER’S
OFFICE HAS SET
EXPECTATIONS
THAT WHATEVER
REPLACES THE LAW
WILL BE “ESSENTIALLY
EQUIVALENT.”
5. 5
TRUST — OR BUST
While it’s clear that customer identity is now the core of digital marketing, it’s important to
bear in mind that identity is not binary and there can be many steps between an unknown
visitor and a known customer. Today’s savvy and mobile customers are free to engage
with brands from a growing range of devices and channels, but overall are searching for
convenience, value and consistency. The new customer journey can begin at any time or
place, and certainly doesn’t end at purchase or conversion.
This is why the most successful businesses are incentivizing engagement by offering
value propositions such as premium content or exclusive promotions to online visitors
and ensuring that, once converted, customers can easily edit, amend, delete and freeze
processing of their personal data, or rescind their consent to store and use it.
Gigya’s Customer Identity Management platform enables businesses to progressively build
and manage rich customer identities and relationships throughout the entire buyer lifecycle.
Built specifically for the enterprise, our platform helps clients address GDPR requirements
and mitigate the risk of non-compliance by providing a centralized system for managing
customer data and consent across all marketing channels and devices.
PRIVACY BY DESIGN
Gigya’s CIAM platform provides customer
registration, login and preference management,
often across multiple digital properties, in order
to build rich customer profiles. These profiles can
be used for profile and consent management,
enabling businesses to control their captured
consumer personal data in a transparent and
centralized manner across many sites and apps. In
order to do this consistently and at massive scale,
Gigya employs a set of technical, strategic and
design principles known as “Privacy by Design.”
Privacy by design, a collection of data privacy best
practices (as defined at the end of this document),
is built into the Gigya platform, woven through our
technical implementation and product design and
taught to our clients as foundational principles
through GigyaWorks Global Services workshops. Privacy by design elements include
consent management strategy, data auditing, data extraction, data deletion, freezing of data
processing and more.
Using these principles, Gigya’s CIAM platform can help businesses address many of the
requirements of the GDPR and other data protection and privacy regulations. These best
practices are based on self-assessments from clients’ legal and business teams, and are
important for delivering transparency and control to customers regarding their personal data.
PRIVACY
BY DESIGN
7 Foundational
Principles
Proactive not
Reactive;
Preventative
not Remedial
Privacy as
the Default
Setting
Privacy
Embedded
into Design
Full
Functionality –
Positive-Sum,
not Zero-Sum
Visibility and
Transparency –
Keep it Open
End-to-End
Security – Full
Lifecycle
Protection
Respect for
User Privacy –
Keep it
User-Centric
6. 6
What is the Potential Impact of the GDPR?
ON BUSINESS
This new regulation will introduce a
range of requirements that will have
significant impacts on organizations,
but the component most likely to
draw attention from the C-suite is
the provision on penalties and fines.
In a stark departure from previous
data privacy legislation in Europe
or elsewhere, the GDPR authorizes
regulators to levy steep fines of up
to €20 million or four percent of
annual revenue, whichever is higher.
ON IT INFRASTRUCTURE
Are You Agile Enough?
Understanding how customers’ personal data is stored and processed across your
entire digital ecosystem will likely require a deep assessment of your technology stack
to determine whether your system is flexible enough to consistently obtain, track and
accurately report on customers’ profiles, preferences and consent. Importantly, this must
be done across every channel, device and stage of the buyer journey, and across every
marketing, sales and service application processing customer data. Does your customer
identity management solution have the agility to consistently manage new deployments that
have addressed GDPR requirements and that optimize customer experience? For example:
• Can you add new attributes to registration and login forms and the associated back-end
components in a consistent and timely fashion?
• Do you have a detailed audit trail that you can easily query to confirm opt-ins on
e-shops, portals and apps?
• Do you have enhanced profile management (“My Account”) screens that allow
self-service access for customers to view, edit, download, delete and freeze processing
of their personal data?
Are You Fully Connected?
Large, cloud-driven stacks have a lot of downstream dependencies for any changes made
to a self-service customer profile. For example, whether a customer wants to opt out of a
newsletter on your website, the terms of service change for your mobile app, or for any
number of other actions for which the GDPR requires consent to be obtained, mechanisms
Estimated number of new
Data Protection Officers
required in Europe
(IAPP study 20162
)
28,000
Cost of a 4% fine
to a company
with $500m turnover
$20m
New requirements
in the GDPR
80+
Core individual
rights afforded
under the GDPR
7
Potential fines as a
percentage of
global turnover
4%
Countries
potentially in scope
of the regulation
190+
Hours given
to report a
data breach
72
2 Source: International Association of Privacy Professionals:
https://iapp.org/news/a/study-at-least-28000-dpos-needed-to-meet-gdpr-requirements/
7. 7
must be in place to notify every applicable downstream application so they always reflect
the current state of the profile. Ask yourself these questions:
• Are you storing customer consent — wherever it is given — in a centralized way?
• Do you have mechanisms in place for downstream notifications — such as flexible ETL
functionality and customizable webhooks — to enable bi-directional syncing of consent
across every marketing, sales and service application in both batch mode and real-time,
depending on the application?
Are You Fully Unified?
If your profile and consent data exists in silos — such as ESP, CRM and DMP systems —
with no easy way to send or receive notifications about changes to profiles or preferences,
it’s both hard to know if you’re in compliance and easy to fall out of compliance without
warning. It’s also a challenge to fully understand complete digital customer journeys, and
perhaps impossible to synchronize data across the entire tech stack. This is often the case
for businesses which have not yet implemented a dedicated customer identity management
solution. For example, ask yourself:
• Do you maintain one profile database for subscription management in your ESP solution
and another for your CRM platform? Are you able to synchronize these records and do
you have a single source of truth?
• Are you using your DMP to drive media activation and optimization with third-party data?
• Are all these attributes consistently unified to provide an accurate view of each
customer’s consent and preferences across the business?
Understanding Compliance - At A Glance
Let’s look into key considerations when assessing data privacy and compliance for the
GDPR and other regulations around the globe.
CONSENT MANAGEMENT
Should consent be determined to be the lawful basis for processing
personal data, the GDPR requires that any mechanism for obtaining
consent arguably goes far beyond current practices. Businesses must
allow customers to easily modify their consent preferences.
Some of the consent management functions Gigya’s platform
provides include:
• Storing consent for terms of service (TOS) and the specific version of
TOS at the time consent was granted
• The ability to prompt customers to re-grant consent if TOS change
• Detecting a customer’s age and preventing login if they are under the
legal age of consent
• Triggering parental consent to accept customers below a minimum age
Consent
Management
Customer
Data
Control
Data
Localization
Social
Compliance
Data
Privacy
Regulations
8. 8
CUSTOMER DATA CONTROL
GDPR requires businesses to give individuals control over their
personal data, including the ability to view, freeze, download and
delete their personal data. Gigya’s platform provides:
• The ability for customers to easily update, export, and delete
their profile and preference data
• The ability to freeze or deactivate an account
DATA LOCALIZATION
Regional data localization laws, such as the Russian Federation’s
Personal Data Protection Act, generally require companies collecting
personal data of citizens in that country to process and store that
personal data within the country. Gigya helps clients address such
laws with regional data centers in North America, Europe, Australia,
Russia and China.
SOCIAL COMPLIANCE
Social networks like Facebook and Twitter have legal terms
applicable to businesses when they implement Social Login on
their digital properties. For example, upon each login, businesses
are required to keep the customer’s profile in sync with profile and
preference data on each social network. Gigya’s platform:
• Manages TOS for more than 25 social networks and other
identity providers
• Syncs personal data in real time between social networks and
customer profiles
• Deletes non-public data, according to customer permissions
DATA PRIVACY REGULATIONS
There are a number of other data privacy regulations and laws
around the world that may be applicable to businesses with respect
to their customers’ personal data. Gigya’s Customer Identity
Management platform features are designed to help businesses
address the requirements of these various laws and regulations with
respect to data privacy and personal data.
Consent
Management
Customer Data
Control
Data
Localization
Social
Compliance
Data
Privacy
Regulations
Customer
Data
Control
Consent
Management
Data
Localization
Social
Compliance
Data
Privacy
Regulations
Customer
Data
Control
Consent
Management
Data
Localization
Social
Compliance
Data
Privacy
Regulations
Customer
Data
Control
Consent
Management
Data
Localization
Social
Compliance
Data Privacy
Regulations
9. 9
Anti-Spam Regulations:
Regional anti-spam laws have various opt-out requirements regarding certain marketing
activities. Gigya’s CIAM Platform:
• Provides default support in our Registration-as-a-Service (RaaS) solution’s user interface
for opt-in and opt-out options, as well as custom support for opt-down
• Enables businesses to configure country-specific custom rules for each digital property
• Helps businesses address the anti-spam requirements of various countries by offering
registration, login and preference management screens that can be configured to
include specific opt-in functionality
Children’s Privacy
Gigya’s CIAM platform functionality allows businesses to ask online visitors to confirm their
age and can prevent registration if that individual is below the legal age of consent in their
country. Gigya can also support auto-deletion of the records of users below a particular age.
Accessibility Compliance
Gigya CIAM platform allows business to use out-of-the-box workflows that allow visually-impaired
customers to navigate online processes using only their keyboards to address some of the
requirements of the Web Content Accessibility Guidelines (WCAG) and the Americans with
Disabilities Act (ADA).
Gigya Facilitates Support for many Regulations
REGULATIONS
GDPR EU
COPPA US
Data Residency RU, CN
Privacy Shield EU-US
Privacy Bill of Rights US
Various Anti-Spam Acts CA, US, EU
Web Content Accessibility
Guidelines
Global
Health Insurance Portability
and Accountability Act
US
10. 10
Understanding GDPR Compliance – By the Numbers
ARTICLE 7: CUSTOMER CONSENT
7(2) Consent
Consent must be explicit and unambiguous and must be
obtained for each different processing activity.
How Gigya’s CIAM can Help
Gigya’s registration forms are 100% customizable via UI
builder, extensible markup language, or direct API access,
allowing Gigya’s clients to obtain separate instances of
consent in order to provide:
• A lawful basis for processing (consent)
• Privacy policy and TOS adherence
• Marketing and account preferences
7(1) Consent Documented
Businesses must provide records of the customer’s consent, including the conditions
under which each customer has given their consent and the specific purpose for which
consent was obtained. For example:
• When creating new accounts: A customer clicks a register now button, creates a
new account and clicks to accept TOS.
• When reaccepting updated TOS: A customer logs out, later logs back in and is
asked to accept new TOS.
• When opting in or out: A customer clicks into “My Account” and opts in or out of
newsletters, events or other available options.
How Gigya’s CIAM Platform can Help
To manage evidence of consent across the entire customer journey, Gigya obtains and
stores first-party metadata via registration forms, including for the intended use of data.
7(3) Right to Withdraw Consent
Customers must be able to easily withdraw consent for the collection or processing of
their personal data at any time.
How Gigya’s CIAM Platform can Help
Through Gigya’s Profile Management system, customers can quickly and easily access
their consent preferences at any time to change or withdraw consent. Additionally, Gigya’s
integrations with email service providers and marketing automation solutions are bi-directionally
synchronized. This means that any changes to opt-outs on third-party applications are reflected
on customers’ Gigya profiles as well, enabling truly centralized consent management.
11. 11
ARTICLE 15: RIGHT OF ACCESS BY THE CUSTOMER
Customers must be able to be view, export and edit their
personal data at any time. Also, customers have the right to
be provided with information about all personal data stored
by the applicable businesses.
How Gigya’s CIAM Platform can Help
Gigya’s clients can enable their customers to view and edit
all of their personal data via profile screens. This includes
not only data collected by Gigya, but also information from
client-requested integrations between third-party solutions
and our Profile Management database.
ARTICLE 16: RIGHT TO RECTIFICATION
Customers must be able to easily change profile and opt-in preferences
or correct inaccurate information stored by any business on their behalf.
Customers must also be able to request that changes be made to their
profiles and preferences by the business on their behalf, in a reasonable
amount of time and via a simple communication method such as email.
How Gigya’s CIAM Platform Helps
Gigya provides profile update forms to enable customers to edit their
marketing opt-ins and account preferences. A client administrator can
also update this information on the customer’s behalf via Gigya’s Admin
Console using the Identity Access tool. In addition, our integrations
with email and marketing automation tools are bi-directional, updating
customer records with any opt-outs initiated via third-party platforms.
ARTICLE 17: RIGHT TO BE FORGOTTEN
Customers have the “right to be forgotten” — that is, have their personal data erased by the
business, for reasons that include:
• The information is no longer necessary to fulfill the purposes for which it was
originally collected.
• The customer withdraws consent for the business to perform the activity for which the
processing is based.
• The customer objects to the purpose for personal data processing and the business
cannot provide compelling, legitimate grounds to continue doing so.
• The customer’s personal data was collected or processed unlawfully.
• The customer’s personal data must be erased in order to comply with a legal obligation of
that person’s country of origin.
12. 12
How Gigya’s CIAM Platform can Help
Gigya’s CIAM platform features a delete mechanism for customer profiles that is easily
accessible by registered customers. Console administrators can also delete profiles
upon customers’ request. Gigya is also able to delete profile information on synchronized
downstream applications using customizable webhooks and flexible ETL functionality when
a customer deletes an account in a Gigya profile screen.
ARTICLE 18: RIGHT TO RESTRICTION OF PROCESSING
Customers have the right to request that businesses freeze processing of their personal
data for any of the following reasons:
• The customer contests the accuracy of their personal
data. In this case, processing of the customer’s
personal data must cease for the period required to
verify the accuracy of the information.
• Personal data processing is deemed unlawful and
the customer requests that their data be frozen rather
than deleted.
• The business is no longer processing the customer’s
personal data, but the customer requires that the
personal data continue to be stored by the business
to establish, exercise or defend legal claims.
• The customer has objected to processing of their personal data. In this case, the
personal data should not be processed until the business’ grounds for processing are
verified as either legitimate or illegitimate.
Businesses are also required to inform customers before beginning the processing of
personal data after a restriction is lifted.
How Gigya’s CIAM Platform can Help
Gigya’s clients can easily tag individual profiles as inactive when their customers request
to have their accounts frozen. In this case, login is prevented automatically and tagged
customers can be filtered out of any processing activity. Clients can leverage customizable
webhooks and ETL functions to help ensure that profiles are updated on third-party
solutions as well.
13. 13
ARTICLE 28 (3)(G): DELETION OF INACTIVE DATA
The GDPR requires that businesses purge a customer’s personal data if the customer
deletes their profile, or if that profile has been inactive for a predetermined amount of
time. All copies of such data must be purged as well, unless otherwise specified by
law. Associated data must also be purged from any third-party technologies, such as
CRM or ESP solutions.
How Gigya’s CIAM Platform can Help
When a customer’s account has been inactive for
a predetermined amount of time, or if a customer
chooses to delete their account information, that
data is automatically purged from Gigya’s database
after a contractually mandatory 60-day period via
scripts that can be customized by clients.
ARTICLE 8: CONDITIONS APPLICABLE TO A CHILD’S CONSENT IN
RELATION TO INFORMATION SOCIETY SERVICES
The GDPR prohibits businesses collecting and processing the personal data of minors
without the express consent of a parent or guardian. The regulation defines the age of
consent as 16 within the EU, and not below 13 elsewhere. Businesses are required to
make reasonable efforts to verify the age of online users before processing their data,
taking into account available technology.
How Gigya can Help
Gigya’s clients are able to customize their implementations to ask an online visitor’s
age and prevent registration if that person is below the legal age of consent in
their country. Gigya can also support auto-deletion of the records of users below a
particular age. Additionally, Gigya’s clients can include parental consent forms to their
registration and login screens.
14. 14
More Regional Data Privacy Regulations
DATA LOCALIZATION
A number of countries have data localization regulations, notably Russia and China, which
generally require that personal data of their citizens collected in their respective countries
be processed and stored within their respective national borders.
Gigya’s Russian Data Center
To help its clients address the Russian data localization requirement to process
and store personal data of its citizens in Russia, Gigya opened a data center
located in Russia in 2016.
Gigya’s China Data Center
Gigya opened a cloud-based data center in Shanghai in April, 2017. Personal
data stored in China will remain discrete from that stored in Gigya’s other four
data centers. Personal Data is replicated in real time between two separate data
centers within China, and each server role operates in a cluster to eliminate
a single point of failure. The Chinese data center is certified for ISO27001,
ISO27018, SOC 1 and SOC 2.
A Global Footprint
All Gigya’s data centers operate with fully redundant capacity and incorporate disaster
recovery capability at a regional level. Gigya’s world-spanning data infrastructure helps our
large digital enterprise clients to drive complex, multi-national strategies while keeping up
with a constantly evolving regulatory landscape.
North
America
Europe Russia
Australia
China
SOCaicpa.org/soc
Fo
rm
erly SAS 70 Repo
rts
AICPASe
rvice Organization Contr
olReports
S E R V I C E O R G A N I Z AT I O N S
15. 15
The Gigya Privacy by Design Program
If your business is preparing to address the new requirements of the GDPR, Gigya can
help you clear a path to compliance. The Gigya Privacy by Design Program, delivered
by GigyaWorks Global Services, uses an iterative methodology to assess your business’
CIAM needs and help you prepare for GDPR compliance. Built on knowledge gained from
hundreds of enterprise deployments around the globe, this comprehensive program is
tailored specifically for your business needs today and geared to prepare you for the future.
How does it work?
This thorough program offers onsite client engagements and customized-per-client
documentation from the GigyaWorks Global Services team to support the implementation of
privacy by design best practices for our clients’ CIAM business initiatives. The GigyaWorks team
leverages an iterative methodology to help your team achieve rapid and and effective results.
• Client Technical Readiness Self Assessment: In preparation for the Privacy Strategy
workshop, Gigya will equip clients’ legal and business teams with a self-service GDPR
Technical Readiness Self Assessment Checklist. The results are intended to clearly
define which regulations apply to the business and which CIAM functions to prioritize in
order to quickly and efficiently prepare for GDPR compliance.
• Privacy by Design Strategy Workshop: The GigyaWorks Global Services team will
work onsite with clients’ legal and business teams to define which customer identity
management best practices and strategies are required to meet GDPR compliance in
advance of implementation.
16. 16
• Privacy by Design Blueprint: Based on the outcome of the Self Assessment and the
Privacy Strategy Workshop, a “Privacy by Design Blueprint” will be produced by the
Gigya Global Services team as a central guide for implementation.
• Privacy by Design Implementation: Driven by the Privacy by Design Blueprint, the
delivery and services teams will help to implement the required features to ensure a
GDPR compliant customer identity management implementation.
• Privacy by Design Quality Assurance Review: Following implementation, the
GigyaWorks Global Services Team will perform a quality assurance review to verify that
all requirements have been implemented using best practices.
Don’t fight your way through this challenging phase on your own. Let Gigya help you build a
brighter future for your business through customer identity!
To learn more about the Gigya Privacy by Design program, download our data sheet.
In Conclusion
While no one can say for certain what full impact and influence the GDPR will have once it
takes effect, it’s safe to say the future of digital business will look quite different than it does
today. After all, the EU Commission is trying to reflect the will of consumers in this sweeping
regulation and, ultimately, it’s consumers who should decide if, when and how their personal
information is collected by businesses and used to drive revenue.
Our platform, implementation methodology and approach is built on privacy by design
principles. Our goal with each rollout of our enterprise-class platform is to create flexible,
scalable and secure customer identity solutions for our clients. We want to enable them to
use Gigya’s CIAM platform features and functionality to help address GDPR requirements
while providing transparent and seamless experiences to their customers, to build lasting
trust that pays off in lifelong brand loyalty.
We created this executive summary to show you how Gigya’s CIAM platform can help you
address GDPR requirements. We want you to know that when it comes to meeting these
new requirements for collecting and managing customers’ personal data, Gigya is here to
help. We can act as your customer identity management advisors as you begin your journey
toward GDPR compliance — from planning, to implementation, to ongoing strategy for every
new deployment in your future.1
To learn more about the Gigya’s Customer Identity Management platform, visit www.gigya.com.
* Disclaimer
The material contained in this document is for general information purposes only and does not constitute legal or other
professional advice. Specific legal advice should be sought on any particular matter including but not limited to GDPR. Any
and all information is subject to change without notice. No liability whatsoever is accepted by Gigya, Inc. for any action taken
in reliance on the information in this document.