Ready or not, here comes GDPR July 28, 2017 by Sven Dummer consent management, customer identity management, GDPR How to tell if your identity management is ready for the new data protection regulations Businesses across the globe have gravitated toward customer identity management solutions to drive their customer engagement efforts to new heights. Customer identity management solutions handle all things related to the creation and management of customer accounts and the associated personal data. It promises to improve customer experience across various touch points and provide new opportunities to enhance brand outreach. Personal data allows for better business intelligence, more targeted offerings and, maybe most importantly, personalized marketing. Now change is coming to customer identity landscape. Whether marketers are fully aware of it or not, the European Union’s General Data Protection Regulation (GDPR) is poised to completely shake up consumer data collection and usage standards in 2018, and it applies to any company that does business with EU residents, even if the company and their servers are located elsewhere. With their direct access to consumers’ personally identifiable information (PII), CIAM systems lie at the very center of GDPR compliance. If you currently have or are considering investing in a CIAM solution, GDPR-readiness should be at the top of your list of must-have capabilities. How GDPR could upend 2018 marketing plans When GDPR goes into effect on May 25, 2018, any organization that hasn’t thoroughly vetted their CIAM tools could be in for a rude awakening. GDPR will require a number of changes to data management and usage practices, and perhaps the most intrusive ones involve customer consent. GDPR will attempt to remove any ambiguity in obtaining approval to collect and leverage personal data from customers, mandating companies to create explicit consent forms that require active customer opt-in. Not only that, but companies must have a clearly defined purpose for collecting any data from their customers, which they must sign off on. Enterprises will no longer be able to gather information with a vague objective in mind. Everything will have its specific place. This means that you can no longer collect customer profile data “on the side”, solely for marketing purposes without explicit permission. If the specific service you are offering doesn’t require, say, the job title, gender or age of the customer, but you are collecting that information only to be able to personalize your marketing campaigns or do lead scoring, you’d have to inform the customer about that purpose and get their explicit consent. That’s quite a change to today’s common practices. Just think about how many lead generation campaigns use landing pages asking for personal data before prospects can download a whitepaper — and how many of these pages collect far more data than what is needed for that purpose. The penalties for violation will rank as some of the most severe of any data management regulation in any country or industry. Think HIPAA’s maximum $1.5 million fine is bad? Wait until companies get hit with GDPR penalties totaling as much as $23 million or 4 percent of their annual global turnover. Breaking down GDPR-readiness needs With so many odds and ends to account for with GDPR compliance, businesses may be at a loss of what to look for when evaluating CIAM tools on the market. Key areas to consider include: Consent management: The GDPR has strict requirements for obtaining approval from users before obtaining and processing their personal data, and users need to be enabled to view, revisit, and change their approvals at any point in time. Does the CIAM solution have the capabilities to not only satisfy these requirements, but can it also do that in a way that won’t negatively impact the user experience? You don’t want the additional approval processes to negatively impact metrics like sign-up rates, online purchases, customer loyalty, etc. Due to the integral role consent plays in GDPR compliance, this should be a focal point of your CIAM evaluation. A solution that offers customizable consent forms with clear and concise directions and language is ideal here. These forms should be contextual in nature, allowing businesses to quickly produce them when a situation arises calling for additional consumer approval. CIAM solutions should also support comprehensive consent record keeping to produce documentation in the event of an audit. You can find information about how Janrain addresses these requirements here. Data access, deletion and erasure: In Article 17, GDPR basically implements the right to be forgotten. On request, enterprises must be able to completely remove a customer’s data from all their systems. Without comprehensive data access control mechanisms, however, this aspect of GDPR can be difficult to adhere to. Customer data is typically distributed across multiple systems and databases, for example in CRMs like Salesforce, Oracle Sales Cloud or HubSpot, and marketing automation systems like Marketo, Act-On, or Adobe Campaign. A CIAM solution needs to be able to integrate with these systems in order to support the non-trivial task of controlling data across your entire business technology stack. Data security and record access controls: Under Article 32, GDPR requires organizations to “implement appropriate technical and organizational measures” taking into account “the state of the art”, and — among other things — demands a “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” It is a good idea to ask your CIAM vendor what their security measures are and how they can make these transparent for GDPR compliance purposes, for example through independent 3rd party security certifications and audits. Business continuity and disaster recovery (BCDR): While the GDPR does not call this out specifically, it does require “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident” (Article 32). In practice, this means that your CIAM vendor needs to have a solid plan and strategy in place on how to quickly recover data and functionality in the case of an event that causes system failures. Needless to say, this should be a must-have on your CIAM checklist independently from GDPR simply because it will hurt your business if your CIAM solution is down and prevents your customers from engaging with your sites and services. This list is far from complete, but using it as a beginning framework, companies can take a deeper dive into identity management feature capabilities to determine how it can help you get GDPR compliant. One aspect to keep an eye on is how easy and cost-efficient it is to comply with GDPR standards with a given CIAM platform. The CIAM platform is not the end all be all for GDPR but it helps! If your current identity solution is technically capable of complying with GDPR, but requires a lot of internal legwork to execute and drives up implementation cost and total cost of ownership (TCO), it might be better to go with a better equipped vendor. If your organization is currently running or planning to run an inhouse-built CIAM solution, the TCO aspect is well worth revisiting as well. Getting ready for GDPR is a challenging task, and May 25, 2018 is a fast approaching deadline. Keep in mind that there is a significant benefit to achieving this level of responsiveness and responsibility for handling your customers’ personal data: it is an opportunity to strengthen your brand image with consumers — in particular with those who are hesitant to hand over personal data. By showing your commitment to data privacy and solid and secure data management, and by giving consumers control over their data you can present your brand in a better light and establish more credibility with your customers. This will also lead to better and more reliable data. Once people can put more trust in companies their urge to use fake accounts and made-up data will clearly decrease. We’ve just scratched the surface of absolutely necessary compliance capabilities, and there are plenty more to consider when reviewing your CIAM options. GDPR may seem complex, but your CIAM solution doesn’t have to be. For more information on what to look for in a CIAM platform and guidance on preparing for GDPR, please feel free to reach out to one of our compliance experts.