Wimsheim 22.05.2019

Companies often discuss the EU GDPR in terms of restrictions on their freedom of action and of liability risk.

As is made clear once again in the “Orientierungshilfe der Aufsichtsbehörden zur Verarbeitung von personenbezogenen Daten für Zwecke der Direktwerbung unter Geltung der Datenschutz-Grundverordnung (DS-GVO)” (Guidance of the supervisory authorities on the processing of personal data for direct marketing purposes under the General Data Protection Regulation (GDPR)), advertising, whether in postal, telephone or digital form, is always subject to the consent of consumers.

An important note for companies is given here: “If personal data are collected directly from the data subject, e.g. for purchase and service contracts, brochure requirements or lotteries, the data subject must be informed comprehensively of the purposes of processing the data in accordance with Art. 13 (1) and (2) of the regulation. Any already planned or possible processing or use of the data for direct marketing purposes must, therefore, be transparently explained to the data subject from the very start”.

Collecting customer data with the support of modern Big Data technology, in a way that gives the customer the greatest possible transparency and security, is also an opportunity for companies to make their own processes more secure, more communicative and more productive. This opportunity is often overlooked by companies.

In particular, mid-sized companies that meet the legal requirements with a significantly improved user experience can secure competitive advantages. The capture, management, and communication of the “digital identity” of customers, partners, dealers, and employees play a key role in this. A centralized data protection and security policy through a modern user administration and digital consent management in the company is, therefore, a must.

On the one hand, the digital identity gives companies the opportunity to offer personalized services to customers or merchants; on the other hand, it allows personal data to be protected and managed in a customer-friendly way.

An appropriate Customer Identity and Access Management (CIAM) software solution facilitates communication with customers, companies and machines across all devices and simultaneously conforms to GDPR and, if necessary, to the requirements of the Payment Services Directive (PSD2).

The core of the EU-GDPR is that a user must be identifiable and must be able to give consent to the use of his data and revoke it at any time. Compliance with the new data protection regulation, which requires that personal data be factually correct and, if necessary, kept up to date in accordance with Art. 5 para. 1 d), can be implemented quickly and lawfully with a CIAM system such as cidaas, since the customer can manage his data directly via a user self-service function. Through simple user management, customer profiles can also be deleted easily, if necessary directly by the customer himself via self-service, which satisfies the right to deletion (Art. 13 EU-GDPR).

This secure and personalised customer interaction is relevant to a wide range of industries:

  • Banks and insurance companies
  • E-commerce
  • Healthcare sector
  • Education
  • Public administrations
  • Industry 4.0

The security of the data and the authentication of the identity are therefore essential.

This applies to the real world as well as the digital one. Authentication means logging on to a system, whether digitally (for example to a bank account, online shop or employee portal) or physically (to business premises); in both cases the identity of the user is determined and verified. In the digital world in particular, passwordless authentication is becoming more and more important. An identity is the unique identifier of a person, organization, resource or service. A modern Customer Identity and Access Management (CIAM) software based on Big Data technology not only manages the data, but also provides the corresponding authentication tools and enables, for example, the assignment of roles and access privileges for employee administration.

Even when it comes to protecting access to online shops, so-called “strong authentication” must be ensured. The EU General Data Protection Regulation (EU-GDPR) does not directly prohibit authentication with user name and password. However, it explicitly demands that personal data be protected from unauthorized access. At the same time, user-friendliness is becoming more and more important.

Multi-factor authentication ensures a high level of security through user profiling and biometric factors, as required by Art. 32 of the EU-GDPR.

Various methods can be used and combined for identification and authentication, specifically:

  • Facial recognition: Identifies users with an advanced biometric method based on facial features
  • Speech recognition: Identification via voice
  • TouchID, FaceID, Android Fingerprint: Native methods of the end devices
  • Pattern: Identification via a pattern drawn by the user
  • Push notification: Identification via confirmation only on the device used
  • TOTP: A unique, one-time code used for identification purposes
  • Back-up code: For the case that a user does not have his mobile phone at hand
  • FIDO U2F: USB-based security technology
  • Email
  • SMS
  • IVR: Verification codes by voice call

Two-factor authentication (2FA), for example fingerprint or face recognition combined with a password, offers the required “strong security”. If, in addition, strong predictive factors and big data analysis identify users with a high degree of certainty and built-in tools stop fraudulent attempts or suspicious activity, data protection requirements are sufficiently met.

CIAM requirements

A Customer Identity and Access Management (CIAM) software solution can be easily deployed for mid-sized companies. When deciding on a tool, various points should be considered:

  • Scalability, so that the software can be adapted effortlessly as the business develops.
  • Cloud software hosted on German servers, for GDPR compliance and rapid automated updates.
  • Standards such as OAuth2 and OpenID with Social Login or Single Sign-On should also be part of the product scope.
  • Usable in the digital world as well as in the real world, so that one comprehensive system is in place, since data fraud is often also committed by coworkers.
  • Easy integration into the existing security and CRM architecture.