May The Forces be With You: Using IPaaS for IAM and GDPR
The General Data Protection Directive GDPR which comes into force on May 25, 2018, may well be the most written about directive ever. There is a reason for this. It is complicated, involves data, and it cuts across country boundaries like Attila the Hun could never achieve.
I recently did a webinar on GDPR, hoping to help demystify some of its ideology, especially around data. A number of questions came in on the matter, and it was clear that the requirements of the GDPR are not only nuanced but unclear. One area that seemed to carry across as a theme was Cloud data storage and all that entails, especially around data portability. This seems a sensible place to focus GDPR attentions on, as it is, after all, about the processing of personal data.
So as 2018 approaches, we move into the new year as the planets are aligning, finding that:
- Cloud computing has crossed the chasm and is becoming ubiquitous, but we still have on-premise needs.
- Identity and Access Management IAM) is rapidly taking on a new acronym in the form of CIAM or customer IAM and with it the type of scalability only achievable using Cloud architectures and API-based identity services.
- The GDPR is forcing us to take actions in the way we process all the personal data we collect when we utilize identity-based data systems.
This collective positioning of forces, means we have to use smarter methods of handling data within modern API-based Cloud infrastructures. The new methodology of Integration Platform as a Service (IPaaS) may hold the key.
Where IPaaS Can Help with Data Subject Rights
Data portability and erasure are areas that cause a lot of concern amongst companies managing GDPR compliance. Article 20 of the directive has this to say on data portability:
“data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible”
And on erasure, Article 17 states:
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”
(note there are exemptions to this onerous rule)
The point of “technically feasible” seems to be the sticking point with those trying to meet GDPR compliance. Many folks are understandably asking, “how am I supposed to cut across potentially multiple data processing systems, across multiple global jurisdictions, find all the data relating to this individual, and then transmit it, in a readable form, to some third party system or erase it altogether?”
It gets even messier when an individual has multiple names, or changes gender, uses nicknames, changed surnames, etc. The world is becoming an increasingly complex place, especially where individuals and the data that represents them is concerned.
Sure, you could do data transfer manually. Find the data, transform the data, erase the data, all by hand. It isn’t the best use of a human beings time. But, what about companies who service global clients, both EU citizens and non-EU citizens. It all gets really messy when you throw GDPR requirements into the mix.
What we need is a technology that can handle data integration and orchestration across disparate systems, whilst being flexible enough to offer data isolation when needed; enter stage left, IPaaS.
Integration Platform as a Service or IPaaS is an evolution of the data warehousing methodology ‘extract, transform, load’ or ETL. It is particularly useful for setting up policies and rules to orchestrate data across disparate systems and services both internally and B2B. It is also used to connect APIs within microservices, so is applicable to management and security of API-based CIAM systems. It is also enabled for IoT devices, so personal data generated from Internet-enabled systems can be managed too. The use of IPaaS to orchestrate data across multiple systems can be really useful with personal and identity data that changes and updates – especially when you allow the customer to have direct access to their data – again, another GDPR requirement.
IPaaS is an emerging technical solution to a long-term problem. It has the potential to let you build ‘data protection by design,’ but to also help to comply with some of the more complex of GDPR requirements, such as data portability. As more organizations start to utilize smarter data management systems, we are hopefully going to see requirements like data portability become simpler to enact.