Industry voice: The EU’s new General Data Protection Regulation profoundly changes how public sector organisations must handle citizen data, says ForgeRock’s Nick Caley. And the response revolves around identity.
Whilst the potential for stiff fines for non-compliance with the General Data Protection Regulation (GDPR) and for data breaches has been hitting the headlines recently, the big shift in thinking for GDPR is going to be around people having more power over their personal data. This will change public expectations and create some big challenges for public sector organisations holding and working with data.
The regulation is set to come into force next May and will give individuals extensive new rights. Some are already in place under the UK Data Protection Act, but GDPR will raise the bar in giving them rights to be informed, to access the data, rectify it, erase it, restrict its processing, object to its use and know how it is used in automated decision making and profiling.
Organisations will have to be able to respond to requests from citizens about their data in the shorter timeframe of 30 days. The previous fee of £10 for a Subject Access Request is now waived completely, so individuals are free to make requests. Organisations will need to associate, collate and report on a wide range of data about people. They will need to show exactly how it is being processed and shared, both internally and externally. A unique citizen identity lies at the heart of the response to GDPR – it is the start and the end point of making the necessary transparency possible.
Identity as a key
The key elements of personal data are the attributes that can validate an individual to receive a specific service. These are often basic details such as name, date of birth, address and National Insurance number; but for different contexts they can expand into other features, such as marital status, passport, bank accounts, medical records and even a smartphone number or IP address.
Managing these is a challenge in itself and one with which the public sector has struggled. Even within organisations the data silos run deep. There are difficulties in unifying data from legacy systems, ensuring that it applies to the same individual, and providing the controls to ensure that sensitive information – attributes that could be used in fraud or would cause distress to the individual – is kept secure.
But no ifs, no buts, the GDPR will demand that organisations are able to pull these attributes together, align them with a single view of the citizen, and make those details available to the individual on request.
This in itself poses a significant resource issue. The introduction of the Freedom of Information Act drove a deluge of requests for information from public bodies and many struggled to cope. Will your organisation be ready and able to cope with multiple demands for data disclosure from citizens next May?
The signs are that many will struggle. Following a recent historical case, one London council was faced with a deluge of subject access requests – it subsequently outsourced 145 of these in a £370,000 contract as it was unable to handle the requests internally.
No business as usual with GDPR
This new dynamic around personal data is highlighted by ForgeRock VP for Innovation and Emerging Technology, Eve Maler – a speaker at a forthcoming London event, Identity Live – who insists that, “There is no ‘business as usual’ when it comes to data post GDPR.”
“However, it provides us with the opportunity to raise our standards when it comes to transparency and enables us to put control of their data into the hands of citizens, which will provide the foundation stone for trusted relationships in a digital age.”
Fabric to weave a response
Organisations will need to have the right underlying technology in place to manage the many strands of GDPR compliance. This is where ForgeRock can provide the fabric to make it possible.
Most importantly for the GDPR, its technology provides the citizen with a dashboard on which they can view their data, where it is held and how it is being used. Built on Privacy by Design principles, ForgeRock supports open standards and industry protocols such as User-Managed Access (UMA), which gives an individual a single control point for authorising who and what can get access to multiple sources of digital data, content and services. For organisations, it will help users who wish to exercise their rights to rectify data, erase it, restrict its processing and authorise its transfer to another organisation.
The ForgeRock Identity Platform can help ensure the appropriate personal data is stored in the appropriate location and only replicated or distributed when necessary. It can also ensure that sensitive data is encrypted when written to disk, to ensure that it is kept safe.
An individual’s personal data may well be stored across multiple servers and locations within an organisation, often dictated by existing legacy technology, and these disparate locations need to be maintained and kept consistent across the entire organisation.
ForgeRock provides an organisation with a single point to view and manage customer data across all of their systems. This makes it possible for users to self-serve, to move between services with a single sign-on, with interfaces that can work with different types of authentication depending on the nature of the service.
Secure to the core
It extends beyond the regular log-ins to the use of biometrics – ForgeRock is working with around 20 partners in the field – and attributes related to a location or device; a feature that is growing in importance as people become more comfortable wearing and carrying connected devices. It also supports the shift to using cloud services, data centres and third party systems in a hybrid environment – an approach that many public authorities are now taking.
ForgeRock’s technology can be scaled up to manage millions of identities and meet the demands of the GDPR while supporting the shift to secure and private self-service through digital channels.
This supports the prime purpose of the regulation in giving people more power over their personal data, and in a way that both reduces the burden on the organisation and lays the ground for long term compliance. It is about recognising the rights of the individual while fulfilling the need for good governance and efficiency inside the organisation.
UPDATE: Nick Caley will be joining UKAuthority publisher, Helen Olsen Bedford and guests for a UKA Live webcast: Identity, Consent & GDPR on 10th November at 11:00, featuring:
- Dawn Monaghan, Head of Data Sharing and Privacy (NHS England), Head of Strategic IG (NHS Digital) and Director Information Governance Alliance
- Ian Litton, now an Independent Consultant with Positive Attributes, led the discovery, alpha, and private beta of the Blue Badge collaboration between Warwickshire County Council, GDS and DWP - the first use of GOV.UK Verify outside of central government.
Image by Chelsea Lynn Winter, CC BY 2.0 through flickr