Consumer Identity and Access Management – Market View
Derek Gordon
PwC UK
Identity and Access Management, Cyber Security Director
www.pwc.com
Building a secure digital society.
PwC │ 2
Introduction
• Overview of challenges faced by Clients/Consumers
• CIAM - GDPR
• CIAM – PSD2
Clients facing many demands
Industry Regulations
Digital Transformation
Digital Trust
Cyber Threats
Resources
Competition
What consumers want from digital services…
Seamless Registration
Omni-Channel Delivery
Positive User Experience
Secure
Personal
Convenient
Example: GDPR
The regulation aims at getting people in control over their own personal data by extending their rights, and by reshaping the way organisations approach data privacy
• Where is that personal data stored?
• How to get a single view on that data subject and his or her personal data?
• User control – Consent Management?
Example: GDPR
Consent Management
Article 7 - If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
The data subject shall have the right to withdraw his or her consent at any time.
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
Example: GDPR
Without CIAM
Scenario: 34-year-old Robert is a customer of The Digital Trust Bank.
1. Headline: "Digital Trust Bank starts monetising personal data". Robert: "Oh, wait! Does this include my data?"
2. Robert reviews the website and has to call customer services (Tel: +1 111 111 1111).
3. [Customer Service] "Robert, please perform the validation process. Zip Code: **** ****, 2nd character: &, 4th character: $" ... "Thank you! How can I help today?"
4. Robert: "Can you please provide me with all data you hold on your systems?"
5. [Customer Service] "Of course, can you please submit a written request or email." ... "Thanks. We will be in touch within 30 days."
6. [Compliance] The compliance officer contacts each bank division for information.
7. [Compliance] Each division sends its information. Two letters are sent to Robert, one to his parents' house and one delivered to his old address.
Outcome: confidence crisis.
Example: GDPR
With CIAM
Scenario: 34-year-old Robert is a customer of The Digital Trust Bank.
1. Headline: "Digital Trust Bank starts monetising personal data". Robert: "Oh, wait! Does this include my data?"
2. Robert uses the app to authenticate ("Authentication Successful!").
3. Francis can view all information, available for each product (Savings, Mortgage, Credit Card): purpose, third-party consent, retention period, etc.
4. In the app, Robert: "I'd like to stop receiving savings product marketing."
5. Robert recently moved into a new house; he can update his details himself (Profile > New Address).
6. Robert wants an electronic snapshot of his data (Data Snapshot > Save).
7. Robert shares his positive experience with his friends and family, and has just signed up for a new savings product.
Outcome: confident and in control.
App screens shown: navigation Profile / Services / My Money / Logout; products Savings, Mortgage, Credit Card.
Example: GDPR
Why CIAM?
Identity Centricity
• Provides a single view of identity, highlighting all systems where the identity metadata is stored.
• Self-service and update requests.
• It could be leveraged to provide power of attorney/delegation.
Automation
It can deliver efficiencies with:
• Provisioning based on consent being provided.
• De-provisioning based on consent being withdrawn.
Consent Management and Governance
It can provide:
• Evidence to demonstrate that the data subject has consented to processing of his or her personal data.
• A consent management platform.
• It could be leveraged for future re-validation (certification of consent).
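The consent-management capabilities listed on this slide (evidence of consent, withdrawal that is as easy as giving consent, provisioning and de-provisioning driven by consent state) map onto a small, append-only consent ledger. The following is an added example written for this page; it is not code from the PwC deck or from any CIAM product. The ConsentLedger class, the purpose and system names, the SHA-256 hash of the consent notice and the sample timeline for "Robert" are all assumptions constructed for illustration.

```python
"""
Consent ledger illustrating the Article 7 properties quoted earlier: consent is
recorded per purpose with evidence of what was agreed, it can be withdrawn at
any time, withdrawal does not retroactively affect earlier processing, and the
controller can produce a record demonstrating consent. Downstream systems are
provisioned and de-provisioned by recomputing the purposes active right now,
instead of a compliance officer chasing each division by hand.

Added example, not code from the PwC deck or any product. Class, purpose and
system names, the notice hash and the sample events are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str                  # e.g. "savings_marketing"
    given: bool                   # True = consent given, False = consent withdrawn
    at: datetime                  # timezone-aware time of the action
    channel: str                  # where it happened, e.g. "mobile_app"
    notice_sha256: Optional[str]  # hash of the consent text shown (None for withdrawals)


class ConsentLedger:
    """Append-only log: events are never edited or deleted, so the log is the evidence."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def give(self, subject_id: str, purpose: str, notice_text: str,
             at: datetime, channel: str) -> None:
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        self._events.append(ConsentEvent(subject_id, purpose, True, at, channel, digest))

    def withdraw(self, subject_id: str, purpose: str, at: datetime, channel: str) -> None:
        # Withdrawing is one call with no extra declaration, i.e. as easy as giving.
        self._events.append(ConsentEvent(subject_id, purpose, False, at, channel, None))

    def state_at(self, subject_id: str, purpose: str, when: datetime) -> Optional[ConsentEvent]:
        """Latest event for this subject and purpose at or before `when`, or None."""
        latest = None
        for ev in sorted(self._events, key=lambda e: e.at):
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= when:
                latest = ev
        return latest

    def may_process(self, subject_id: str, purpose: str, when: datetime) -> bool:
        """Lawful at `when`? Processing done while consent was in force stays lawful
        after a later withdrawal, because the check is made against the time asked."""
        ev = self.state_at(subject_id, purpose, when)
        return ev is not None and ev.given

    def active_purposes(self, subject_id: str, when: datetime) -> Set[str]:
        purposes = {e.purpose for e in self._events if e.subject_id == subject_id}
        return {p for p in purposes if self.may_process(subject_id, p, when)}

    def evidence(self, subject_id: str) -> List[Dict[str, object]]:
        """Chronological record the controller can show to demonstrate consent."""
        return [
            {"purpose": e.purpose, "action": "given" if e.given else "withdrawn",
             "at": e.at.isoformat(), "channel": e.channel, "notice_sha256": e.notice_sha256}
            for e in sorted(self._events, key=lambda e: e.at) if e.subject_id == subject_id
        ]


# Hypothetical mapping from consent purpose to the downstream system it provisions.
SYSTEMS_BY_PURPOSE = {"savings_marketing": "campaign_tool", "third_party_sharing": "partner_feed"}


def provision_for(ledger: ConsentLedger, subject_id: str, when: datetime) -> Set[str]:
    """Systems the subject should exist in at `when`; anything else is de-provisioned.
    Recomputing from the ledger makes de-provisioning on withdrawal automatic."""
    return {SYSTEMS_BY_PURPOSE[p] for p in ledger.active_purposes(subject_id, when)
            if p in SYSTEMS_BY_PURPOSE}


# Constructed sample timeline for "Robert" (not real data).
T_GIVEN = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
T_WITHDRAWN = datetime(2018, 6, 10, 14, 30, tzinfo=timezone.utc)
T_BEFORE = datetime(2018, 6, 1, tzinfo=timezone.utc)
T_AFTER = datetime(2018, 6, 11, tzinfo=timezone.utc)
NOTICE_MARKETING = "We will send you savings product offers. You can opt out at any time."
NOTICE_SHARING = "We will share your contact details with named partners. You can opt out at any time."


def build_sample_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.give("robert", "savings_marketing", NOTICE_MARKETING, T_GIVEN, "mobile_app")
    ledger.give("robert", "third_party_sharing", NOTICE_SHARING, T_GIVEN, "mobile_app")
    # Robert taps "stop receiving savings product marketing" in the app.
    ledger.withdraw("robert", "savings_marketing", T_WITHDRAWN, "mobile_app")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("before withdrawal:", sorted(provision_for(ledger, "robert", T_BEFORE)))
    print("after withdrawal: ", sorted(provision_for(ledger, "robert", T_AFTER)))
    for row in ledger.evidence("robert"):
        print(row)
```

Two design points matter for the "evidence" requirement: the ledger is append-only, so the withdrawal is recorded as a new event rather than by deleting the grant, and each grant carries a hash of the exact notice text shown, which is what lets the controller later show what the data subject agreed to. A real deployment would also sign or externally anchor the log, which this example does not do.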
Example: PSD2
Banks recognise that they are now more like technology companies.
Features and capabilities are attracting customers
https://www.youtube.com/watch?v=HXGk7pqR6lA
Example: PSD2/Open Banking
PSD2 is just the latest of a series of interventions made by the European legislator in the area of payment services: the aim is to continue the development of an integrated single market by standardizing the rules of Payment Services Providers (PSP) and the new market players (today unregulated), helping to strengthen the security of the system and ensuring a high level of competition and transparency towards consumers.
Feedback, questions, collaboration
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.