Consumer Identity and Access Management – Market ViewDerek Gordon

PwC UK

Identity and Access Management, Cyber Security Director

www.pwc.com

Building a secure digital society.

PwC │ 2

Introduction

• Overview of challenges faced by Clients/Consumers

• CIAM - GDPR

• CIAM – PSD2

PwC │ 3

Clients facing many demands

Industry Regulations

Digital Transformation

DigitalTrust

Cyber Threats

Resources

Competition

PwC │ 4

What consumers want from digital services…

SeamlessRegistration

Omni-ChannelDelivery

Positive UserExperience

Secure

Personal

Convenient

PwC │ 5

Example: GDPR

The regulation aims at getting people in control over their own personal data by extending their rights, and by reshaping the way organisations approach data privacy

• Where is that personal data stored?

• How to get a single view on that data subject and his or her personal data?

• User control – Consent Management?

PwC │ 6

Example: GDPR

Consent Management

Article 7 - If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

The data subject shall have the right to withdraw his or her consent at any time.

The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

When assessing whether consent is freely given, utmost account shall be taken of whether, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessaryfor the performance of that contract.

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

PwC │ 7

Example: GDPR

Without CIAM

34 year old Robert, is a customer of The Digital Trust Bank

Robert reviews the website and has to call customer services

Compliance officer contacts each bank division for info.

Each division sends info. Two letters are sent to Robert, one to the parents’house and is delivered at his old address

Confidence Crisis

The Digital Trust Bank

HEADLINEDigital Trust Bank starts monetising personal data

Oh, wait! Does this include

my data? The Digital Trust Bank

Tel: +1 111 111 1111Customer Services

Robert, pleaseperform the

validation process

Zip Code: **** ****, 2nd

character: &, 4th character: $

Thank You! How can I

help today?

Can you please provide me with all data you hold on

your systems

Of course, can you please submit a

written request oremail.

Thanks. We will be in-touch with in 30 days.

Customer Service Compliance

PwC │ 8

Example: GDPR

With CIAM

34 year old Robert, is a customer of The Digital Trust Bank

Robert uses the app to authenticate

Francis can view all information

• Purpose• Third parties consent• Retention period• etcAvailable for each product

Confident and in control

Robert, recently moved into a new house. He can update his details.

Robert, wants an Electronic snapshotof his data.

Robert, shares his positive experience with his friends and family, and has just sign-up for a new savings product.

The Digital Trust Bank

HEADLINEDigital Trust Bank starts monetising personal data

Oh, wait! Does this include

my data?

The Digital Trust Bank

Authentication Successful!

Profile Services My Money Logout

The Digital Trust Bank

SavingsMortgageCredit Card

Profile Services My Money Logout

~~~~~~~~

I’d like to stop receiving saving

product marketing

The Digital Trust Bank

Profile Services My Money Logout

~~~~~~~~

SavingsMortgageCredit Card

The Digital Trust Bank

Profile Services My Money Logout

~~~~~~~~

ProfileNew Address

The Digital Trust Bank

Profile Services My Money Logout

~~~~~~~~

Data Snapshot

Print

Save

PwC │ 9

Example: GDPR

Why CIAM?

• Provides a single view of identity, highlighting all systems where the identity meta-data is stored.

• Self-Serivce and update requests.• It could be leveraged to provide power of attorney/delegation.

It can deliver efficient with:• Provisioning based on consent being provided• De-provisioning based on consent being withdrawn.

It can provide:• Evidence to demonstrate that the data subject has consented to processing of his or

her personal data.• Consent Management platform• It could be leveraged for future re-validation (certification of consent).

Identity Centricity

Automation

Consent Mgmt and Governance

PwC │ 10

Example: PSD2

Banks recognise that they are now more like technology companies.

Features and capabilities are attracting customers

https://www.youtube.com/watch?v=HXGk7pqR6lA

PwC │ 11

Example: PSD2/Open Banking

PSD2 is just the latest of a series of interventions made by the European legislator in the area of payment services: the aim is to continue the development of an integrated single market by standardizing the rules of Payment Services Providers (PSP) and the new market players (today unregulated), helping to strengthen the security of the system and ensuring a high level of competition and transparency towards consumers.

PwC │ 12

Feedback, questions, collaboration

derek.gordon@pwc.com

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.