Helping Business Partners navigate The General Data Protection Regulation (GDPR) in the EU
The General Data Protection Regulation (GDPR) strengthens the rights of EU data subjects and imposes new obligations on every organization that processes their personal data. As channel sales leader for Worldwide Information Integration and Governance at IBM, I have the pleasure of working with our Business Partners to address some of these challenges. Their solutions shorten time to market for our clients as they race to meet the GDPR deadline. Ævatar.coop, a Paris-based Social Benefit Corporation, is one of our key Business Partners, and it provides a distinctive solution in this complex regulatory environment.
Data privacy management shapes how people behave online. Recent polls and surveys show how much people, whether employees, consumers or citizens, care about the protection of their personal data. In France, a survey conducted last month found that 83 percent of French citizens are "concerned" about data privacy, and 62 percent believe they are less protected than they were 10 years ago.
In this context, the GDPR, which takes effect next year, and in particular its "privacy by design" requirement, is a clear call to action for strengthening the confidence that people and organizations place in their data processors, in both the private and public sectors. That said, complying with GDPR requirements will, by itself, probably not give first-to-market organizations a competitive advantage, especially given how demanding it is to roll out multifactor authentication (MFA) as the standard way of controlling identity and access to personal data.
Addressing the new Identity and Access Management (IAM) challenge
To address this new Identity and Access Management (IAM) challenge and meet GDPR requirements, large organizations that process high volumes of personal data may want to consider solutions like Ævatar's. Interoperating with leading personal data processing environments and leveraging IBM solutions for data discovery and classification such as Information Analyzer and StoredIQ, the Ævatar solution suite appears, as of now, to be unique in combining IAM client and server components that are designed from the outset to support GDPR compliance. Note that compliance is ultimately a property of the organization's processing activities, not of any single product; a solution like this supports compliance rather than conferring it.
What is “MyÆvatar”?
At the client/user level, a mobile ID wallet app called "MyÆvatar" lets individuals enroll, in self-service fashion, a variety of public or private credentials. These include, among others, state-issued IDs, a driver's license, one or more banking cards, a corporate badge for secure physical access, and a selfie or other biometric identifiers used for match-on-card (MoC) identification and MFA-protected remote access sessions. Following enrollment, the ID credentials are securely provisioned by their owners to registered trusted third parties (TTPs). The TTP cross-checks the credentials and returns them to the owner with a certified endorsement of the owner's self-sovereign ID, also known as their "ævatar."
At the server and security layer, the Ævatar solution includes an API that interoperates with market-standard IAM and privacy data management back-end environments, including IBM Identity Governance and Intelligence. The goal is to streamline the process, in the most convenient, cost-efficient and trustworthy manner, for users requesting access to their own personal data. The API connects to the organization's back-end data privacy management capabilities, which include, among others, strong user authentication, user consent management, data portability and the right to erasure (the "right to be forgotten"), together with the secure provisioning and hosting of SaaS-managed storage for end-user personal data.
As a result, Ævatar's solution offers distinctive benefits. Provisioned to end users on either a push or a pull basis, the Ævatar ID wallet securely links an end user's ID credentials into a chain, which is what next-generation, MFA-enabled "privacy by design" systems, applications and services require. "Looking forward, ævatars may smoothly replace both our legacy passwords and the MFA tokens used today for remote access to eCorp, eBanking or eGov resources," says David Robert, co-founder and CEO of Ævatar.coop. Beyond its privacy-by-design approach to GDPR, Ævatar offers a low total cost of ownership (TCO) per "ævatar" enrollment (some may call it a "GDPR user ID"), a factor that should be assessed carefully when organizations select solutions that must scale to very large GDPR user populations.
The GDPR, as we all know, is a complex regulation. Leveraging solutions like Ævatar's (@MyAEvatar) will allow our clients to adopt, faster and in a more automated way, the set of capabilities required to become a GDPR-compliant organization. Let me know what you think in the comments below.
Worldwide Business Partner Sales Leader
Information Integration and Governance
Special thanks to Frederic Engel, GDPR consultant and innovative solutions strategist for Ævatar, who helped co-author this blog.