GDPR – General Data Protection Regulation

GDPR aims to protect all EU citizens from privacy and data breaches. It replaced the Data Protection Regulation (adopted in 1995) on 25 May 2018 after a two-year transition period. The core assumption of the regulation is that the user is the owner of his personal data and has full control over it during the whole period of data processing.

Types of data under GDPR regulation:

  1. Identity information (name, address, id numbers)
  2. Web data (location, ip address, cookie data, RFID tags)
  3. Health and genetic data
  4. Biometric data
  5. Racial or ethnic data
  6. Political opinions
  7. Sexual orientation

GDPR – Key changes

INCREASED TERRITORIAL SCOPE – GDPR will apply to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.

PENALTIES – It is clearly stated that a company not following the regulation “can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)”. GDPR also lists many circumstances in which fines can apply, such as not notifying about a data breach within the given time frame.

LAWFULNESS OF PROCESSING – In other words, if you do not have a legal reason to process personal information, you need to acquire the owner's consent to do so. Remember that storing data is a special case of processing as well.

PRIVACY BY DESIGN – In the GDPR world, data privacy is a fundamental notion that needs to be considered from the design stage of any data processing entity/system. Moreover, you need to understand that the user is the owner of the data that you may be processing.


As per GDPR, in order to process personal data one needs to have a lawful reason for processing. These may be:

  • Consent
  • Contract
  • Legal obligation
  • Vital interest
  • Public task
  • Legitimate interests

In practice this means that in order to store and process personal information one needs to have at least the data subject's consent for this. Moreover, GDPR defines precisely what characteristics a consent should have. Because of that we have built a sophisticated Consent Management Module (CMM) which covers and exceeds GDPR requirements.

Please find the highlights below:


Needs to be clear and distinguishable

CMM provides a fine level of granularity by implementing multi-level consents. If required, you can configure consents depending on:

  • user type/role
  • application version
  • business unit (territory)
  • language
  • data set (profile attributes)
  • processing activity

As easy to withdraw as to give

On top of a full set of consent management APIs, CMM provides a centralized consent management panel. This tool supports data administrators and also provides your customers / users with a self-service capability for consent management. Users can view all consent notices concerning them, give consents and revoke any previously given consent. If you don’t want to embed consent management in all of your applications, you can simply use the panel.

Defines scope of data and purpose of processing

Defining the scope of data and the purpose in the consent notice does not seem like a challenge, and it is not, but we like to think one step ahead. CMM gives you the unique possibility to bind consents to profile attributes (on the configuration level) and to build custom behaviors, processes, validations and reporting that leverage this relation. Imagine a report for your data administrator that shows all consents that are the lawful reason for processing a user's email, or think about automatic data erasure when a user revokes his last consent allowing you to store his address information.

Tracked and auditable

Since consents may be your main purpose of data processing, it is crucial to have full control over their status and the possibility to check their history. CMM not only gives you a set of tools to manage consents but also tracks and records all change events concerning them in the system. Moreover, consent notices (consent text) are also maintained in CMM and versioned, and changes are tracked, so that at any given point in time you can find out what action has been taken and what the consent notice was at that time.

The level of granularity of consent in an organization is a business decision. We provide you with all the possibilities that you need to do it your way.


Here is how we support Data Lifecycle management in the context of GDPR:

Data Minimization

Thanks to a configurable user profile, subscription level attributes, progressive profiling custom widgets and others, you can configure UMM in such a way that it requests and processes only the data that is required. APIs that share personal information with integrated applications are flexible in that context as well.

Right to Access

The data subject has a right not only to access his/her data in order to verify it but also to obtain information on where the data is processed, what the purposes and categories of data are, whether automated decision making is involved, and much more. In other words, whenever your CIAM shares any information with any other system, it needs to be crystal clear what data has been shared, for which purpose and with which of the systems. This is exactly what UMM empowered by CMM allows you to do.

Data Portability

As per the regulation, all data needs to be exportable in a “machine readable format” so that the data owner can transport it. UMM provides the capability of profile data export in JSON format, which can be done by an administrator. It is also possible to trigger automated export actions in integrated applications if needed.

Data Residency

Control over the physical place where personal data is stored and processed is important not only because of GDPR. There are a number of regulations that force international companies to build regional data centers and control data flow between them, if any. UMM fits into this model perfectly by providing cloud data centers all over the world and, in addition, giving you the possibility to host the solution on premises in local data centers of your choice.

Right to be forgotten

This means that upon request you need to erase all the personal data of the requester. UMM provides a data erasure mechanism, but on top of that it also handles data erasure from backups and is capable of notifying external systems and integrated applications about the erasure request. If applications in your domain cannot handle automatic erasure (or you simply do not want them to), you may always leverage a ticketing system or email/text message notification to trigger appropriate actions.

Right to rectification

The data subject shall have the right to have his incomplete or inaccurate data rectified. UMM delivers a full set of tools for administrators and a centralized user profile management panel if it is convenient to provide your customers with self-service for personal data management.