GDPR Checklist for an IDaaS Solution — Part 2

Buddhima Udaranga
4 min read, Oct 22, 2022


In the earlier blog we got a good understanding of GDPR, PIIs and why IDaaS solutions need to worry about them. Here we discuss the checklist that an IDaaS solution needs to complete in order to be GDPR compliant.

Here I have categorised these requirements into three parts:

Organisational Requirements

  1. DPO (Data protection officer)

As per the GDPR documentation, you need to appoint a DPO for your organisation if it satisfies the following three conditions.

  • You regularly or systematically monitor individuals or process special categories of data

Usually this kind of monitoring happens in search engines and in applications that send promotional messages suggesting services or products. In IDaaS solutions this does not usually happen, but there can be cases where these solutions monitor user behaviour to identify how long a user remains on the platform and which features they use most often. Based on this information, IDaaS solutions create promotional emails and improve the user experience.

  • This processing is a core business activity

Without processing this data an IDaaS solution cannot make a decision on the authenticity of a user. Hence yes, it is part of the core business activity.

  • You process data on a large scale

The term large-scale processing is described further in [2]. To be classified as large-scale processing, a threshold must be exceeded; in the IDaaS case this is the data of 50000 people. If your IDaaS solution caters to more than 50000 users, you need a DPO.

According to the documentation [3], the primary task of a DPO is making sure the IDaaS solution's stakeholders and its users know about data protection rights, obligations and responsibilities, and raising awareness about them. The DPO is also responsible for handling queries and complaints from users.

  2. Privacy Policy

Provide a privacy policy that clearly states the following:

  • How you collect personal data
  • Why you collect personal data
  • What you are using the personal data for
  • How long you will keep the personal data
  • Which rights the user has

Data Related Requirements

Data Residency

When it comes to PII, the European Commission clearly states that personal data should reside in a country that has an adequate level of protection. It has published a set of non-EU countries with such protection [4]:

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection.

Data processing agreements with third parties

Under the GDPR, a DPA (data processing agreement) is mandatory whenever a person or organisation gives personal data to a third-party service provider for a collaborative service. Any party that acts as a data processor must sign a DPA with the data controller.

These data processing entities may include email service providers, SMS service providers, billing services and support services.

Maintain, Update and Download Personal Data

When it comes to an IDaaS solution there can be several types of personal data. Let's assume there is a company named Ceytan. Ceytan has employees and customers in the EU region and needs to manage its customer and employee identity and access management using an IDaaS solution.

Ceytan's technical manager picks an IDaaS solution, creates an account in it and gets access to its dashboards.

The personal data of Ceytan can then be categorised into 3 parts:

  1. Personal data of Ceytan technical manager
  2. Personal data of Ceytan employees
  3. Personal data of Ceytan customers

Each of these users has the right to view their personal data, edit it and download it in a digital format.

Request to delete personal data

In the earlier section we discussed the types of personal data that need to be handled by an IDaaS solution. There can be situations where any of these users wants to remove all their digital traces. In such cases the user has the right to request deletion. All PII related to this user, such as emails, credit card details, IP addresses, postal addresses and names, then needs to be deleted from databases and logs, and even from backups.

Cookie Requirements

As per the GDPR documentation [5], cookies are categorised based on purpose, duration and provenance.

For our use case the most important categorisation is the one based on purpose. Cookies that are needed to use the features of your IDaaS service are classified as strictly necessary cookies, without which the site would not work. This type of cookie does not collect any personally identifiable information about the user and does not track browsing habits.

In the IDaaS context, affinity cookies and session cookies fall into this category. All other cookies need to be well documented with their purpose and the data they collect. Customer consent should be acquired for all cookies except strictly necessary cookies.

Even if customers choose not to give consent for some of the cookies, they should still be able to use the service, with limited functionality. This consent needs to be stored in the IDaaS solution for future use.

There should be a mechanism to withdraw consent that is as easy as giving it.
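The consent rules above, as an added illustrative example in Python (not code from the original post or from any IDaaS product): a documented cookie catalogue, a consent store that remembers and withdraws a user's choices, and a gate that only lets strictly necessary cookies through when no consent has been given. Cookie names and purposes are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set

class Purpose(Enum):
    STRICTLY_NECESSARY = "strictly_necessary"  # site does not work without these; no consent needed
    ANALYTICS = "analytics"                    # e.g. time on platform, features used
    MARKETING = "marketing"                    # e.g. promotional emails

@dataclass(frozen=True)
class CookieSpec:
    name: str
    purpose: Purpose
    data_collected: str  # documented so the cookie policy can state what each cookie collects

# Constructed catalogue for this example; cookie names are illustrative, not from any real product.
COOKIE_CATALOGUE: Dict[str, CookieSpec] = {
    "session_id": CookieSpec("session_id", Purpose.STRICTLY_NECESSARY, "opaque session token"),
    "affinity": CookieSpec("affinity", Purpose.STRICTLY_NECESSARY, "backend node id for sticky routing"),
    "usage_stats": CookieSpec("usage_stats", Purpose.ANALYTICS, "session duration, features used"),
    "promo_id": CookieSpec("promo_id", Purpose.MARKETING, "identifier for promotional emails"),
}

class ConsentStore:
    """Keeps each user's granted purposes so the choice is remembered on later visits."""

    def __init__(self) -> None:
        self._granted: Dict[str, Set[Purpose]] = {}

    def grant(self, user_id: str, purposes: Set[Purpose]) -> None:
        # Strictly necessary cookies never need consent, so that purpose is not recorded.
        self._granted.setdefault(user_id, set()).update(purposes - {Purpose.STRICTLY_NECESSARY})

    def withdraw(self, user_id: str, purposes: Optional[Set[Purpose]] = None) -> None:
        # Withdrawal is a single call, the same effort as granting; None withdraws everything.
        if purposes is None:
            self._granted.pop(user_id, None)
        else:
            self._granted.get(user_id, set()).difference_update(purposes)

    def allowed(self, user_id: str) -> Set[Purpose]:
        return {Purpose.STRICTLY_NECESSARY} | self._granted.get(user_id, set())

def filter_set_cookies(store: ConsentStore, user_id: str, proposed: Dict[str, str]) -> Dict[str, str]:
    """Keep only cookies whose documented purpose the user has consented to; undocumented ones are dropped."""
    allowed = store.allowed(user_id)
    return {n: v for n, v in proposed.items()
            if n in COOKIE_CATALOGUE and COOKIE_CATALOGUE[n].purpose in allowed}
```

Because undocumented cookies are dropped as well, adding a new cookie to the service forces someone to record its purpose and the data it collects first.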

Conclusion

Above are the requirements that you need to satisfy if you want your IDaaS solution to cater to EU customers.

References

  1. https://www.forbes.com/sites/andrewrossow/2018/05/25/the-birth-of-gdpr-what-is-it-and-what-you-need-to-know/?sh=23e07a8355e5
  2. https://iapp.org/news/a/on-large-scale-data-processing-and-gdpr-compliance/
  3. https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en
  4. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
  5. https://gdpr.eu/cookies/
