In this series we look at practical tips on how to configure the Ubisecure Identity Platform for GDPR compliance. This first entry deals with GDPR consent management, and how your organization can move towards compliance using just a few minutes of time tweaking the configuration files.
Under the GDPR, and in other contexts, when collecting consent, it is important that your organization is clearly and specifically named at the time of collecting consent.
It is also important to inform your users that they have the right to withdraw consent, typically at the time of collection.
User consent can be collected in various places, either using the user interfaces provided by Ubisecure products, or in the applications which call our APIs for managing consent. The choice is yours – it depends on your implementation decisions.
Customizing the user interface for GDPR consent management (collection)
When using the Ubisecure user interfaces, include a mention of how to manage consent and about the right to withdraw consent in the user interface using the following tags in the template file of SSO.
Modify the configuration files in the following directory:
C:\Program Files\Ubisecure\ubisecure-sso\ubisecure\custom\messages
or
/usr/local/ubisecure/ubisecure-sso/ubilogin/custom/messages
uas.properties
CONSENT_LOGIN_TEXT = The service you are about to access requires your personal information. In order to XXXXX (purpose), we, Example Company, require YYYYY (data). You may withdraw this consent at any time. CONSENT_LOGIN_ACCEPT_TEXT = I approve the transfer of my personal information. (customize as required) CONSENT_HELP_TITLE = Help CONSENT_HELP_TEXT = For more information regarding your personal data, to manage your decisions about storage and processing of your data and to learn how to revoke processing consent, please refer to the following link: CONSENT_HELP_LINKS = < a href="LINK" >Managing my data < / a >
For CustomerID, modify the configuration files in the following directory:
C:\Program Files\Ubisecure\customerid\application\custom
or
/usr/local/ubisecure/customerid/application/custom
For example:
messages_en.properties
registerWizard.inputuser.summary=Please tell us a little bit about yourself. \ Mandatory information for operation of the service is marked with an asterisk. \ The information you give will be processed by Example company to provide you XXX (purpose). \ Your choices and data can be edited at any time using the account management pages.
Any role names and role descriptions pertaining to user consent.
roles.properties
en.friendlyName.SMSMarketingConsent = SMS Marketing en.description.SMSMarketingConsent = I allow Example Company \ to send me SMS marketing messages.\ This consent can be revoked at any time through the self-service page.
Remember the use of mandates in consent for authorizing third-parties to do things on your behalf.
Reminders in email communication
It is also a good idea to mention and remind the user specifically in the email messages sent by the system.
mailmessages.properties
email.inviteUser.role.message = (existing message). \n\nPlease note that you can always manage your personal information and decisions regarding the processing of your data via the account management page at https://example.com/mydata\n (rest of message)
Review which other messages should contain references to consent management. One example is email.pendingEmailRegistration which is sent to the email address of someone completing a registration form.
For each message, localization to each language used is required. Refer to the product documentation for localization instructions.
Proving consent collection
In addition to user actions logged in the system logs, it is important to be able to show what the user experienced at the time of collection in the event of audit or dispute situation. For this reason, it is important to commit any changes made to your revision control system in order to maintain a record of the exact text configured at a given point of time.
Summary
To comply with data processing legislation, such as the GPDR, use-case specific customer configuration is required. Changes are made in configuration files and need to localised for each language used. The scope of changes depends on the products used and the implementation approach. Consider carefully the appropriate place in the end-user journey to present consent information. Think carefully about the language used in order to comply with all of the requirements of the legislation applied in your use case.
Customer Identity and Access Management solutions can help your organization comply to the GDPR. Contact us now to hear more.
About The Author: Keith Uber
Keith is VP Customer Success at Ubisecure.
His specialities include: Identity and Access Management, identity federation, authorisation, access governance, authentication policy and technology, and privacy.
More posts by Keith Uber