The Akamai Blog

How Can Akamai Identity Cloud Help With Regulatory Compliance?

Regulatory compliance requirements related to personally identifiable information (PII) continue to be enacted around the world as the number of breaches and cases of data abuse grows. Understanding the variances between the many different privacy and data protection laws can be challenging for companies: from the EU's General Data Protection Regulation (GDPR), to California's upcoming Consumer Privacy Act (CCPA), Australia's Privacy Act, Japan's Act on the Protection of Personal Information (APPI), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), each regulation has its own nuances.

We often get asked by our customers about specific parts of the regulations and how Akamai can help, so I've put together a list of the general types of requirements found in many of the major data protection and privacy regulations around the world. Each type of requirement is described briefly, followed by how Akamai Identity Cloud, our customer identity and access management (CIAM) solution, can play an integral role in a business' data governance program in support of privacy compliance.

CIAM, a systematic approach paired with dedicated software solutions, has been critical in helping brands collect and manage customers' personal data in a way that ensures security and compliance with regulatory measures. CIAM enables businesses to use customer data within their marketing automation and content management systems, so that brands can continue to create highly personalized customer experiences while satisfying regulatory requirements and their customers' growing desire for data privacy.

I hope this guide is a useful tool for those trying to navigate the challenging world of regulatory compliance related to privacy and data protection laws.

Understanding regulatory privacy compliance requirements

Consent

Organizations often must obtain consent from end users prior to collecting and processing their personal data for certain purposes. Requirements for obtaining valid consent and when such consent is required vary among applicable regulations.

How Identity Cloud can help

Identity Cloud supports user experiences (forms) and design patterns to ask for consent at the time of account registration, as well as after account login at any stage of the customer journey. User experiences are fully customizable and can support both opt-in and opt-out scenarios. End users can be enabled to view, modify, and revoke consent on a self-service basis at any time.

For regulations that have age-related consent requirements, Identity Cloud provides age gating functionality to protect against acceptance of personal data from children.

Consents and preferences are stored in an auditable fashion alongside user data as part of the customer data record. Like all user data, this data is encrypted in motion and at rest.

Right to object

These are requirements that entitle a data subject to object to the use of their personal data for certain types of data processing, such as direct marketing or statistical analysis.

How Identity Cloud can help

Identity Cloud provides a customizable preference center that allows end users to select or deselect what types of data processing they approve.

This user interface and design pattern is integrated with the registration and login user experience where end users can select the types of data processing to which they agree, and take other actions on their profile. Preferences are stored alongside user data as part of the customer data record. Like all user data, this data is encrypted in motion and at rest. Preference settings can also be updated via API from any client-hosted page.

Right to access

Many laws provide the data subject with the right to access, review, and correct the personal data being processed and, in some cases, to seek additional information about the uses and disclosures of such data.

How Identity Cloud can help

Identity Cloud provides a customizable preference center, which allows end users to request access to their data. Companies can then act on the request and pull data from Identity Cloud and any other systems that hold customer data. It is possible to have Identity Cloud trigger an event to start the process to collect and deliver the data needed to satisfy the regulatory requirement. Identity Cloud's own customer data can be provided in JSON, an open-standard file format that is both human- and machine-readable.

Access to customer profile data can be granted to representatives of the business in a manner consistent with the business' own data management policies. Identity Cloud allows for fine-grained, scoped access control to limit data access based on roles and attributes, and down to the level of individual fields of the data record.

Right to erase or delete personal data

Often referred to as the "right to be forgotten", many laws include the right for data subjects to have their personal data erased, no longer disseminated to third parties, and no longer exposed to third-party processing.

How Identity Cloud can help

Identity Cloud allows secure (not restorable) deletion of data records, including deletion from backups, to help prevent the accidental sprawl of toxic data.

Data portability

These are requirements that companies provide data subjects with copies of their data in a commonly used, machine-readable format, allowing users to transfer their data to another organization without hindrance.

How Identity Cloud can help

Identity Cloud provides a customizable preference center, which allows end users to request a download of their data. Companies can then act on the request and pull data from Identity Cloud and any other systems that hold customer data. It is possible to have Identity Cloud trigger an event to start the process to collect and deliver the data needed to satisfy the regulatory requirement. Identity Cloud's own customer data can be provided in JSON, an open-standard file format that is both human- and machine-readable.

Access to customer profile data can be granted to representatives of the business in a manner consistent with the business' own data management policies. Identity Cloud allows for fine-grained, scoped access control to limit data access based on roles and attributes, and down to the level of individual fields of the data record.

Security

Companies must implement data security safeguards appropriate to the risk to ensure that data is not inadvertently or wrongfully accessed, modified, lost, destroyed, or disclosed.

How Identity Cloud can help

Akamai has implemented appropriate safeguards to protect the personal data it processes and the privacy of the affected data subjects, including safeguards that are specifically noted in certain regulations, such as encryption of personal data in transit and at rest.

Identity Cloud provides strong user authentication and sophisticated protection mechanisms against network-based threats, all protected behind Kona Site Defender, Akamai's web application firewall. Identity Cloud maintains, and is audited or assessed for, certification and compliance with major security assurance programs, including: ISO 27001:2013; ISO 27018:2014 (PII protection in the cloud); SOC 2 Type II (all five Trust Services Criteria: Common Criteria/Security, Availability, Confidentiality, Processing Integrity, and Privacy); the HIPAA/HITECH Security Rule (protection of healthcare information at rest and in transit); Cloud Security Alliance (CSA STAR Level 2); and the U.S.-E.U. Privacy Shield Framework.

Akamai has implemented a comprehensive Information Security Policy and Program to ensure that it has in place and follows appropriate technical and organizational measures to protect the security and confidentiality of personal data. Akamai trains all employees about their confidentiality, privacy, and information security obligations as part of their new employee training and provides regular training thereafter.
