About GDPR compliance
The General Data Protection Regulation (GDPR) is a new legal framework formalized by the European Union (EU) in 2016. This regulation comes into effect from 28, May 2018, and can affect any organization that processes Personally Identifiable Information (PII) of individuals who live in Europe. Organizations that fail to demonstrate GDPR compliance are subjected to financial penalties.
WSO2 Identity Server (WSO2 IS) is designed based on privacy best practices, and is fully compliant with GDPR. GDPR compliance in your IAM and API security spaces can be completely fulfilled with WSO2 Identity Server. This section outlines the major GDPR related features that WSO2 Identity Server supports, and also provides necessary references to specific concepts within the section.
Do you want to learn more about GDPR?
If you are new to GDPR, we recommend that you take a look at our tutorial series on Creating a Winning GDPR Strategy.
Part 1 - Introduction to GDPR
Part 2 - 7 Steps for GDPR Compliance
Part 4 - GDPR Compliant Consent Design
Privacy by design and privacy by default
As a leading open source Identity and Access Management (IAM) product, WSO2 Identity Server has been designed and architectured based on well known Secure by Design and Privacy by Design principles. With the formalization of GDPR in 2016, the product architecture of WSO2 Identity Server has been reviewed and fine-tuned accordingly to support privacy principles in an efficient manner, with less overhead to product performance and user experience. WSO2 IS provides all privacy features as default options and uses up-to-date algorithms and frameworks for all cryptographic operations such as data encryption, signing, and hashing etc.
Consent identity management
Generally, identity data are scattered over several systems within an organization. In order to reach GDPR compliance, it is required to review, redesign, and modify each of these systems. This is a maintenance overhead and consumes a significant portion of annual IT budget and requires a specialized set of skills for continuous review and modification process.
Moving to a GDPR compliant IAM solution, so that all identity profiles are managed centrally and share only required data with other systems in an on-demand manner through well-known security standards such as SAML, OpenIDConnect greatly reduces maintenance overhead discussed above and ensures the overall system architecture more secure and privacy-friendly. Additionally, having a centralized identity system simplifies implementations of some of the GDPR features such as the right to be forgotten, right for data portability etc.
Consent lifecycle management
GDPR defines consent as “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. WSO2 IS fully supports for consent management in the context of IS activities and can be used to manage consents from 3rd party applications via secure RESTful consent management API.
When WSO2 IS is configured as the Identity Provider(IdP), all the shared user attributes (usually as security tokens such as SAML, IDToken, JWT etc.) with service providers (SP) are based on user consent.
- Gets user consent when WSO2 IS is storing user attribute profiles based on self-sign up portal or security token received from a federated identity provider.
The WSO2 IS user portal facilitates users to review the already given consents and revoke them, if necessary.
Secure RESTful consent management API can be used to integrate read, modify, and delete consents managed by WSO2 IS.
- Secure RESTful consent management API facilitates using of WSO2 IS as the consent lifecycle management solution for 3rd party applications such as web and mobile applications.
For more information about consent management with WSO2 Identity Server, see Consent Management.
Consent receipt specification
WSO2 IS also supports the Consent Receipt Specification from the Kantara Initiative.
Right to be forgotten
This is one of the most important individual rights defined in GDPR. In simple terms, an individual can request to completely remove his/her personal data from the processing organizations. According to GDPR, unless there is a clear and valid legal background, processing organizations should fulfill such forget me requests.
WSO2 IS provides an out-of-the-box privacy toolkit to remove all identifying data from related databases and log files. This toolkit can be run manually by organization administrators or can be automated so that whenever a user profile gets deleted from the system, all the related PII data gets removed from the system as well.
By considering performance overheads and automation flexibility, this privacy toolkit is run separately from the WSO2 IS runtime. The privacy toolkit is not just limited to the current version of WSO2 IS and it can be used with any new or old WSO2 platform product.
When it comes to Right to be forgotten, WSO2 IS supports the following features:
- Delete the user by “Identity Admin” of the tenant. This will remove the user from any underlying “Read/Write” user store (JDBC/LDAP/AD).
- Anonymize any retained traces of the user activity.
- Log Files
- Analytics data, related to Login, Session, Key Validation, etc.
- Key/Token data held at the Database layer.
- Delete any unwanted data retained in the Database(due to performance reasons)
- Token(s) issued,
- Password History information.
Additionally, WSO2 Privacy Toolkit can be extended to clear privacy data in any relational database or any textual log file but that is out of the scope of this document.
Exercising individual rights
GDPR defines a set of strong individual rights that every data processing organization should facilitate for their users. The Self-care User Portal available with the WSO2 Identity Server is equipped to exercise these individual rights by users themselves. Any organization that deploys WSO2 IS will have Self-care User Portal by default.
Following features are supported as part of Self-care User Portal:
- The right of transparency and modalities - Personal data processing activities carried out by the organization, their purposes, and time-limits and what data are stored can be made transparent to users via the IS Self-care User Portal.
- The right of access - Via the IS Self-care User Portal, users can access and review what personal data are stored in the processing organization.
- The right to rectification - Individuals can rectify incorrect data on their user profiles by themselves by logging into Self-care User Portal.
- The right to restrict processing - Individuals can make restrictions on their user profiles by themselves by logging into Self-care User Portal. Generally, this is done through by revoking an already given consent but can be extended to other usages as well.
- The right to be forgotten - Individuals can remove their profile data or can be extended to send forget-me requests via the Self-care User portal.
- The right for notification obligation - The Self-care User Portal can be extended to act as the notification center for individuals.
- The right to data portability - Individuals can download their user profile in a structured, commonly used and machine-readable JSON document format through the Self-care User Portal.
- The right to object - The Self-care User Portal can be extended to act as a communication channel to make objections on processing.
- Rights in relation to automated decision making and profiling - The Self-care User Portal can be extended to act as a communication channel to make objections on automated decision making and profiling.
Additional features supported by the self-care user portal:
- Revoking consent for all or specific attributes
- Giving an expiry date for a consent
Personal data portability
Ability to download individual’s user profile as a structured, commonly used and a machine-readable format is a requirement of GDPR. In WSO2 IS, it is possible to use one of the following options to download a user profile as a structured JSON document.
By logging into the Self-care User Portal
Invoking the personal data export API(secure RESTful API)
Additionally, GDPR encourages facilitating user profile provisioning from the data processing organization to another organization based on the individual's requests, automatically. The SCIM 2.0 APIs in WSO2 IS can be used to fulfill this requirement.
For more information, see Using the Personal Information Export REST APIs.
Personal data protection
WSO2 IS is subjected to regular reviews and updates for latest versions of the crypto algorithm and latest versions of crypto frameworks. These security updates are provided as WSO2 WUM services. Additionally, a number of data encryption and protection features are supported by WSO2 IS.
Encryption of personal data is supported using the following:
- OAuth2 Access token
OAuth2 Refresh token
- SAML Responses
Supported hashing features for personal data:
- User credentials
GDPR also mandates processing organizations to make sure only authorized people from the stuff based on “need to know” basic can access to user profile data from individuals. Access control features supported in WSO2 IS such as role-based access control (RBAC), attribute-based access control can be used to cater this requirement.
For more information on role-based access control, attribute-based access control, and XACML, refer Access Control and Entitlement Management page.
The cookies used
This maintains the session data in order to provide a good user experience.
This maintains some messages that are shown to you in order to provide a good user experience.
The “nnnnnnnnnn” reference in this cookie represents a random number, e.g., MSG324935932.
This is the URI you are accessing.
This is to keep your active page in session in order to provide a good user experience.
This identifies the user session.
When a user is authenticated, a session is created and cached. This session's identifier is set in the commonAuthId cookie.
This is to maintain the browser state and to store the OIDC sessions.