Due to the GDPR regulations, ForgeRock has identified the following critical areas that would assist in implementing a compliant system. The information below identifies what personal data is captured, where that data is stored, when it is stored, and who can potentially access the data. It is the implementer’s responsibility to scrub the personal data as necessary to be considered compliant with GDPR regulations.
Since ForgeRock IDM allows the user schema to be customized and linked to outside resources, it is not feasible to identify all the potential Personal Identification Information (PII) that ForgeRock AccessReview can access. It is important to know that any application data that contains PII linked to an IDM user is exposed to the ForgeRock AccessReview application. If the attributes that contain sensitive data are set to displayable or certifiable, that data will be stored at the time of creating the user certification.
Examples:
* User Attributes: username, givenName, sn, email
* OpenDJ: member_address, member_ssn
During the creation of a certification campaign or policy violation
When a certification campaign or policy violation is acted upon