Does the ForgeRock solution support "privacy by design" and consent mechanisms?
This article provides answers to frequently asked questions on "privacy by design" and consent mechanisms when evaluating the ForgeRock solution.
- Does the solution support a privacy and consent framework based on the UMA 2.0 standard?
- Does the solution provide users with fine-grained controls to share and audit data about themselves, their devices and things?
- Does the solution support the right to be forgotten that adheres to regulations such as GDPR?
- How does the solution administrator configure multiple versions of consent documents and force customers to accept these versions?
Does the solution support a privacy and consent framework based on the UMA 2.0 standard?
Yes. ForgeRock User-Managed Access (UMA) is a privacy and consent solution based on UMA 2.0 that helps address compliance with consent requirements of privacy laws. Through UMA capabilities, ForgeRock allows end users to manage - grant and withdraw - consents and permissions in a fine-grained fashion over time from a convenient central console across multiple data services. UMA capabilities are available in the Access Management component (authorization server), Identity Gateway (resource server), and through a Profile and Privacy Management dashboard. This user-centric approach addresses regulatory concepts of consent and data minimization, such as General Data Protection Regulation (GDPR).
UMA capabilities also enable user control of access to APIs. The approach of protecting APIs that directly deliver data to processors without central aggregation addresses the GDPR concept of data accuracy.
ForgeRock can also capture user consent to Terms and Conditions (T&Cs) and privacy notices, at both account registration time and at authentication time, and enables users to manage account information over time.
UMA is not currently available in Identity Cloud deployments.
Does the solution provide users with fine-grained controls to share and audit data about themselves, their devices and things?
Yes. ForgeRock provides a comprehensive regulation-ready Profile and Privacy Management dashboard. Through this dashboard, end users can manage their own profile details, manage applications that they have consented to, manage how they choose to share data and with whom, and manage what personal data is shared with external databases such as marketing automation platforms. It also addresses many other user regulatory requirements, including giving users the ability to save their profile data locally and the right to delete their profile.
See Profile and Privacy Management Dashboard product brief for further information.
Does the solution support the right to be forgotten that adheres to regulations such as GDPR?
Yes. ForgeRock includes self-service functionality that allows end users to manage their information and, where appropriate, permanently delete their accounts. This functionality accommodates a user's right under regulations, such as GDPR, to rectify and to be forgotten.
Additionally, ForgeRock can be configured to scan for data that is considered stale and to modify, remove or trigger a workflow to prompt a user to update the information.
Upon receiving a user's request to delete their data, various actions can be started. First, the user profile can be marked accordingly. Relevant user data is then identified via connectors to databases and applications. Subsequently, data can be removed as required, scheduled for a future date or managed by an approval workflow. This allows organizations to manage personal data as legally required (often some data may need to be kept for security, audit or dispute handling).
How does the solution administrator configure multiple versions of consent documents and force customers to accept these versions?
ForgeRock allows administrators to set up multiple terms and conditions (T&Cs) for an environment and specify different T&Cs for different user journeys. They can also be localized per language requirements. Terms and conditions nodes within a user journey are not optional. Users can view them and must accept them by default before progressing.
Go Beyond the Regulations and Build Trusted Relationships
Identity Cloud documentation:
Identity Platform documentation: