Go Beyond Schrems II Compliance - Protect Customers with Layered Security


Schrems II and What it Means for Protecting Customer Data

Customers are taking an increasing interest in how their data is managed, secured, and used. Data security and privacy are no longer just about meeting regulatory compliance, but also about building trusted relationships that enable customer loyalty and retention. This, in part, drove the privacy activism movement led by Maximilian Schrems, who in 2015 and 2020 challenged the legality of Facebook sharing his personal data resident in Ireland with the company's headquarters in the U.S.

Schrems argued that data transfers between the two countries failed to provide "adequate protection" for his personal data, thereby putting data at risk of interception and violating the General Data Protection Regulation (GDPR) as well as the Privacy Shield Framework. The resulting Schrems II ruling requires organizations and service providers to assure that adequate controls are provided to protect customer data and their privacy.

Cross-Border Data Flows are Critical to Business Growth

With over 65% of organizations transferring data outside the European Economic Area (EEA), this is fast becoming a global issue impacting organizations in many regions, including the UK, Australia, and the U.S. Requiring organizations to localize data hinders their ability to accelerate business growth and leverage the global third-party technologies needed to stay ahead of the competition. The good news is that the U.S. and EU recently announced they are working on an agreement for a Transatlantic Data Privacy Framework. But what can organizations do today to provide better protection for their customers and get ahead of the next privacy regulation coming their way, all without impacting business?

The Way Forward: Protecting Customers with Modern CIAM Capabilities

Identity is the front door to your organization, informing your customers' early impressions of your business. Making the right decision about how data is secured and where it's stored is more important than ever. As your ecosystem moves to embrace the cloud and hybrid IT, you will invariably be asking where identity data is stored.

Safeguarding personal data requires organizations to have a layered approach to security that starts with a strong Customer Identity and Access Management (CIAM) platform that can manage, secure, and store data in the region of their choice. While there are many CIAM offerings in the market, most lack the design and architecture needed to align with emerging data protection and privacy regulations.

So how can a modern CIAM architecture help you address data security and privacy requirements?

  1. Security and privacy by design: Modern CIAM platforms delivered as SaaS are architected for security, privacy, and data sovereignty. They ensure that data resident in the cloud is secured, readily available, and isolated from other customers' data (other tenants) to minimize the risk of a breach and protect against unauthorized access. Modern CIAM also enables you to deploy access configurations and entitlements that enforce least-privilege access to your identity data.
  2. Regional data isolation: Modern CIAM provides you with a choice of globally distributed data centers and delivers the resilience, performance, and scalability critical to growing your business. It enables you to keep data resident within the region(s) of your choice to meet local data protection and residency requirements, while still being able to accelerate business growth.
  3. Secure data at rest and in transit: Ensuring your customer data is encrypted across your on-premises infrastructure is standard practice. But as you move to the cloud, you will need to ensure data is encrypted at rest and in transit with standard cryptographic technologies. Modern CIAM solutions that isolate identity data in the cloud mitigate the "noisy neighbor" effect and the ability of other customers and third parties to gain malicious access to your identity data, thereby reducing the risk of account takeover (ATO) attacks.

The ForgeRock Identity Cloud provides security and privacy by design through full tenant isolation, data sovereignty with regional isolation across the globe, and robust data encryption to ensure that both the storage and transmission of data are fully compliant with the Schrems II ruling. This helps you reduce regulatory risk and compliance costs, while strengthening customer privacy and trust. Your customers deserve better protection. Learn how ForgeRock can help you today.