Privacy and GDPR

Introduction

All digital solutions must comply with privacy-related regulations such as GDPR. Therefore privacy design must be part of the implementation of Authway by IRM.

Examples of concerns that must be considered for a privacy design:

  • Consent management: organisations must obtain explicit consents from individuals before collecting and processing data.
  • Access control: careful handling of user access and permissions.
  • Data minimization: an organisation should limit the amount of personal data they collect and process to only what is necessary for a specific purpose.
  • Data protection: an organisation is required to implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.

There are many parts to this design, for example how applications use PII data from Authway (outlined in the Developer guide). Below is a description of the built-in clean-up tasks that run automatically when turned on. Consider which of these tasks would be useful in your situation.

Remove user audit information

This task is always active in all Authway instances, and by default audit information older than 365 days is removed. The number of days that audit information is kept can be configured.

Remove inactive organisations

The task will remove inactive organisations, which is necessary for GDPR reasons since some organisations can include personal information.

An inactive organisation is defined as an organisation that:

  • does not have any users
  • does not have any persons
  • does not have any subsidiaries

The following options can be configured for this task:

  • Minimum age: The number of days that should pass before a newly created organisation is evaluated as inactive.
  • Kind of organisation: only subsidiaries, only group mothers (tenants), or both.

Remove inactive users

The task will remove inactive users, since GDPR does not allow an organisation to keep PII data longer than necessary.

The following options can be configured for this task:

  • Maximum number of days since last sign-in. Default 365 days.
  • Type of organisations to search for inactive users. Can be Private persons, Organisations or Both.
  • Import date: can be used to keep users that were created before the import date.

Remove users that have never signed in

The task will remove users that have never signed in. This is especially useful for removing users that have created accounts but never verified their e-mail address or phone number and therefore have not been able to sign in (when verification is required). In those situations the user account should be removed earlier than when the user would be considered inactive.

The following options can be configured for this task:

  • Minimum age: The number of days that should pass before a newly created user will be removed.
  • Type of organisations to search for inactive users. Can be Private persons, Organisations or Both.
  • Import date: can be used to keep users that were created before the import date.

Remove users without any permissions (do not belong to any group)

The task will remove users that do not belong to any group and therefore do not have permission to access anything.

The following options can be configured for this task:

  • Maximum number of days since last sign-in. Default 365 days.
  • Type of organisations to search for inactive users. Can be Private persons, Organisations or Both.
  • Import date: can be used to keep users that were created before the import date.
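As an added example (not Authway's own code), the selection rules of the three user clean-up tasks above applied to a constructed set of user records: the never-signed-in minimum age, the idle threshold for users without groups, the organisation-type filter and the import-date cut-off. Field names and the threshold values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class User:                       # assumed record layout, not Authway's schema
    name: str
    org_kind: str                 # "private" or "organisation"
    created: date
    last_sign_in: Optional[date]  # None: the user has never signed in
    groups: tuple = ()            # empty: no permissions at all

@dataclass
class Policy:                     # one threshold per clean-up task (assumed values)
    max_inactive_days: int = 365       # "Remove inactive users"
    never_signed_in_min_age: int = 30  # "Remove users that have never signed in"
    no_groups_max_idle: int = 90       # "Remove users without any permissions"
    org_kinds: str = "both"            # "private", "organisation" or "both"
    import_date: Optional[date] = None # users created before this date are kept

def in_scope(user: User, policy: Policy) -> bool:
    if policy.import_date is not None and user.created < policy.import_date:
        return False  # imported users are protected by the import date
    return policy.org_kinds == "both" or user.org_kind == policy.org_kinds

def removal_reason(user: User, policy: Policy, today: date) -> Optional[str]:
    if not in_scope(user, policy):
        return None
    if user.last_sign_in is None:  # never signed in: judged by account age only
        age = (today - user.created).days
        return "never signed in" if age >= policy.never_signed_in_min_age else None
    idle = (today - user.last_sign_in).days
    if not user.groups and idle > policy.no_groups_max_idle:
        return "no permissions"    # groupless users go earlier than inactive ones
    if idle > policy.max_inactive_days:
        return "inactive"
    return None

def plan_cleanup(users, policy: Policy, today: date) -> dict:
    return {u.name: r for u in users if (r := removal_reason(u, policy, today))}

# Constructed sample directory (not real data).
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    User("alice", "private", date(2023, 1, 10), date(2024, 5, 20), ("staff",)),
    User("bob", "private", date(2022, 2, 1), date(2023, 3, 1), ("staff",)),
    User("carol", "organisation", date(2024, 4, 1), None),
    User("dave", "organisation", date(2024, 5, 25), None),
    User("erin", "private", date(2023, 9, 1), date(2024, 1, 1), ()),
]
```

Running `plan_cleanup(SAMPLE_USERS, Policy(), TODAY)` reports bob as inactive, carol as never signed in and erin as having no permissions, while alice (recently active) and dave (account younger than the minimum age) are kept.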