About GDPR compliance

The General Data Protection Regulation (GDPR) is a new legal framework formalized by the European Union (EU) in 2016. This regulation comes into effect from 28, May 2018, and can affect any organization that processes Personally Identifiable Information (PII) of individuals who live in Europe. Organizations that fail to demonstrate GDPR compliance are subjected to financial penalties.

WSO2 Identity Server (WSO2 IS) is designed based on privacy best practices, and is fully compliant with GDPR. GDPR compliance in your IAM and API security spaces can be completely fulfilled with WSO2 Identity Server. This section outlines the major GDPR related features that WSO2 Identity Server supports, and also provides necessary references to specific concepts within the section.

This section also includes an /wiki/spaces/IS560/pages/31818567 page that can give you more specific and direct answers to any question you may have on GDPR as well as on GDPR compliance that WSO2 offers.

Do you want to learn more about GDPR?

If you are new to GDPR, we recommend that you take a look at our tutorial series on Creating a Winning GDPR Strategy.

Part 1 - Introduction to GDPR
Part 2 - 7 Steps for GDPR Compliance
Part 3 - Identity and Access Management to the Rescue
Part 4 - GDPR Compliant Consent Design

For more resources on GDPR, see the white papers, case studies, solution briefs, webinars, and talks published on our WSO2 GDPR homepage. You can also find the original GDPR legal text here.

Privacy by design and privacy by default

As a leading open source Identity and Access Management (IAM) product, WSO2 Identity Server has been designed and architectured based on well known Secure by Design and Privacy by Design principles. With the formalization of GDPR in 2016, the product architecture of WSO2 Identity Server has been reviewed and fine-tuned to accordingly to support privacy principles in an efficient manner, with less overhead to product performance and user experience. WSO2 IS provides all privacy features enabled in the product as default options, and uses up-to-date algorithms and frameworks for all cryptographic operations such as data encryption, signing, and hashing etc.

I want direct answers to my question

Didn't find a proper answer related to GDPR & WSO2 products from this page OR Don’t want to go through the complete documentation? Visit our GDPR FAQ page.

Consent identity management

Generally, identity data are scattered over several systems within an organization. In order to reach GDPR compliance, it is required to review, redesign, and modify each of these systems. This is a maintenance overhead and consumes a significant portion of annual IT budget and requires a specialized set of skills for continuous review and modification process.

Moving to a GDPR compliant IAM solution, so that all identity profiles are managed centrally and share only required data with other systems in an on-demand manner through well-known security standards such as SAML, OpenIDConnect greatly reduces maintenance overhead discussed above and ensures the overall system architecture more secure and privacy-friendly. Additionally, having a centralized identity system simplifies implementations of some of the GDPR features such as the right to be forgotten, right for data portability etc.

Consent life cycle management

According to GDPR, the consent is defined as “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. WSO2 IS fully supports for consent management in the context of IS activities and can be used to manage consents from 3rd party applications via secure RESTful consent management API.

It also supports the following features:

When IS is acting as the Identity Provider(IdP), all the user attributes sharing (usually as security tokens such as SAML, IDToken, JWT etc.) with service providers (SP) are based on user consent.
Gets user consent when IS is storing user attribute profiles based on self-sign up portal or security token received from a federated identity provider.
IS user portal facilitates users to review the already given consents and revoke them, if necessary.
Secure RESTful consent management API can be used to integrate read, modify, and delete consents managed by IS.
Secure RESTful consent management API facilitates using of IS as the consent lifecycle management solution for 3rd party applications such as web and mobile applications.

Consent receipt specification (draft)

WSO2 IS also support for Consent Receipt Specification draft from Kantara Initiative.

Right to be forgotten

This is one of the most important individual rights defined in GDPR. In simple terms, an individual can request to complete removal his/her personal data from the processing organizations. According to GDPR, unless there is a clear and valid legal background, processing organizations should fulfill such forget me requests.

WSO2 IS provides out of a box privacy toolkit to remove all identify data from related databases and log files. This toolkit can be run manually by organization administrators or can be automated so that whenever a user profile gets deleted from the system, all the related PII data gets removed from the system.

By considering performance overhead and automation flexibility, this privacy toolkit is run separately from IS runtime. The privacy toolkit is not just limited to the current version of IS rather, it can be used with any new or old WSO2 platform product. Please note that, for older versions of WSO2 products, it is required to download WSO2 Privacy Toolkit from here separately.

When it comes to Right to be forgotten, IS supports the following features:

Delete the user by “Identity Admin” of the tenant. This will remove the user from any underlying “Read/Write” user store (JDBC/LDAP/AD).
Anonymize any retained traces of the user activity.
- Log Files
- Analytics data, related to Login, Session, Key Validation, etc.
- Key/Token data held at the Database layer.
Delete any unwanted data retained in the Database(due to performance reasons)
- Token(s) issued,
- Password History information.

Additionally, WSO2 Privacy Toolkit can be extended to clear privacy data in any relational database or any textual log file but that is out of the scope of this document.

For more information on the topic, refer Removing References to Deleted User Identities

Exercising individual rights

GDPR defines a set of strong individual rights that every data processing organization should facilitate for their users. The Self-care User Portal available with the WSO2 Identity Server is equipped to exercise these individual rights by users themselves. Any organization that deploys WSO2 IS, will have Self-care User Portal by default.

Following features are supported as part of Self-care User Portal:

The right of transparency and modalities - Personal data processing activities carried out by the organization, their purposes, and time-limits and what data are stored can be made transparent to users via the IS Self-care User Portal.
The right of access - Via the IS Self-care User Portal, users can access and review what personal data are stored in the processing organization.
The right to rectification - Individuals can rectify incorrect data on their user profiles by themselves by logging into Self-care User Portal.
The right to restrict processing - Individuals can make restrictions on their user profiles by themselves by logging into Self-care User Portal. Generally, this is done through by revoking an already given consent but can be extended to other usages as well.
The right to be forgotten - Individuals can remove their profile data or can be extended to send forget-me requests via the Self-care User portal.
The right for notification obligation - The Self-care User Portal can be extended to act as the notification center for individuals.
The right to data portability - Individuals can download their user profile in a structured, commonly used and machine-readable JSON document format through the Self-care User Portal.
The right to object - The Self-care User Portal can be extended to act as a communication channel to make objections on processing.
Rights in relation to automated decision making and profiling - The Self-care User Portal can be extended to act as a communication channel to make objections on automated decision making and profiling.

Following additional features are also supported in IS Self-care User portal.

Revoking consent for all or specific attributes
Giving an expiry date for a consent

Personal data portability

Ability to download individual’s user profile as a structured, commonly used and a machine-readable format is a requirement of GDPR. In WSO2 IS, it is possible to use one of the following options to download user profile as a structured JSON document.

By logging into Self-care User Portal
Invoking personal data export API(secure RESTful API)

Additionally, GDPR encourages to facilitate user profile provisioning from the data processing organization to another organization based on individuals requests automatically. SCIM 2 API supported in WSO2 IS can be used to fulfill this requirement.

Personal data protection

WSO2 IS is subjected to regular reviews and updates for latest versions of the crypto algorithm and latest versions of crypto frameworks. These security updates are provided as WSO2 WUM service. Additionally, a number of data encryption and protection features are supported by WSO2 IS.

Supported encryption features for personal data:

OAuth2 Access token
OAuth2 Refresh token
OAuth2 Authorization
ID Tokens
SAML Responses

Supported hashing features for personal data:

User credentials

GDPR also mandates processing organizations to make sure only authorized people from the stuff based on “need to know” basic can access to user profile data from individuals. Access control features supported in WSO2 IS such as role-based access control (RBAC), attribute-based access control can be used to cater this requirement.

For more information on Role-based Access control, Attribute-based Access Control, and XACML, refer Access Control and Entitlement page.

The cookies used

WSO2 Identity Server uses cookies to provide a good user experience. Check out the following table for details.

Cookie Name	Purpose	Retention
JSESSIONID	This maintains the session data in order to provide a good user experience.	Session
MSGnnnnnnnnnn	This maintains some messages that are shown to you in order to provide a good user experience. The “nnnnnnnnnn” reference in this cookie represents a random number, e.g., MSG324935932.	Session
requestedURI	This is the URI you are accessing.	Session
current-breadcrumb	This is to keep your active page in session in order to provide a good user experience.	Session
commonAuthId	This identifies the user session. When a user is authenticated, a session is created and cached. This session's identifier is set in the commonAuthId cookie.	Session
obps	This is to maintain the browser state and to store the OIDC sessions.	Session

Browser not supported