Achieving GDPR Compliance in Heraklion, Crete

The city of Heraklion, capital of the Greek island of Crete, is many things – it’s a tourist attraction, a port and ferry dock, and a smart city. In fact, Heraklion was recognized as one of the world’s 21 smartest communities in 2014 and even has a technological university. As a tech-driven city, the Municipality of Heraklion decided to build a web portal for more than 6,000 users and a case management system for 700 employees. Also in this plan was the creation of an email system based on Postfix and Horde, mobile applications for the convenience of both citizens and employees, an e-payment gateway, and several WordPress sites for affiliated organizations of the municipality.

Solution Requirements

The IT infrastructure of the Municipality has multiple applications and users. And both ITDT and the Municipality wanted to create unique user profiles (and avoid duplications), a single-sign-on process for users, provide authentication mechanisms and very importantly, achieve GDPR compliance. A team comprising of the University of Crete, the National Technical University of Athens (NTUA), and ITDT Solutions (a company based in Cyprus working with a range of customers in Cyprus and the Balkans) worked with the Municipality of Heraklion to achieve these ambitious goals.

The new solution had a list of proposed items for successful project completion. The starting point for this project was the creation of a new LDAP infrastructure based on OpenLDAP (the LDAP infrastructure which existed at the time needed upgrading). User migration had to occur from the web portal’s database and other applications. Identity management is a huge requirement and the team used WSO2 Identity Server and the national identity provider for advanced security services. And the final important item was the migration of applications to SAML2 and OAuth2.

GDPR Compliance Made Easy

GDPR compliance and its importance led the project team to WSO2 Identity Server, which as an identity solutions provider, is GDPR ready. This meant that ITDT and the rest of the team did not have to do much to become GDPR compliant by themselves. ITDT created a single user store for convenience which simplified the process (the other option was to become compliant for each and every user store and application). The self-care user portal of WSO2 Identity Server plays a crucial role in GDPR compliance since it functions as a medium for users to exercise their individual rights as defined by GDPR for data managed and retained by WSO2 Identity Server. This self-care portal allows users to access and rectify any information about themselves at any point of time. Users can also request portal administrators to delete their entire user account if needed. It also enables users to revoke consent and exercise their right to be forgotten, in addition to providing them with a portal format of storing data, the right to pause/ restrict data processing, and of course, transparency on how their data will be processed.

WSO2 Identity Server comes with other perks as well. For one, it enabled ITDT and team to build a central identity so they migrated all their user stores to the central LDAP infrastructure by the project’s end. Secondly, WSO2 supported various inbound authentication mechanisms (SAML, OAuth, JWT, etc). Lastly (and best of all) is that WSO2 Identity Server is open source. This project did not have the most generous budget, and the Municipality of Heraklion needed a solution that did not have extra licensing costs attached to it. WSO2 Identity Server has an Apache 2.0 license, thereby giving the team heading this project the freedom to use this solution.

Benefits and Expansion

Apart from creating a robust solution to achieve GDPR compliance, ITDT has been able to create unique user experiences and reduce development costs for the Municipality. A digital transformation project of this nature (or indeed any such project), naturally provides insights to the team leading it by the project’s end. What ITDT learnt was that the migration of user stores is harder than they had initially anticipated as it required a lot of manpower. The team also learnt that WSO2 Identity Server is an ideal platform for creating custom solutions whilst keeping the core solution unchanged. Given the success of this project, the next step involves expansion – to other applications in Heraklion city and to other municipalities in Crete. Data exchange between municipalities and universities in Crete, and creating loyalty schemes between public and private bodies are other areas of interest. Identity management will continue to play a central role in all these plans.

Watch this presentation to learn more.

WSO2 Identity Server can be used for a host of identity management requirements, check it out here.

This article helps you understand how WSO2 Identity Server helps you achieve GDPR compliance.