3 May, 2018

Essentials: Here's How IAM Helps With GDPR

  • Sagara Gunathunga
  • Director - WSO2

The General Data Protection Regulation (GDPR), formalized in the EU parliament in 2016, will come in to effect on May 2018. GDPR compliance is absolutely a must for any organization which processes personal data of individuals who live in EU territory. Managing various security and privacy aspects of individuals is one of the top priorities of any identity and access management (IAM) product and this is the same for WSO2 IS as well. However, GDPR poses several challenges for IAM products in general. Anyone who already uses or evaluates an IAM product for organizational purposes must pay particular attention when evaluating their current candidate IAM products against these challenges set by GDPR. These challenges include:

  • Is the IAM product itself in compliance with GDPR?
  • Are there any toolkits provided by the IAM product to make existing deployments (based on previous releases) GDPR compliant without migration to an updated version ?
  • Can the IAM product be used as a building block to build a GDPR solution for the organization? Can this be done in a time and cost effective manner?
  • Is there any vendor-lock in with your IAM product?
  • Is the IAM product bundled with the necessary knowledge required to implement a GDPR solution within your organization ?

WSO2 Identity Server (WSO2 IS) is a leading open source IAM product and a part of WSO2's suite of technologies. Like all WSO2 products, WSO2 IS is licensed with Apache 2.0 which grants true freedom for users, in other words, as far as you can manage the product yourself, you do not need to purchase any special licenses run WSO2 IS for any production use.

Although foundations of WSO2 Identity Server were built based on well known “Security by Default” and “Privacy by Default” principles from its very first release, during the last few months we have reviewed the product architecture to ensure that the product itself is in compliance with GDPR and the product can be used to build any GDPR solution. This exercise also extends to building a new set of features such as full consent lifecycle management support and the privacy toolkit which can be used not only with latest release but also with older versions which are in a production environment. This is how WSO2 IS can help you meet the challenges set by GDPR:

  • WSO2 IS 5.5.0 (the latest version) is in compliance with GDPR
  • WSO2 Privacy Toolkit can be used with older versions of IS (in fact this toolkit can be used with any WSO2 platform product)
  • WSO2 IS can be used as a building block to build a GDPR solution
  • No vendor lock-in with WSO2 IS
  • WSO2 IS comes with a complete guide including white papers, articles, tutorials, solution briefs, and case studies

Here are some key features in WSO2 IS that helps you support GDPR:

WSO2 Privacy Toolkit

The intention of the privacy toolkit is to build a reusable and independent set of tools that can make systems GDPR compliant. Below are some of the design goals it’s meant to accomplish. The toolkit therefore,

  • Can be used to anonymize PII data scattered in databases that’s connected to WSO2 IS
  • Can be used to anonymize PII data scattered in log files
  • Can be used with older versions of WSO2 IS as well
  • Can be extended to support for custom components deployed in WSO2 IS
  • Should not create performance bottlenecks for running system
  • Should be possible to run the toolkit outside WSO2 IS runtime
  • Should be automation friendly
  • Should provide full flexibility for identity administrators

Consent Lifecycle Management

  • Any self-care user profile creation, user provisioning to other systems, sharing of user attributes through SSO, and identity federation are fully based on user consent
  • Users can review, modify, and revoke previously given consent via the self-care user portal or RESTful Consent API
  • Consent API can also be used to integrate WSO2 IS consent management capabilities with existing applications
  • WSO2 IS can be used to manage consent of any 3rd party application via the RESTful Consent API

Support for Kantara Consent Receipt Specification

We believe in and support open standards. We try to be interoperable with industry standards whenever possible and this motivates us to support the Consent Receipt specification from the Kantara Initiative, in spite of its current draft state. We hope our move will help Kantara Initiative to build the Consent Receipt as a widely used open standard. You can find documentation related to Consent Receipt API from here.

Personal Data Export API

The personal data export API can be used to download the profiles of individuals stored in WSO2 IS in a machine-readable, structured, and well known JSON format. Individuals can download these profiles by logging in to the self-care user portal or the organization can facilitate individuals by integrating existing applications/portals with the RESTful personal data export API exposed by WSO2 IS.

User Self-Care Portal

The self-care portal of WSO2 IS is enriched with a set of new features that enables individuals to use this portal to exercise their individual rights as defined in GDPR. This eliminates the requirement for organizations to build their own user self-care portal. This self-care portal can be rebranded and customized according each organization's theme as well.


If you’re looking to build a GDPR solution or hence feel that using an IAM product will accelerate your GDPR journey, opt for a GDPR compliant IAM product such as WSO2 Identity Server. Download the latest version, WSO2 IS 5.5.0 today, and evaluate it. If you have suggestions, improvements, complaints or issues, report to us through our Github repository here.

Other Helpful Resources

WSO2 IS product download page

WSO2 GDPR landing page


About Author

  • Sagara Gunathunga
  • Director
  • WSO2 Inc