Incident Management and CIAM – Revolution through PSD2 and GDPR?

Incident Management is one of the most important areas of IT Service Management and Operations. With GDPR and other EU regulations such as PSD2 and the upcoming ePrivacy regulation, new rights and obligations for data subjects and controllers come into force. What benefits can be leveraged for customers and identity management?

European law and legislation in the form of EU regulations challenge data subjects and controllers alike. Incident Management is especially in focus.

Defective laptops, paper jams, software that does not work: Incident Management takes care of the small and larger issues that arise in our IT-driven day-to-day business. With a constantly growing number of digital business models, digitization shows itself in the transformation of existing structures. Customer relationships, supply chain processes, value creation and the associated risks are becoming more digital and thus a matter for IT, whose sphere of influence grows day by day. IT Service Management therefore gains importance and has a growing contribution to make.

GDPR took the lead when it came into effect at the end of May 2018 after a two-year grace period. PSD2 and ePrivacy build on this regulation, which deals primarily with personal data protection and consent management. While ePrivacy is not finalized yet, PSD2 was already passed in 2017. The date for the final implementation of PSD2 is approaching: September 1st, 2019.

PSD2 is the abbreviation for "Payment Services Directive 2" and opens up the financial markets for a major step towards digitization. Banks must provide interfaces (APIs) through which payment initiation and account information service providers can access payment accounts, and must jointly ensure the smooth flow of payment data, account information and transactions once the account holder has given approval. Together, they need to make sure transactions are frictionless, process account and payment information securely and meet the requirements of a seamless experience. From now on, data subjects should be able to decide for themselves who accesses their account, when and how, and what is subsequently done with the data and information. This new data sovereignty is both an opportunity and an obligation for customers, payment service providers and merchants. Direct account access at the request of a data subject is a step towards free choice of payment and settlement services. At the same time there are risks of misuse and manipulation as well as identity and data theft, because digital crime is booming. Payment Service Providers (PSPs) are therefore not the only ones particularly challenged to take precautions now. Because of GDPR, businesses in general need to cover consent and identity management with a transparent, end-to-end approach.

As part of the introduction of PSD2, numerous requirements (regulatory technical standards, RTS) must be implemented by the beginning of September 2019.

Three examples have top priority:

  • Strong customer authentication based on state-of-the-art technology (two-factor authentication)
  • (Customer) Identity & Access Management (CIAM) and Consent Management
  • Major incidents at a PSP need to be reported to the authorities within four hours

Even for mature IT organizations these terms and disciplines may represent a challenge. Two-factor authentication is not yet implemented at all stages. Incident Management processes have mainly been implemented for internal IT operations and Business Continuity, less so for customers and their data. The tasks companies face when implementing continuous, sustainable CIAM are particularly comprehensive. GDPR has already made Consent Management and the documentation of given consent a mandatory element of customer-facing processes. PSD2 builds on these processes, so they need to be in place.

"Identity is going digital. Due to EU regulations such as PSD2 and GDPR, enterprises need to optimize their Customer Identity & Access Management now."

Since May 2018, data subjects, and thus customers, have new ways of interacting in the form of rights granted by GDPR. Examples of individual rights that can be exercised are the right of access and the right to be forgotten. For data processors, the duty to report a data breach to the authorities requires mature Incident Management processes. Data Protection Authorities and data subjects need to be informed within a 72-hour period. A functioning CIAM is essential in all these areas.

What do businesses need to consider when implementing thorough Consent and Incident Management, and how can CIAM support them?

With GDPR and PSD2, Consent Management is the central part of any customer-facing process. This requires an established CIAM to centrally manage the identity and consent of data subjects. Depending on whether consent to the processing of data has been given or refused, the data subject needs to be provided with transparency about which data is processed, which process is using it and how this is documented. Since consent is usually given electronically rather than verbally or in writing, appropriate documentary precautions must be taken. The same must be covered for the case of an incident. Companies need to review their Incident Management processes with regard to Consent Management, information processes and the new deadlines for incident handling.

Customer Journey vs. Consent Journey

Key information in this regard comes primarily from the perspective of the Consent Journey. While Customer Journeys mostly focus on usage, consumed goods and information processes, Consent Journeys cover information regarding any consent given by data subjects and their individual rights:

  • Fast, transparent insight into given consent
  • Direct overview of how, when and where personal data is processed
  • Interaction according to the data subject rights an individual exercises
  • Documentation of given consent and the related processes

Considering Consent and Customer Journeys together yields the following requirements for IT organization, service and operations:

  • Customer Identity & Access Management (CIAM) as the basis for verifiability of consent and the affected processes, as well as a solution for secure authentication
  • Incident Management as the central element within IT, security and identity processes
  • Business Continuity Management as a process for holistic resilience planning

We meet the challenges of PSD2 for Incident Management and CIAM with our expertise in the areas of ITSM, BPM and GRC.

Ventum Consulting already offered standardized, fully automated and modular processes for GDPR at the beginning of 2018 and has successfully implemented numerous projects since then. We see the requirements arising from EU regulations such as PSD2 and the resulting national laws as an opportunity for digitization. Our customers in the payment, banking, digital services and automotive sectors benefit from the early identification of potential, which we address on an interdisciplinary basis.

Our approach to Incident and Customer Identity & Access Management helps create customer relationships that are legally compliant, transparent and personal, by building sustainable processes and secure technologies. We are experts in combining service processes, security and compliance. Together with us, you will meet the requirements of EU regulations and increase the added value of your IT.


Philipp Karner

T. +49 89 122219642

Philipp Schneidenbach

T. +49 89 122219642
