Enabling GDPR compliance

Some CIAM platforms offer high protection of Personally Identifiable Information (“PII”) and passwords, namely those that are certified against ISO 27001:2013 and SOC2 Type II standards.

So, how to make best use of the CIAM platform to have your web presence comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679)?


GDPR Art. 12 requires transparency about how PII is collected and processed. Our architecture services set the principles to build on the superior security of a CIAM platform to protect PII. We diagnose your IT landscape to reduce the proliferation of PII and to control when, how, why and what data is copied to other systems. As such, they offer the opportunity to weed out sensitive data from your web servers and back-end systems.

Secondly, we ensure the user profile maintains metadata, such as the source, the cause, the version and the timestamp, for crucial elements.

specific consent

GDPR Art. 4§11 and 6§1 forbids the processing of PII without consent. This means that collecting behaviour-related data and connecting it to an anonymous user (for example the IP address) is no longer allowed.

Our miaa Self-service App reduces the friction for users to register. That in itself enables consents to be obtained. Additionally and in combination with the miaa PolicyChecker, it it is designed to obtain a fresh consent in case the your privacy policy has been updated. It stores the consent opt-in/opt-out and the corresponding source, timestamp, and indicated purpose.

user’s right to access

GDPR Art. 15§1 requires that users must be able to view the data that is collected about them. Our widget makes this scalable and effortless thanks to the self-service ‘my account’ panels.

user’s right to be forgotten

GDPR Art. 17§1 requires that users can ask to be forgotten. When the user asks to be forgotten, our miaa Self-service App erases all PII in the account. It does maintain a record of certain data to remember who must be forgotten and to be able to investigate potential privacy complaints. The miaa PushConnector plug-in can additionally ensure that the forget-me instruction is pushed to back-end systems.

user’s right to object

GDPR Art. 21 requires that users can ask that their PII is not used for profiling. Our miaa Self-service App offers the option to withdraw a consent and the miaa PushConnector plug-in pushes such withdrawal to the back-end systems.

parent’s consent

GDPR Art. 8 requires consent by the holder of parental responsibility over the child, when processing PII of a child below the age of 16. Our miaa PrivateGroups is designed to self-administer families and households, so that parents can provide consent for their child and control the access to the child’s PII.


→ Contact us if you are interested in an audit, a quick scan or a workshop. Read also our own Privacy Policy.