In today's data-driven world, safeguarding personal information is paramount. Organizations handling sensitive client data must comply with stringent regulations, such as the EU's General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and others. Pega Infinity™, a leading platform for digital transformation, offers robust Client-Based Access Control (CBAC) to help businesses manage and protect personal data effectively. This blog explores how CBAC in Pega Infinity empowers organizations to meet compliance requirements, enhance data security, and build trust with clients.
What is Client-Based Access Control?
Client-Based Access Control in Pega Infinity is a framework that is designed to enable clients (or data subjects) to control their personally identifiable information (PII). CBAC enables customers to view, change, or delete their data stored in Pega applications, aligning with data privacy laws. It provides a structured way to process client requests while ensuring transparency and auditability, which are critical for regulatory compliance.
CBAC is particularly valuable for organizations that are subject to GDPR, CCPA, and similar regulations, as it facilitates the management of data rights requests, such as the right to access, edit, or erase PII. By implementing CBAC, businesses can streamline compliance processes and demonstrate accountability to regulators and clients alike.
Why CBAC matters in Pega Infinity
Pega Infinity's CBAC functionality is a cornerstone for organizations aiming to balance operational efficiency with data privacy. Here's why it's a game-changer:
- Regulatory Compliance: CBAC helps organizations meet GDPR and CCPA requirements by enabling clients to exercise their data rights. For example, Pega applications can process requests to access or delete personal data, ensuring compliance with legal mandates.
- Enhanced Client Trust: By giving clients control over their data, CBAC fosters transparency and builds trust. Clients feel empowered knowing they can access or modify their information through self-service portals or customer service channels.
- Streamlined Data Management: CBAC can work in tandem with any GDPR request management application, built with any technology, through the Privacy APIs exposed from Pega Infinity. This enables seamless communication for retrieval, modification, or deletion of personal data.
- Secured Access Control: CBAC helps organizations to meet GDPR and CCPA compliance by providing simple configurations for retrieval, modification, or deletion of personal data, while also ensuring that proper access control is applied. Only requests with the right access control are authorized to perform the required CBAC actions.
How does CBAC work in Pega Infinity?
Configuring CBAC is straightforward. To understand CBAC, we first need to learn about the Privacy APIs exposed from Pega Infinity. These APIs are available out of the box:

All of the Privacy APIs are driven by CBAC rules that are configured by the application developer. The request and response formats from these APIs are determined by the CBAC rules. The caller of the APIs must have the PegaAPIDataPrivacyAdmin Access Role. Without this role, the caller won't be able to access or update the requested data. This ensures that only requestors with the right access control are authorized to perform the required CBAC actions.
Now let's look at the details of the CBAC rule. A CBAC rule has two important components. The first is the list of fields containing personal information that the application developer wants to expose through the Privacy APIs. Here, the developer can choose whether to allow modification and deletion of each field containing personal information. It may not be feasible to change or delete certain personal information while also maintaining data integrity in the application; decisions in this regard should be based on business needs and application design. Pega apps do, however, allow the editing and deletion options to be enabled for all fields. Developers can also define an external-facing label for each field, providing a human-friendly name for the properties that appear in the Privacy APIs' response payload:

The second important section in the CBAC rule is the identifier. Application developers can define the identifiers in the application that are used to uniquely identify a client. Here too, an external label can provide a user-friendly name. Multiple identifiers can be configured if needed to uniquely identify a client.

If an application needs to perform additional actions for accessing, changing, or deleting data, developers can create custom activities to meet those needs. These custom activities can be configured in the Custom settings in the CBAC rule. This feature is particularly useful for applications storing customer data in non-Pega data sources that require custom logic to access, update, or delete the data.
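To make the rule structure described above concrete, here is an added toy model (not Pega's code, and not a real Privacy API client) of how a CBAC rule drives the three privacy actions: a field list with per-field allow-modify and allow-delete flags and external labels, a set of identifiers addressed by their external labels, a mandatory check for the PegaAPIDataPrivacyAdmin access role before any action, and an optional custom hook standing in for the custom activities used for non-Pega data sources. The sample records, the `_external_erase` hook and all function names are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

REQUIRED_ROLE = "PegaAPIDataPrivacyAdmin"   # access role named in the post


@dataclass
class PiiField:
    prop: str            # internal property name
    label: str           # external-facing label used in API payloads
    allow_modify: bool   # may the client change this field?
    allow_delete: bool   # may the client erase this field?


@dataclass
class CbacRule:
    identifiers: Dict[str, str]          # internal property -> external label
    fields: List[PiiField]
    # hypothetical custom hook standing in for a custom activity that acts
    # on data held outside the Pega store
    custom_delete: Optional[Callable[[dict], None]] = None


class AccessDenied(Exception):
    pass


# Constructed sample data store with two client records
STORE = [
    {"CustomerID": "C-100", "Email": "a@example.test", "FullName": "A. Person",
     "LoyaltyID": "L-1", "AccountNumber": "ACC-1"},
    {"CustomerID": "C-200", "Email": "b@example.test", "FullName": "B. Person",
     "LoyaltyID": "L-2", "AccountNumber": "ACC-2"},
]

# Ids an external (non-Pega) system would erase via the custom hook
EXTERNAL_DELETES: List[str] = []


def _external_erase(rec: dict) -> None:
    EXTERNAL_DELETES.append(rec["CustomerID"])


RULE = CbacRule(
    identifiers={"CustomerID": "Customer ID", "Email": "Email address"},
    fields=[
        PiiField("FullName", "Full name", allow_modify=True, allow_delete=True),
        PiiField("LoyaltyID", "Loyalty program ID", allow_modify=True, allow_delete=True),
        # kept read-only for data integrity: exposed, but not editable or erasable
        PiiField("AccountNumber", "Account number", allow_modify=False, allow_delete=False),
    ],
    custom_delete=_external_erase,
)


def _authorize(roles) -> None:
    # every privacy action is refused unless the caller holds the admin role
    if REQUIRED_ROLE not in roles:
        raise AccessDenied(f"caller lacks {REQUIRED_ROLE}")


def _find(rule: CbacRule, ident_label: str, ident_value: str) -> List[dict]:
    # identifiers are addressed by their external label, never by internal name
    internal = {lbl: prop for prop, lbl in rule.identifiers.items()}.get(ident_label)
    if internal is None:
        raise KeyError(f"unknown identifier {ident_label!r}")
    return [r for r in STORE if r.get(internal) == ident_value]


def access_pii(rule: CbacRule, roles, ident_label: str, ident_value: str) -> List[dict]:
    """Return only the exposed fields, keyed by their external labels."""
    _authorize(roles)
    return [{f.label: rec.get(f.prop) for f in rule.fields}
            for rec in _find(rule, ident_label, ident_value)]


def modify_pii(rule: CbacRule, roles, ident_label: str, ident_value: str,
               changes: Dict[str, str]) -> dict:
    """Apply changes (external label -> new value); report what was rejected."""
    _authorize(roles)
    by_label = {f.label: f for f in rule.fields}
    recs = _find(rule, ident_label, ident_value)
    applied, rejected = [], []
    for label, value in changes.items():
        f = by_label.get(label)
        if f is None or not f.allow_modify:   # unknown or read-only field
            rejected.append(label)
            continue
        for rec in recs:
            rec[f.prop] = value
        applied.append(label)
    return {"applied": applied, "rejected": rejected}


def delete_pii(rule: CbacRule, roles, ident_label: str, ident_value: str) -> int:
    """Erase every deletable field; return the number of records processed."""
    _authorize(roles)
    recs = _find(rule, ident_label, ident_value)
    for rec in recs:
        for f in rule.fields:
            if f.allow_delete:
                rec[f.prop] = None
        if rule.custom_delete:               # extra work for non-Pega data
            rule.custom_delete(rec)
    return len(recs)
```

The point to notice is that the response payload and the accepted change set are both derived from the rule: a caller never sees or addresses internal property names, a request touching a read-only field is reported as rejected rather than silently applied, and a caller without the required role is refused before any record is even looked up.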
Implementing CBAC in Pega Infinity: Best Practices
To maximize the benefits of CBAC, organizations should follow these best practices:
- A single application to manage all personal data: It's beneficial to have one application to manage all GDPR requests. This app can be exposed to clients or operated by back-office agents. This GDPR management application can connect with all Pega and non-Pega applications through REST and act on all privacy-related requests.
- Identify personal data: Conduct a thorough assessment to identify all PII stored in your Pega applications and external systems.
- Never ignore data stored on external systems: If customer data is stored in external systems, ensure that custom settings are in place to perform the required actions according to privacy needs.
- Keep your CBAC rules up to date: Update your CBAC rules as your application evolves. For example, if you've added new properties such as loyalty program IDs to enhance your application, update the CBAC configuration to include them.
- Stay updated: Always use the latest version of Pega Infinity, to ensure that you're using the most current, secure, and feature-rich version available.
Client-Based Access Control in Pega Infinity is a powerful tool for organizations navigating the complexities of data privacy and compliance. By enabling clients to manage their personal data, CBAC not only ensures adherence to regulations such as GDPR and CCPA, but also strengthens customer trust and operational efficiency. With flexible configurations and seamless integrations, CBAC is essential for businesses prioritizing data privacy.