Implementing client-based access control (CBAC) helps you satisfy the data privacy requirements of the European Union (EU) General Data Protection Regulation (GDPR) and similar regulations. Personal data is associated with an actual person, not with an abstract entity such as a business.
If your application stores data that could be used to identify a person and you are subject to GDPR or similar regulations, use client-based access control to track and process requests to view, change, remove, and restrict the use of personal data, and to show auditors that you have done so.
This article and related articles use the following terminology:
- Pega application
- an application that is built on Pega Platform and contains personally identifiable data
- a person who is a customer of yours and whose personal data you manage. (In GDPR, this person is known as the “data subject.”
- a Pega or non-Pega application that stores personally identifiable data, within which client requests must be enforced. This is a different concept than the repositories that are used in the CI/CD pipeline.
Types of requests
Rectify and erase requests are one-time operations. They do not prevent data from being changed or added again in the future. Pega Platform can be configured to automatically support the following types of personal data requests:
|Personal data request types||Configuration behavior|
|Request to access||Find all the personal data for a client and return the values to the client.|
|Request to rectify||Correct personal data for a client for properties that you support changing.|
|Request to erase||Delete personal data for a client for properties that you support deleting.|
|Request to restrict usage||Prohibit particular functions from accessing data for a given client. For example, a client might consent to use your banking system but not to receive marketing communications.|