05 March 2019

10 things you need to know about digital identity

10 points on the what, how and why of digital identity



1. A digital identity can arise in many ways…

At its core, a digital identity is a set of attributes that can allow an individual or entity to be represented in digital form in an online environment. It could even represent a thing.

2. …and take many forms…

A digital identity can take a myriad of forms, ranging from government protocols to private solutions and “self-sovereign” products. Even a gaming “avatar” and a social media profile are forms of digital identity. Digital identity may be accessed via a card / device, username / password or via your biometric data – or a combination.

3. …with a variety of attributes.

The data may be verified by a government body, financial institution or other third party. Conversely, it may simply be self-certified, or even false. It may comprise basic details such as name, date of birth and identification number, or extend to much deeper information, such as medical history, preferences, behaviour and social graph data.

4. Creating a digital identity can be simple or complex…

A digital identity can arise organically from information provided and activities online or it can be purposefully produced. Various technologies underpin these projects, including encryption, cloud, open API and/or blockchain.

5. …and it can be used in a variety of ways…

Digital identity can be used to facilitate identity authentication, digital signatures, rapid form-filling, regulatory compliance, data analytics and building cognitive systems. There are numerous current use cases, including Estonia’s e-identity programme, India’s “Aadhaar” scheme, and industry-specific applications such as Sweden’s “BankID”. The United Nations also deploys digital identity through the World Food Programme.

6. …including smart contracts and IoT.

Digital identities can help power smart contracts. When attached to things, they are also especially useful for building the internet of things (IoT), and assisting with its effectiveness and systemic integrity.

7. It must meet legal and regulatory requirements.

Data privacy, cybersecurity, outsourcing, anti-discrimination laws and other local market expectations must be addressed. If digital identity has a “regtech” compliance aim, it must also be fit for that purpose.

For example, digital identity can only be used for AML/CTF purposes if it is accurate, reliable and up-to-date. Whether or not data meets these tests depends largely on its source. If an open API connects a digital identity with government-held data, for instance, that data is far more reliable than self-certified information.

8. Digital identity does not come without risk…

The most significant risk is data breach, particularly where sensitive information is used. In particular, biometric data can make digital identity more secure, but if “stolen”, it cannot be “reset” as with a username and password. An individual’s fingerprint will always be their fingerprint.

9. …which can be mitigated but not eliminated…

Risk is minimised through proper design, diligence and documentation. Three-factor authentication, the use of open APIs to minimise the creation of “honey pots” of data, regulatory controls and well-drafted contracts are some of the key risk management tools.

Blockchain technology can also be useful, although one of its greatest advantages (immutability) can pose a barrier to privacy compliance if carelessly adopted. This means that legal and regulatory issues must be a part of its fundamental design.

10. …and responsibility must land somewhere.

The use of digital identity needs a robust statutory and/or contractual liability model to address complaints, civil claims and other consequences arising from the misuse, loss or unreliability of data.

Importantly, it is not always possible to contract out of all liability. Regulators also often take a dim view of exclusions that unfairly affect customers. Reputation risk is particularly critical to manage, as digital identity is fundamentally predicated upon trust.
