Consent management, interview with a Datastreams Data Protection Officer

Consent management: interview with our Data Protection Officer

After proudly sharing our ‘Consent Manager Solution’ via social media, we received some quite interesting questions from our connections. Therefore, we decided to share our “behind the scenes” steps and reasons for building this solution. How better to do this than to ask Nick Wood, our ‘Data Protection Officer’, to give us the insights.

Let’s start with the obvious question: Why?

“The GDPR will be effective May 25th 2018 and there will be no room for loose interpretations or excuses. The data subjects’ privacy rights and lawful grounds for collecting and processing their data need to be 100% respected. Asking for consent during the online interaction won’t be a maybe but a MUST. Without explicit consent, organisations won’t have any legitimate grounds for data collection and processing. By neglecting GDPR requirements they risk being heavily fined and having their brand damaged.

Next to this external mandatory reason, our strongest drive stems from our corporate belief and main mission statement: ‘Empowering data-driven collaboration by providing governed access to trusted data sources.’ This joint purpose inspires our team to push forward, developing tangible and reliable solutions as fast as we possibly can. Have we found the perfect recipe, yet? That is a debate for another day. For now, we invite everyone to join and give us a hand.”

How does it work?

“Our Consent Manager is built with the ICO GDPR consent guidance in mind and based on the key requirements for asking consent in a GDPR-compliant way. Along the way, we realised that offering DPOs the flexibility to adapt their message to various data subjects is very important and a major plus. This enables them to continuously be transparent and in line with the activities done in the background.

During development, we also looked into the robustness of the solution. The DimML language gave us the flexibility to store consent choices in multiple places. This is not only essential for keeping records on consent evidence, but also for reporting purposes in relation to bounce and consent rate.

There is a general fear that asking for consent will trigger data subjects to avoid sharing their data. As a result, less data can be collected for customer experience insights. We are not that afraid, but strongly believe that by empowering online users in a respectful way, they will feel more engaged and will be more inclined to share their data with trusted organisations.

When it comes to functionality, you can see the Consent Manager as a filter. Based on the choice a data subject makes, only what they agree to be shared will be forwarded to one or multiple endpoints. Further along the pipeline – through the governed data logistics our Data Stream Manager offers – another filter will be applied to make sure that sensitive data will not be sent to endpoints that do not have the proper security implementations in place.”

Who will benefit from this Consent Management Solution?

“In short. Everyone. First of all the Data Subjects. They are the main reason for this whole set up. Through the GDPR, authorities want to give data control back to individuals. We underline this ‘Power to the people’ concept and that’s why we also implemented the Consent Manager on our own website. As stated, offering transparency and trusted experiences to data subjects is one of our core missions.

Furthermore, we discovered that this is also a challenge for our partners and their customers. As a result, we made our Consent Management solution flexible and customisable to any requirements Controllers might have.

Secondly, Data Controllers. We started this whole process for our own online environment to be in line with such legislation as the GDPR. We wanted to offer trusted customer experiences to visitors and engage with them, whilst safeguarding our online reputation.

Asking for appropriate consent from data subjects falls under the remit of the Controller’s Data Protection Officer (DPO). Furthermore, he/she needs to make sure their organisation keeps records of consent as evidence, should this be required by regulatory authorities later on. As I mentioned earlier, with our solution you can collect and keep records of the consent choices.

It is also relevant to mention regular consent reviews here. These need to be adapted to continuous business changes. Having a solution that offers the possibility to adapt the message communicated to online users will spare any DPO a lot of headaches.

So last but not least, Data Processors. Only having a Consent Management solution is not sufficient. It needs to be integrated within the entire data logistics process. The process doesn’t stop when the data subject has made a decision in terms of what he/she wants to share. Based on the consent choice, data needs to be collected and processed, then stored and finally visualised to enable data-driven decisions. By integrating this solution with the Data Stream Manager, processors get instant control over the entire process and offer their customers (data controllers) security over their data management process, thus building trusted relationships, increasing their business ROI and improving brand reputation.”

What are the plans for the near future?

“We are frequently in touch with our partners and processing their feedback. This way they help us to constantly improve upon the current version. So, stay close to see new developments and should you have any feedback, please let us know.”

Datastreams blog: GDPR requirements and compliance

Is fulfilling the GDPR requirements sufficient to be compliant?

What does GDPR compliance mean? How can you make sure that you are compliant and take the necessary steps as an organization if you do not even understand what it is you need to achieve? There is a lot of buzz around this topic in the blogosphere, and there is a reason for this: this important new EU-wide regulation will be put into practice starting May 2018. As a result, it is time for companies to start taking this “buzz” seriously and try to find their path through it.

Why is this relevant? Because in the end, the GDPR focuses on the protection of personal data and not just the privacy of personal data.

Why should companies take this step? Could it be the possible huge fines they may receive? The moral ideas behind this regulation? The fact that their customers can lose trust in them, damaging their reputation and even business revenues? Let’s assume that some or all of the above are sufficient reasons for a company to realize it is time to do something, and that they want to do something about it. Now let’s see how compliance is defined in relation to data protection:
“According to Merriam-Webster, compliance is defined as:

  1. The act or process of complying to a desire, demand, proposal, or regime or to coercion.
  2. Conformity in fulfilling official requirements.
  3. A disposition to yield to others.
  4. The ability of an object to yield elastically when a force is applied.”

Here we will focus on definition number 2, which can be seen as a starting point. A first question organizations should try to answer starting from this definition is, “what are the requirements that I need to fulfil to achieve compliance?”.

To be able to answer that question, an organization needs to first identify its role within the process of dealing with personal data on EU residents. Different requirements apply to different roles:

  • Data controllers – The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by the laws of the European Union or an EU Member State, the controller or the specific criteria for its nomination may be provided for by the laws of the European Union or the EU Member State. (Article 4 (7), GDPR)
  • Data processors – A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. (Article 4 (8), GDPR)
  • Data sub-processors – A natural or legal person, public authority, agency or body other than the data subject, controller or processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. (Article 4 (10), GDPR)


Having established this, what needs to be specified here is that complying with the GDPR “…requires both organizational and technological measures…” As Dana Louise Simberkoff says in her article: “Aside from legal and statutory requirements, we must also understand how policies relate to operational practices, people and technologies within our organizations in order to be truly effective.” She even goes further than this and presents a model to address this challenge. She considers that a combination of education, monitoring and enforcement is key to achieving this.


Education makes perfect sense. Without an educated organization, the chances of succeeding at protecting privacy are quite low and it will be a bumpy ride. Employees need to be made aware of the policies they need to follow to handle personal and sensitive data.

Where is all my data coming from? What are the requirements that need to be applied to that type of personal data? Do I have the right to collect it? Did my customer give his/her consent? Where do I store my data? How do I process this data? All valid questions that need to be taken into account. There may be multiple organisations involved in this process and they may have different requirements. Working clearly across teams, departments, businesses, suppliers and partners with different areas of expertise is of high importance. Digital collaboration is going to be vital to success in order to meet all GDPR obligations.

Once the first step has been taken, i.e. education, monitoring needs to go hand in hand with this. It’s not sufficient to give instructions. You need to follow up and see they are implemented and done so in the right way. This is not a subject to be taken lightly as organizations need to understand the legal basis of controlling and/or processing data and implement the specific requirements from the GDPR legislation, which are many and varied.


Organisations also need to determine if the right privacy levels are set for the data being collected, regardless of the source. They need to ask questions like: are my employees implementing the initial requirements established? And, am I sending personal and/or sensitive data to unsafe destination points? Constant attention to these processes is needed. The understanding of these (quite a few) new concepts cannot be expected to happen overnight. Especially when there isn’t yet the perfect recipe for success.

Enforcement is seen as the application of the requirements in a controlled way. This starts from a central point where understanding the rights of the data subjects, as seen by the GDPR, is of the utmost importance. Understanding the concepts and then translating these into technical implementations and organizational processes is the test companies need to pass. Data protection by design and by default needs to be built into the solutions that will be used.

But this does not end here. Everything needs to be recorded. Who did what, when and where?

As an organization, can you easily answer all these questions in order to be GDPR compliant? Who are you working with and are they also in line with all necessary requirements and obligations? Are all your employees ready for these big steps? Are your customers trusting you with their personal and sensitive data?

In summary, these measures to fulfil requirements will have no importance if they are not centred around the core GDPR principles to protect data subjects’ rights, i.e.:

  • The right to require rectification of personal data
  • The right to erase personal data (“right to be forgotten”)
  • The right to prevent further processing of personal data (“restriction”)
  • The right to transfer data (“data portability”)
  • The right to be informed when personal data breaches take place

If you can meet all of these principles and prove you do so each and every day, then you will be truly GDPR compliant.


The GDPR: 5 questions data-driven companies should ask

Data is rapidly becoming the lifeblood of the global economy. In the world of Big Data and artificial intelligence, data represents a new type of economic asset that can offer companies a decisive competitive advantage, as well as damage the reputation and bottom-line of those that remain unsuccessful at ensuring the security and confidentiality of critical corporate and customer data.

Despite the severe repercussions of compromised data security, until recently the fines for breach of data protection regulations were limited and enforcement actions infrequent. However, the introduction of a potentially revolutionary European General Data Protection Regulation (GDPR) is likely to transform the way data-driven companies handle customer data by exposing them to the risk of hefty fines and severe penalties in the event of non-compliance and data breach.

In this article, we have tried to summarise the implications of GDPR implementation for data-driven companies, as well as the measures businesses can take to ensure the security and privacy of clients’ data and avoid the penalties associated with non-compliance.

How Does GDPR Impact Data-Driven Organisations?
The General Data Protection Regulation (GDPR) stands out from all existing regulations because of its breadth of client data protection. From conditions on cross-border data transfer to the need to implement, review, and update adequate technical and organisational measures to protect customer data, the GDPR introduces several new legislative requirements that will significantly impact the way businesses collect, manage, protect, and share both structured and unstructured data. I have described a few of the most important ones below.

  • Valid and Verifiable Consents — It can be argued that the GDPR is all about consent: it protects European citizens by giving them the means to object to or give permission for the processing of their personal data. The GDPR sets out stringent new requirements for obtaining consent for the processing of personal data from customers. According to the new legislation, companies should make the process of withdrawing consent as easy as giving it. Furthermore, the consent should be explicit and well informed, with full transparency on the intended purpose and use.
  • Data Protection by Design and Default — Up until now, businesses were required to take technical and organisational measures to protect personal data. But implementation of the GDPR will require companies to demonstrate that the data protection measures are continuously reviewed and updated.
  • Data Protection Impact Assessment (DPIA) — DPIAs are used by organisations to identify, understand, and mitigate any risks that might arise when developing new solutions or undertaking new activities that involve the processing of customer data, such as data analytics and all data-driven applications, including BI, data warehouses, data lakes, and marketing applications. GDPR makes it a mandatory requirement for all organisations to conduct a DPIA and consult with a Data Protection supervisory authority if the assessment shows an inherent risk.

What are the Possible Consequences of Non-Compliance?
The GDPR subjects data controllers and processors that fail to comply with its requirements to severe consequences. These consequences, contrary to what most people believe, are not just limited to monetary penalties. Instead, they can potentially damage a business’s reputation and bottom-line. There are three factors that together make the GDPR the most stringent regulation in the European data protection regime.

  • Reputational Risk — The reputational risks of any data breach are always severe. However, implementation of the GDPR, with its obligation to notify authorities in case of data breaches, is likely to result in increased enforcement activity. This will consequently bring data protection breaches to light, compromising a company’s market position and reputation.
  • Geographic Risk — All organisations offering goods or services to EU markets or monitoring the behaviour of EU citizens are subject to the GDPR. This includes all data analytics companies as well.
  • Huge Fines — Failure to comply with the new regulations will lead to significant fines of up to 20 million EUR or 4 percent of the company’s global turnover, whichever is higher.

To avoid the huge fines and severe penalties, businesses need to have complete and mature data governance in place. From revising the existing contracts in place to getting buy-in from the key people in organisations, businesses will be required to review their entire data process management approach in order to become compliant and mitigate reputational and financial risks.

5 Questions to Address and Mitigate the Risk of Non-Compliance

1. How can I minimise risks and protect my business’s reputation?
Taking the following measures can help you ensure your compliance to the new data protection legislation.

  • Define Personal Client Data — Document what types of personal data your company processes, where it came from, and who you share it with, to improve documentation. For example, if you hold inaccurate personal data and you have shared it with another organisation, you won’t be able to identify the inaccuracy and report it to your business partner unless you know what personal data you hold. Therefore, begin with a thorough review of your existing database.
  • Manage Data Streams and Processes — Develop a roadmap to determine your sources for data input, data processing tools, techniques, and methodologies that you use, and how the data you hold is shared with other businesses. Once you have listed all the inputs and outputs, evaluate their compliance to the new regulations, and take adequate measures to ensure good data governance.
  • Designate a Data Protection Officer — Designate a Data Protection Officer who has the knowledge, support, and authority to assess and mitigate non-compliance risks.
  • Ensure Swift Response to Withdrawal Requests — Respond to the customers’ requests of consent withdrawal in an efficient manner and update the system to flag that the user has withdrawn consent to prevent further direct marketing.

2. How can my business protect personal data?
The new data protection regulations apply to data that allow direct or indirect identification of an individual by anyone. As a result, cookie IDs, online identifiers, device identifiers, and IP addresses are categorised as personal data under the GDPR. To ensure the security and confidentiality of the newly defined categories of personal data, businesses can use the following measures:

Adopt a Protection by Design Approach — There are certain ‘protection by design’ techniques that businesses can use to protect the personal data of their customers. These include:

  • Pseudonymisation — Pseudonymisation (implemented with techniques such as encryption, tokenisation or hashing) separates the personal data of customers into two parts in such a manner that one part can no longer be attributed to an individual unless combined with the second part, which is kept separately and is subject to its own data protection measures.
  • Data Minimisation — As the name implies, data minimisation is about ensuring that only the data that’s necessary for a specific purpose is processed, used, or stored.
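The following Python sketch is an added illustration, not Datastreams’ code, of the two filters Nick Wood describes (forward only what the subject consented to, and send sensitive fields only to endpoints with proper security) combined with the pseudonymisation split and data minimisation listed above. The field classifications, purposes, endpoint flags and sample event are assumed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed classification of fields and purposes (assumed for the example).
DIRECT_IDENTIFIERS = {"email", "name"}
SENSITIVE_FIELDS = {"health_status"}
PURPOSE_FIELDS = {  # data minimisation: the fields each purpose may receive
    "analytics": {"page", "referrer", "email", "health_status"},
    "marketing": {"email", "name", "page"},
}


class ConsentManager:
    def __init__(self, secret: bytes):
        self._secret = secret
        self.consents = {}                # subject_id -> set of consented purposes
        self.evidence_log = []            # consent records kept as evidence
        self.reidentification_store = {}  # token -> identifier, held separately

    def _log(self, subject_id: str, action: str, purposes: set) -> None:
        self.evidence_log.append({
            "subject": subject_id, "action": action, "purposes": sorted(purposes),
            "ts": datetime.now(timezone.utc).isoformat(),
        })

    def record_consent(self, subject_id: str, purposes: set) -> None:
        self.consents[subject_id] = set(purposes)
        self._log(subject_id, "consent", purposes)

    def withdraw(self, subject_id: str) -> None:
        # Withdrawal must be as easy as giving consent: one call clears all purposes.
        self.consents[subject_id] = set()
        self._log(subject_id, "withdraw", set())

    def pseudonymise(self, value: str) -> str:
        # Keyed hash: without the secret, tokens cannot be matched to guessed values.
        token = hmac.new(self._secret, value.encode(), hashlib.sha256).hexdigest()[:16]
        self.reidentification_store[token] = value  # the separately kept second part
        return token

    def filter_for_endpoint(self, subject_id: str, event: dict, endpoint: dict):
        """Return the payload allowed for `endpoint`, or None if nothing may be sent."""
        consented = self.consents.get(subject_id, set())
        if endpoint["purpose"] not in consented:
            return None                                # filter 1: consent choice
        payload = {}
        for field, value in event.items():
            if field not in PURPOSE_FIELDS[endpoint["purpose"]]:
                continue                               # data minimisation
            if field in SENSITIVE_FIELDS and not endpoint["secure"]:
                continue                               # filter 2: sensitive data only to secured endpoints
            if field in DIRECT_IDENTIFIERS:
                value = self.pseudonymise(value)
            payload[field] = value
        return payload


def demo():
    """Constructed sample: one subject consents to analytics only, then withdraws."""
    cm = ConsentManager(secret=b"example-key-not-for-production")
    event = {"email": "alice@example.com", "name": "Alice", "page": "/pricing",
             "referrer": "/home", "health_status": "allergy"}
    analytics = {"purpose": "analytics", "secure": False}
    marketing = {"purpose": "marketing", "secure": True}
    cm.record_consent("subj-1", {"analytics"})
    before = (cm.filter_for_endpoint("subj-1", event, analytics),
              cm.filter_for_endpoint("subj-1", event, marketing))
    cm.withdraw("subj-1")
    after = cm.filter_for_endpoint("subj-1", event, analytics)
    return {"before": before, "after": after, "cm": cm}
```

In the sample run the analytics endpoint receives only the page, the referrer and a pseudonymised e-mail (the health field is withheld because that endpoint is not flagged secure), the marketing endpoint receives nothing, and after withdrawal nothing is forwarded at all.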

3. How can my company implement technical infrastructure that will ensure optimal governance of client data?
GDPR not only requires businesses to implement a well-built and foolproof infrastructure to collect, store, and process data, but also directs them to continuously review and update the infrastructure. Here are a few ways businesses can ensure their compliance to these new legislations.

  • Align Data & Analytics Strategy with Policies — Businesses should focus on developing a data and analytics infrastructure that’s CONTROLLED, PORTABLE, and COMPLIANT. To ensure this, data collection should be purpose driven, i.e. only data that is required to fulfill a specific requirement or purpose should be collected and processed. Data collection should be compliant: customers should be provided with a right to object to data collection and processing for direct marketing purposes. Data collected with the consent of clients should be kept in self-controlled storage and processed according to all applicable data protection regulations.
  • Manage Data Lineage — Certain data governance solutions offered by leading tech companies can help businesses streamline their data handling processes, exercise greater control and get improved visibility throughout the data lifecycle. They help businesses adopt a standardised approach to discovering their IT assets, define a common business language to ensure optimal policy and metadata management, create a searchable catalogue of information assets, and develop a point of access and control for data stewardship tasks.

4. How can my business uphold these new regulations and define client data collection and storage?
To enhance the compliance of their client data collection and storage processes, businesses should seek assurance from a data protection officer who can inform and advise the business about its obligations pursuant to the regulation, monitor the implementation and application of adequate data protection policies, and ensure optimal training of staff involved in data collection and processing operations. In addition to this, designating a data protection officer can also help businesses monitor their incoming data streams and how they should be treated.

5. How can my business handle different types of data streams?
To ensure their compliance to the GDPR and avoid the severe consequences of non-compliance, businesses are not only required to ensure optimal control and privacy of static batch data, but also develop means to collect, categorise, and process data provided by high-speed data streams. Data stream management software is a viable solution to this challenge. A data stream manager allows businesses to:

  • Collect and distribute data in a private and compliant way
  • Reduce costs and complexity in data life cycle management
  • Have real-time access to all structured and unstructured data via the cloud or on premise
  • Centralise all data sources for improved visibility and control
  • Develop a controlled environment for data-driven operations

With a data stream manager, Data Protection Officers can define privacy levels, manage user rights, get an insight into how their info is being collected or used, and more.

Many of the GDPR’s principles are much the same as the current data protection regulations. Therefore, if your business is operating in compliance to the current law, you can use your current approach to data protection as a starting point to build a new, more robust and secure GDPR-compliant data protection infrastructure.