Consent management, interview with a Datastreams Data Protection Officer

Consent management: interview with our Data Protection Officer

After proudly sharing our ‘Consent Manager Solution’ via social media, we received some quite interesting questions from our connections. Therefore, we decided to share our “behind the scenes” steps and reasons for building this solution. What better way to do this than to ask Nick Wood, our ‘Data Protection Officer’, to give us the insights.

Let’s start with the obvious question: Why?

“The GDPR will be effective May 25th 2018 and there will be no room for loose interpretations or excuses. The data subjects’ privacy rights and lawful grounds for collecting and processing their data need to be 100% respected. Asking for consent during the online interaction won’t be a maybe but a MUST. Without explicit consent, organisations won’t have any legitimate grounds for data collection and processing. By neglecting GDPR requirements they risk being heavily fined and their brand damaged.

Next to this external mandatory reason, our strongest drive stems from our corporate belief and main mission statement: ‘Empowering data-driven collaboration by providing governed access to trusted data sources.’ This joint purpose inspires our team to push forward, developing tangible and reliable solutions as fast as we possibly can. Have we found the perfect recipe, yet? That is a debate for another day. For now, we invite everyone to join and give us a hand.”

How does it work?

“Our Consent Manager is built with the ICO GDPR consent guidance in mind and based on the key requirements for asking consent in a GDPR compliant way. Along the way, we realised that offering DPOs the flexibility to adapt their message to various data subjects is very important and a major plus. This enables them to continuously be transparent and in line with the activities done in the background.

During development, we also looked into the robustness of the solution. The DimML language gave us the flexibility to store consent choices in multiple places. This is not only essential for keeping records on consent evidence, but also for reporting purposes in relation to bounce and consent rate.

There is a general fear, that asking for consent will trigger data subjects to avoid sharing their data. As a result, less data can be collected for customer experience insights. We are not that afraid, but strongly believe that by empowering online users in a respectful way, they will feel more engaged and will be more inclined to share their data with trusted organisations.

When it comes to functionality, you can see the Consent Manager as a filter. Based on the choice a data subject makes, only what they agree to share will be forwarded to one or multiple endpoints. Further along the pipeline – through the governed data logistics our Data Stream Manager offers – another filter will be applied to make sure that sensitive data will not be sent to endpoints that do not have the proper security implementations in place.”
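The two-stage filter described in this answer (consent choice first, endpoint security second) together with the consent evidence record mentioned earlier, written out as an added example. This is illustrative Python, not Datastreams code and not DimML; the field policy, endpoint list, event and purpose names are all constructed for the example.

```python
"""Consent-gated event routing: two filters between a data subject's
browser event and the downstream endpoints. Constructed example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy: for each field an event may carry, the purpose it
# serves and whether it is sensitive data. A field flows only when the
# subject consented to that purpose; fields with no policy never flow.
FIELD_POLICY: Dict[str, Tuple[str, bool]] = {
    "page_url":     ("analytics", False),
    "session_id":   ("analytics", False),
    "email":        ("marketing", False),
    "health_topic": ("personalisation", True),   # special category data
}


@dataclass(frozen=True)
class Endpoint:
    name: str
    purposes: Set[str]          # purposes this endpoint is used for
    handles_sensitive: bool     # has the controls required for sensitive data


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence of a consent choice: who, what, when and which notice text."""
    subject_id: str
    granted: frozenset
    notice_version: str
    recorded_at: str


def record_consent(subject_id: str, granted: Set[str], notice_version: str,
                   now: Optional[datetime] = None) -> ConsentRecord:
    """Store the choice with a UTC timestamp and the notice version shown."""
    stamp = now or datetime.now(timezone.utc)
    return ConsentRecord(subject_id, frozenset(granted), notice_version,
                         stamp.isoformat())


def consent_filter(event: Dict[str, str], consent: ConsentRecord) -> Dict[str, str]:
    """Filter 1: keep only fields whose purpose the subject agreed to."""
    kept = {}
    for name, value in event.items():
        policy = FIELD_POLICY.get(name)
        if policy is not None and policy[0] in consent.granted:
            kept[name] = value
    return kept


def endpoint_filter(event: Dict[str, str], endpoint: Endpoint) -> Dict[str, str]:
    """Filter 2: per endpoint, forward only fields matching its purposes and
    withhold sensitive fields from endpoints lacking the required controls."""
    out = {}
    for name, value in event.items():
        purpose, sensitive = FIELD_POLICY[name]
        if purpose not in endpoint.purposes:
            continue
        if sensitive and not endpoint.handles_sensitive:
            continue
        out[name] = value
    return out


def route(event: Dict[str, str], consent: ConsentRecord,
          endpoints: List[Endpoint]) -> Dict[str, Dict[str, str]]:
    """Run both filters and return what each endpoint would actually receive."""
    consented = consent_filter(event, consent)
    return {ep.name: endpoint_filter(consented, ep) for ep in endpoints}


# Constructed sample endpoints and a constructed browser event.
ENDPOINTS = [
    Endpoint("web-analytics", {"analytics"}, handles_sensitive=False),
    Endpoint("crm", {"marketing", "personalisation"}, handles_sensitive=False),
    Endpoint("secure-profile-store", {"personalisation"}, handles_sensitive=True),
]

SAMPLE_EVENT = {
    "page_url": "https://example.test/products",
    "session_id": "sess-0001",
    "email": "visitor@example.test",
    "health_topic": "allergies",
    "device_fingerprint": "abc123",   # no policy entry, so never forwarded
}

if __name__ == "__main__":
    choice = record_consent("subject-42", {"analytics", "personalisation"}, "notice-v3")
    for endpoint_name, payload in route(SAMPLE_EVENT, choice, ENDPOINTS).items():
        print(endpoint_name, payload)
```

With consent for analytics and personalisation only, the analytics endpoint receives the page and session fields, the CRM receives nothing (the email was not consented to and the health field is sensitive), and only the endpoint with the required controls receives the health field. The default-deny on unknown fields is deliberate: a field nobody has classified has no recorded lawful basis and should not be forwarded.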

Who will benefit from this Consent Management Solution?

“In short. Everyone. First of all the Data Subjects. They are the main reason for this whole set up. Through the GDPR, authorities want to give data control back to individuals. We underline this ‘Power to the people’ concept and that’s why we also implemented the Consent Manager on our own website. As stated, offering transparency and trusted experiences to data subjects is one of our core missions.

Furthermore, we discovered that this is also a challenge for our partners and their customers. As a result, we made our Consent Management solution to be flexible and customisable to any requirements Controllers might have.

Secondly, Data Controllers. We started this whole process for our own online environment to be in line with such legislation as the GDPR. We wanted to offer trusted customer experiences to visitors and engage with them, whilst safeguarding our online reputation.

Asking for appropriate consent from data subjects falls under the remit of the Controller’s Data Protection Officer (DPO). Furthermore, he/she needs to make sure their organisation keeps records of consent as evidence, should this be required by regulatory authorities later on. As I mentioned earlier, with our solution you can collect and keep records of the consent choices.

It is also relevant to mention here regular consent reviews. These need to be adapted to continuous business changes. Having a solution that offers the possibility to adapt the message communicated to online users will spare any DPO a lot of headaches.

So last but not least, Data Processors. Only having a Consent Management solution is not sufficient. It needs to be integrated within the entire data logistics process. The process doesn’t stop when the data subject has made a decision in terms of what he/she wants to share. Based on the consent choice, data needs to be collected and processed, then stored and finally visualised to enable data-driven decisions. Integrating this solution with the Data Stream Manager, processors get instant control over the entire process and offer their customers (data controllers) security over their data management process. Thus, building trusted relationships, increasing their business ROI and improving brand reputation.”

What are the plans for the near future?

“We are frequently in touch with our partners and processing their feedback. This way they help us to constantly improve upon the current version. So, stay close to see new developments and should you have any feedback, please let us know.”

Datastreams blog, GDPR requirements and compliance

Is fulfilling the GDPR requirements sufficient to be compliant?

What does GDPR compliance mean? How can you make sure that you are compliant and take the necessary steps as an organization if you do not even understand what it is you need to achieve? There is a lot of buzz around this topic in the blogosphere. And there is a reason for this. This important new EU-wide regulation will be put into practice starting May 2018. As a result, it is time for companies to start taking this “buzz” seriously and try to find their path through it.

Why is this relevant? Because in the end, the GDPR focuses on the protection of personal data and not just the privacy of personal data.

Why should companies take this step? Could it be, the possible huge fines they may receive? The moral ideas behind this regulation? The fact that their customers can lose trust in them, damaging their reputation and even business revenues? Let’s assume that some or all of the above are sufficient reasons for a company to realize it is time to do something and they want to do something about it. Now let’s see how compliance is defined in relation to data protection:
“According to Merriam-Webster, compliance is defined as:

  1. The act or process of complying to a desire, demand, proposal, or regime or to coercion.
  2. Conformity in fulfilling official requirements.
  3. A disposition to yield to others.
  4. The ability of an object to yield elastically when a force is applied.”

Here we will focus on definition number 2, which can be seen as a starting point. A first question organizations should try to answer starting from this definition is, “what are the requirements that I need to fulfil to achieve compliance?”.

To be able to answer that question, an organization needs to first identify its role within the process of dealing with personal data on EU residents. Different requirements apply to different roles:

  • Data controllers – The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by the laws of the European Union or an EU Member State, the controller or the specific criteria for its nomination may be provided for by the laws of the European Union or the EU Member State. (Article 4 (7), GDPR)
  • Data processors – A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. (Article 4 (8), GDPR)
  • Data sub-processors – A natural or legal person, public authority, agency or body other than the data subject, controller or processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. (Article 4 (10), GDPR)


Having established this, what needs to be specified here is that complying with the GDPR “…requires both organizational and technological measures…” As Dana Louise Simberkoff says in her article: “Aside from legal and statutory requirements, we must also understand how policies relate to operational practices, people and technologies within our organizations in order to be truly effective.” She even goes further than this and presents a model to address this challenge. She considers that a combination of education, monitoring and enforcement is key to achieving this.


Education makes perfect sense. Without an educated organization, the chances of succeeding in protecting privacy are quite low and it will be a bumpy ride. Employees need to be made aware of the policies they need to follow to handle personal and sensitive data.

Where is all my data coming from? What are the requirements that need to be applied to that type of personal data? Do I have the right to collect it? Did my customer give his/her consent? Where do I store my data? How do I process this data? All valid questions that need to be taken into account. There may be multiple organisations involved in this process and they may have different requirements. Working clearly across teams, departments, businesses, suppliers and partners with different areas of expertise is of high importance. Digital collaboration is going to be vital to success in order to meet all GDPR obligations.

Once the first step, i.e. education, has been taken, monitoring needs to go hand in hand with it. It is not sufficient to give instructions. You need to follow up and check that they are implemented, and implemented in the right way. This is not a subject to be taken lightly, as organizations need to understand the legal basis for controlling and/or processing data and implement the specific requirements of the GDPR legislation, which are many and varied.


Organisations also need to determine if the right privacy levels are set for the data being collected, regardless of the source. They need to ask questions like: are my employees implementing the initial requirements established? And, am I sending personal and/or sensitive data to unsafe destination points? Constant attention to these processes is needed. The understanding of these (quite a few) new concepts cannot be expected to happen overnight. Especially when there isn’t yet the perfect recipe for success.

Enforcement is seen as the application of the requirements in a controlled way. This starts from a central point where understanding the rights of the data subjects, as defined by the GDPR, is of the utmost importance. Understanding the concepts and then translating them into technical implementations and organizational processes is the test companies need to pass. Data protection by design and by default need to be built into the solutions that will be used.

But this does not end here. Everything needs to be recorded. Who did what, when and where?

As an organization, can you easily answer all these questions in order to be GDPR compliant? Who are you working with and are they also in line with all necessary requirements and obligations? Are all your employees ready for these big steps? Are your customers trusting you with their personal and sensitive data?

In summary, these measures to fulfil requirements will have no importance if they are not centred around the core GDPR principles to protect data subjects’ rights, i.e.:

  • The right to require rectification of personal data
  • The right to erase personal data (“right to be forgotten”)
  • The right to prevent further processing of personal data (“restriction”)
  • The right to transfer data (“data portability”)
  • The right to be informed when personal data breaches take place

If you can meet all of these principles and prove you do so each and every day, then you will be truly GDPR compliant.