Consent, explicit vs. unambiguous, the difference Datastreams Blog!

Explicit vs. unambiguous consent: what’s the difference?

Consent is as crucial as it is complicated. As one of the legal grounds for data processing, asking for consent is often an important part of personal data collection. While the GDPR clarifies a lot of the confusion and vagueness about the meaning of consent, there is still some confusion over one thing: Explicit consent. The GDPR defines consent as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” 

Delving deeper, according to various sections within the GDPR, there are two types of consent: Unambiguous consent (Article 4) and Explicit consent (Article 9.1). If the data is ordinary, non-sensitive personal data, “unambiguous” consent suffices. However, “explicit” consent is required if the data in question is sensitive data (data concerning physical or mental health, racial or ethnic origin, etc.). So, what exactly is the difference?

Explicit versus Unambiguous consent
The difference between “unambiguous consent” and “explicit consent” is not immediately a clear one. Since consent must always be informed, specific and communicated through affirmative action, it seems that any type of consent will require a data subject to be fully aware of what they are agreeing to and clearly indicate their agreement with this. Isn’t all consent that is unambiguous and informed automatically explicit? Not necessarily.

Explicit consent
Let’s start with explicit consent. Explicit consent requires a subject to clearly and explicitly agree to their personal and (crucially) sensitive data being processed.

Under GDPR Article 9, explicit consent is required for the processing of certain “special” types of personal data. Examples include racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Explicit consent must be obtained through a statement that should: “specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer”. (Directive 95/46/EC, Article 29).

Explicit consent, then, consists of nothing less than presenting the data subject with an explicit statement regarding the specific personal data to be collected and an explicit action by the subject agreeing with this statement (such as ticking a box saying ‘I agree’). Simply stated: the data subject should quite literally and explicitly say “I consent” for consent to be considered explicit.

Unambiguous (implied) consent
Consent for regular, non-sensitive personal data doesn’t necessarily need to be explicit, but it does need to be unambiguous. We can call this unambiguous, implied consent. Unambiguous, implied consent is best explained through an example.

Say a person wants to answer an online competition. They enter several optional pieces of information, including their email address. Above the field it is stated that ‘we will use your email to keep you up to date on special offers’. By entering their email address after reading the notice, the subject consents to giving their information (that is, their email address) without ever explicitly stating ‘I consent’ or ‘I agree’. The affirmative action of entering their email is enough to constitute unambiguous consent, even though it is implicit and not said ‘out loud’.

The five pillars of GDPR Consent

Consent has long been an important term in the world of data governance and is an important tenet of data protection law. Obtaining consent from an individual to process their data is one way of establishing a legal basis for data processing. With the GDPR approaching, companies will have to ensure that the consent received from subjects is in line with the GDPR standards. To this end, the GDPR provides a much-needed, updated definition of consent, defining it as:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Evidently, to comply with the GDPR regulations, consent needs to be:

Freely given
Consent needs to be obtained freely without coercion. Providing consent should be a genuine choice of the data subject; they should not have been intimidated or misled into providing it. Consent will not be considered freely given if:

  • The data subject has no genuine choice in providing consent or cannot easily and without detriment withdraw consent.
  • There is a clear imbalance between controller and data subject (e.g. employer and employee).
  • The performance of a contract is made conditional on the subject’s consent to data processing activities which are not required for the performance of the contract.

Specific
Consent must be obtained for specific processing operations. It needs to be given (separately) for all specific processing operations covering all purposes. Blanket consent for unspecified data processing operations is not valid consent.

Informed
The request for consent should be easily distinguishable from other matters and presented in clear and plain language. A consent request can therefore not be wrapped up in a wider set of terms and conditions. Furthermore, for consent to be informed, the data subject should at least be informed about the extent to which they are consenting, the identity of the controller and the nature of the processing prior to giving consent. This should be explained in an intelligible and easily accessible form. Finally, the subject should be explicitly informed about their right to withdraw consent at any time and about their right to be forgotten.

Unambiguous
The way in which consent is obtained should leave no room for doubt about the subject’s wishes and intentions when consenting. When consent is obtained for data that will be processed for multiple purposes, it must be established without a doubt that the subject agrees to all purposes. The controller must also be able to demonstrate that the data subject has provided consent, meaning that records need to be kept for verification.

Signified by a statement or clear affirmative action
Affirmative action is required for consent to be considered freely given, specific, informed and unambiguous. Consent can be obtained by any appropriate method such as verbally, in writing or by ticking a box. Note that silence, pre-ticked boxes or inactivity do not constitute consent. It is also important to consider that the method of withdrawing consent should be as easy as giving consent.

Five reasons you need a Data Protection Officer

Although the term ‘Data Protection Officer’ is not particularly new, the role has truly stepped out of the shadows since the European Union General Data Protection Regulation (GDPR) was adopted by all 28 member states. No surprise, as according to a study done by the IAPP, Europe will need at least 28,000 DPOs by May 2018. Do you need to recruit a Data Protection Officer into your business? Here are five reasons you might.

1. It might be required by law

Under the GDPR, many companies will be required to appoint a DPO. There are three criteria for deciding if you might be required to appoint a DPO:

  1. Your organisation is a public authority or a public body.
  2. The core activities of your organisation consist of regularly and systematically monitoring data subjects on a large scale.
  3. The core activities of your organisation consist of the processing of large amounts of sensitive data or data related to criminal convictions or offenses.

Make sure to also check the country your company is registered in. In some countries (like Germany) the appointment of a DPO is required even if you don’t meet the standards mentioned above. If you suspect you might be required to appoint a DPO by law, make sure you look into your country’s privacy-related legislation and the GDPR regulations. Even if you are not legally required to appoint a DPO, there are still good reasons to do so. We’ve listed a few here.

2. Paving the road to compliance

GDPR compliance is currently an important goal for many companies. No surprise, since businesses have until May 25th 2018 to become compliant and failing to do so will incur hefty fines. A dedicated DPO can help your company become GDPR compliant by guiding the departments in your business towards a new approach to privacy regulation. Furthermore, a DPO is also an important ingredient in growing a ‘privacy by design’ mindset in your business.

3. Independent advice is the best advice

Whether your DPO is necessary by law or not, the GDPR guidelines require your DPO to be an independent entity within your business. Even if you appoint one of your current employees as a DPO instead of bringing in new talent, your Data Protection Officer should be an independent voice working on behalf of your data subjects. An objective, independent source of advice is always a valuable information provider and will ensure the interests of your data subjects won’t be threatened by the interests of your company.

4. Privacy is hot!

With concerns over privacy and responsible data management growing, being a responsible data processor is becoming an attractive quality. As Debbie Evans, Global Legal and Commercial Director at Clearswift puts it: “Good information security and privacy can be used as a differentiator and help build reputation and grow a business.” Appointing a DPO as the ‘face of privacy’ in your company communicates your company’s dedication to responsible data ownership to stakeholders and can help mitigate customers’ growing concerns over the treatment of their personal information.

5. Mastering the tools of the trade

The final reason to appoint a DPO is to make sure that your company is equipped with not only the tools to become compliant, but also with an expert to wield them. Solutions such as our own ‘Data Stream Manager’ truly shine in the hands of a competent DPO. A dedicated DPO can quickly become a professional with the tools of the trade and use them to efficiently respond to changing environments and new challenges.

Consent management: interview with our Data Protection Officer

After proudly sharing our ‘Consent Manager Solution’ via Social Media, we received some quite interesting questions from our connections. Therefore, we decided to share our “behind the scenes” steps and reasons for building this solution. What better way to do this than to ask Nick Wood, our ‘Data Protection Officer’, to give us the insights?

Let’s start with the obvious question: Why?

“The GDPR will be effective May 25th 2018 and there will be no room for loose interpretations or excuses. The data subjects’ privacy rights and lawful grounds for collecting and processing their data need to be 100% respected. Asking for consent during the online interaction won’t be a maybe but a MUST. Without explicit consent, organisations won’t have any legitimate grounds for data collection and processing. By neglecting GDPR requirements they risk being heavily fined and their brand being damaged.

Next to this external mandatory reason, our strongest drive stems from our corporate belief and main mission statement: ‘Empowering data-driven collaboration by providing governed access to trusted data sources.’ This joint purpose inspires our team to push forward, developing tangible and reliable solutions as fast as we possibly can. Have we found the perfect recipe, yet? That is a debate for another day. For now, we invite everyone to join and give us a hand.”

How does it work?

“Our Consent Manager is built with the ICO GDPR consent guidance in mind and based on the key requirements for asking consent in a GDPR compliant way. Along the way, we realised that offering DPOs the flexibility to adapt their message to various data subjects is very important and a major plus. This enables them to continuously be transparent and in line with the activities done in the background.

During development, we also looked into the robustness of the solution. The DimML language gave us the flexibility to store consent choices in multiple places. This is not only essential for keeping records on consent evidence, but also for reporting purposes in relation to bounce and consent rate.

There is a general fear that asking for consent will trigger data subjects to avoid sharing their data. As a result, less data can be collected for customer experience insights. We are not that afraid, but strongly believe that by empowering online users in a respectful way, they will feel more engaged and will be more inclined to share their data with trusted organisations.

When it gets to functionality, you can see the Consent Manager as a filter. Based on the choice a data subject makes, only what they agree to be shared will be forwarded to one or multiple endpoints. Further along the pipeline – through the governed data logistics our Data Stream Manager offers – another filter will be applied to make sure that sensitive data will not be sent to end points that do not have the proper security implementations in place.”

Who will benefit from this Consent Management Solution?

“In short. Everyone. First of all the Data Subjects. They are the main reason for this whole set up. Through the GDPR, authorities want to give data control back to individuals. We underline this ‘Power to the people’ concept and that’s why we also implemented the Consent Manager on our own website. As stated, offering transparency and trusted experiences to data subjects is one of our core missions.

Furthermore, we discovered that this is also a challenge for our partners and their customers. As a result, we made our Consent Management solution to be flexible and customisable to any requirements Controllers might have.

Secondly, Data Controllers. We started this whole process for our own online environment to be in line with such legislation as the GDPR. We wanted to offer trusted customer experiences to visitors and engage with them, whilst safeguarding our online reputation.

Asking for appropriate consent from data subjects falls under the remit of the Controllers’ Data Protection Officer (DPO). Furthermore, he/she needs to make sure their organisation keeps records of consent as evidence, should this be required by regulatory authorities later on. As I mentioned earlier, with our solution you can collect and keep records of the consent choices.

It is also relevant to mention regular consent reviews here. These need to be adapted to continuous business changes. Having a solution that offers the possibility to adapt the message communicated to online users will spare any DPO a lot of headaches.

So last but not least, Data Processors. Only having a Consent Management solution is not sufficient. It needs to be integrated within the entire data logistics process. The process doesn’t stop when the data subject has made a decision in terms of what he/she wants to share. Based on the consent choice, data needs to be collected and processed, then stored and finally visualised to enable data-driven decisions. Integrating this solution with the Data Stream Manager, processors get instant control over the entire process and offer their customers (data controllers) security over their data management process. Thus, building trusted relationships and increasing their business ROI and improving brand reputation.”

What are the plans for the near future?

“We are frequently in touch with our partners and processing their feedback. This way they help us to constantly improve upon the current version. So, stay close to see new developments and should you have any feedback, please let us know.”

Is fulfilling the GDPR requirements sufficient to be compliant?

What does GDPR compliance mean? How can you make sure that you are compliant and take the necessary steps as an organization if you do not even understand what it is you need to achieve? There is a lot of buzz around this topic in the blogosphere. And there is a reason for this. This important new EU-wide regulation will be put into practice starting May 2018. As a result, it is time for companies to start taking this “buzz” seriously and try to find their path through it.

Why is this relevant? Because in the end, the GDPR focuses on the protection of personal data and not just the privacy of personal data.

Why should companies take this step? Could it be, the possible huge fines they may receive? The moral ideas behind this regulation? The fact that their customers can lose trust in them, damaging their reputation and even business revenues? Let’s assume that some or all of the above are sufficient reasons for a company to realize it is time to do something and they want to do something about it. Now let’s see how compliance is defined in relation to data protection:
“According to Merriam-Webster, compliance is defined as:

  1. The act or process of complying to a desire, demand, proposal, or regime or to coercion.
  2. Conformity in fulfilling official requirements.
  3. A disposition to yield to others.
  4. The ability of an object to yield elastically when a force is applied.”

Here we will focus on definition number 2, which can be seen as a starting point. A first question organizations should try to answer starting from this definition is, “what are the requirements that I need to fulfil to achieve compliance?”.

To be able to answer that question, an organization needs to first identify its role within the process of dealing with personal data on EU residents. Different requirements apply to different roles:

  • Data controllers – The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by the laws of the European Union or an EU Member State, the controller or the specific criteria for its nomination may be provided for by the laws of the European Union or the EU Member State. (Article 4 (7), GDPR)
  • Data processors – A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. (Article 4 (8), GDPR)
  • Data sub-processors – A natural or legal person, public authority, agency or body other than the data subject, controller or processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. (Article 4 (10), GDPR)

Having established this, what needs to be specified here is that complying with the GDPR “…requires both organizational and technological measures…” As Dana Louise Simberkoff says in her article: “Aside from legal and statutory requirements, we must also understand how policies relate to operational practices, people and technologies within our organizations in order to be truly effective.” She even goes further than this and presents a model to address this challenge. She considers that a combination of education, monitoring and enforcement are key to achieving this.

Education makes perfect sense. Without an educated organization, the chances of succeeding with protecting privacy are quite low and it will be a bumpy ride. Employees need to be made aware of the policies they need to follow to handle personal and sensitive data.

Where is all my data coming from? What are the requirements that need to be applied to that type of personal data? Do I have the right to collect it? Did my customer give his/her consent? Where do I store my data? How do I process this data? All valid questions that need to be taken into account. There may be multiple organisations involved in this process and they may have different requirements. Working clearly across teams, departments, businesses, suppliers and partners with different areas of expertise is of high importance. Digital collaboration is going to be vital to success in order to meet all GDPR obligations.

Once the first step has been taken, i.e. education, monitoring needs to go hand in hand with this. It’s not sufficient to give instructions. You need to follow up and see that they are implemented, and implemented in the right way. This is not a subject to be taken lightly as organizations need to understand the legal basis of controlling and/or processing data and implement the specific requirements from the GDPR legislation, which are many and varied.

Organisations also need to determine if the right privacy levels are set for the data being collected, regardless of the source. They need to ask questions like: are my employees implementing the initial requirements established? And, am I sending personal and/or sensitive data to unsafe destination points? Constant attention to these processes is needed. The understanding of these (quite a few) new concepts cannot be expected to happen overnight. Especially when there isn’t yet the perfect recipe for success.

Enforcement is seen as the applicability of the requirements in a controlled way. This starts from a central point where understanding the rights of the data subjects, as seen by the GDPR, is of the utmost importance. Understanding the concepts and then translating these into technical implementations and organizational processes is the test companies need to pass. Data protection by design and by default needs to be built into the solutions that will be used.

But this does not end here. Everything needs to be recorded. Who did what, when and where?

As an organization, can you easily answer all these questions in order to be GDPR compliant? Who are you working with and are they also in line with all necessary requirements and obligations? Are all your employees ready for these big steps? Are your customers trusting you with their personal and sensitive data?

In summary, these measures to fulfil requirements will have no importance if they are not centred around the core GDPR principles to protect data subjects’ rights, i.e.:

  • The right to require rectification of personal data
  • The right to erase personal data (“right to be forgotten”)
  • The right to prevent further processing of personal data (“restriction”)
  • The right to transfer data (“data portability”)
  • The right to be informed when personal data breaches take place

If you can meet all of these principles and prove you do so each and every day, then you will be truly GDPR compliant.

The GDPR: 5 questions data-driven companies should ask

Data is rapidly becoming the lifeblood of the global economy. In the world of Big Data and artificial intelligence, data represents a new type of economic asset that can offer companies a decisive competitive advantage, as well as damage the reputation and bottom-line of those that remain unsuccessful at ensuring the security and confidentiality of critical corporate and customer data.

Despite the severe repercussions of compromised data security, until recently, the fines for breach of data protection regulations were limited and enforcement actions infrequent. However, the introduction of a potentially revolutionary European General Data Protection Regulation (GDPR) is likely to transform the way data-driven companies handle customer data by exposing them to the risk of hefty fines and severe penalties in the event of non-compliance and data breach.

In this article, we have tried to summarise the implications of GDPR implementation for data-driven companies, as well as the measures businesses can take to ensure the security and privacy of clients’ data and avoid the penalties associated with non-compliance.

How Does GDPR Impact Data-Driven Organisations?
The General Data Protection Regulation (GDPR) stands out from all existing regulations because of its breadth of client data protection. From conditions on cross-border data transfer to the need to implement, review, and update adequate technical and organisational measures to protect customer data, the GDPR introduces several new legislative requirements that will significantly impact the way businesses collect, manage, protect, and share both structured and unstructured data. I have described a few of the most important ones below.

  • Valid and Verifiable Consents — It can be argued that the GDPR is all about consent: it protects European citizens by giving them the means to object or give permission to process their personal data. The GDPR sets out stringent new requirements for obtaining consent for the processing of personal data from customers. According to the new legislation, companies should make the process of withdrawing consent as easy as providing consent. Furthermore, the consent should be explicit and well informed with full transparency on the intended purpose and use.
  • Data Protection by Design and Default — Up until now, businesses were required to take technical and organisational measures to protect personal data. But implementation of the GDPR will require companies to demonstrate that the data protection measures are continuously reviewed and updated.
  • Data Protection Impact Assessment (DPIA) — DPIAs are used by organisations to identify, understand, and mitigate any risks that might arise when developing new solutions or undertaking new activities that involve the processing of customer data, such as data analytics and all data-driven applications, including BI, data warehouses, data lakes, and marketing applications. GDPR makes it a mandatory requirement for all organisations to conduct a DPIA and consult with a Data Protection supervisory authority if the assessment shows an inherent risk.

What are the Possible Consequences of Non-Compliance?
The GDPR subjects data controllers and processors that fail to comply with its requirements to severe consequences. These consequences, contrary to what most people believe, are not just limited to monetary penalties. Instead, they can potentially damage a business’s reputation and bottom-line. There are three factors that together make the GDPR the most stringent regulation in the European data protection regime.

  • Reputational Risk — The reputational risk of any data breach is always severe. However, implementation of the GDPR with the obligation to notify authorities in case of data breaches is likely to result in increased enforcement activity. This will consequently bring data protection breaches to light, compromising a company’s market position and reputation.
  • Geographic Risk — All organisations offering goods or services to EU markets or monitoring the behaviour of EU citizens are subject to the GDPR. This includes all data analytics companies as well.
  • Huge Fines — Failure to comply with the new regulations will lead to significant fines of up to 20 million EUR or 4 percent of the company’s global turnover, whichever is higher.

To avoid the huge fines and severe penalties, businesses need to have complete and mature data governance in place. From revising the existing contracts in place to getting buy-in from the key people in organisations, businesses will be required to review their entire data process management approach in order to become compliant and mitigate reputational and financial risks.

5 Questions to Address and Mitigate the Risk of Non-Compliance

1. How can I minimise risks and protect my business’s reputation?
Taking the following measures can help you ensure your compliance with the new data protection legislation.

  • Define Personal Client Data — Document what types of personal data your company processes, where it came from, and who you share it with to improve documentation. For example, if you have inaccurate personal data and you have shared it with another organisation, you won’t be able to identify the inaccuracy and report it to your business partner unless you know what personal data you hold. Therefore, begin with a thorough review of your existing database.
  • Manage Data Streams and Processes — Develop a roadmap to determine your sources for data input, data processing tools, techniques, and methodologies that you use, and how the data you hold is shared with other businesses. Once you have listed all the inputs and outputs, evaluate their compliance to the new regulations, and take adequate measures to ensure good data governance.
  • Designate a Data Protection Officer — Designate a Data Protection Officer who has the knowledge, support, and authority to assess and mitigate non-compliance risks.
  • Ensure Swift Response to Withdrawal Requests — Respond to the customers’ requests of consent withdrawal in an efficient manner and update the system to flag that the user has withdrawn consent to prevent further direct marketing.

2. How can my business protect personal data?
The new data protection regulations apply to data that allow direct or indirect identification of an individual by anyone. As a result, cookie IDs, online identifiers, device identifiers, and IP addresses are categorised as personal data under the GDPR. To ensure the security and confidentiality of the newly defined categories of personal data, businesses can use the following measures:

Adopt a Protection by Design Approach — There are certain ‘protection by design’ techniques that businesses can use to protect the personal data of their customers. These include:

  • Pseudonymisation — Pseudonymisation (for example through encryption, tokenisation or hashing) is a technique that splits customers’ personal data into two types, in such a manner that one type can no longer be attributed to an individual unless it is accompanied by the second type of information, which is kept separately and is subject to various data protection measures.
  • Data Minimisation — As the name implies, data minimisation is about ensuring that only the data that’s necessary for a specific purpose is processed, used, or stored.
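
The two techniques above, combined in an added example (not code from the original article or from any Datastreams product). It uses HMAC-SHA256 as the keyed hashing step, also shows why an unkeyed hash of a small input space such as IP addresses does not pseudonymise, and assumes a hypothetical purpose register, field names and constructed sample events.

```python
"""Keyed pseudonymisation plus purpose-based data minimisation for web events."""
import hashlib
import hmac
import ipaddress

# Hypothetical purpose register: the plain fields each purpose needs and the
# single identifier it may keep (as a token) to link records together.
PURPOSES = {
    "analytics": {"fields": {"page", "country"}, "identifier": "cookie_id"},
    "newsletter": {"fields": {"country"}, "identifier": "email"},
}

# Constructed sample events; the addresses come from documentation ranges.
SAMPLE_EVENTS = [
    {"email": "Ana@example.org", "ip": "192.0.2.17", "cookie_id": "c-1001",
     "page": "/pricing", "country": "NL", "birthdate": "1990-04-02"},
    {"email": "ana@example.org ", "ip": "192.0.2.17", "cookie_id": "c-1001",
     "page": "/blog", "country": "NL", "birthdate": "1990-04-02"},
    {"email": "bo@example.org", "ip": "192.0.2.200", "cookie_id": "c-2002",
     "page": "/pricing", "country": "DE", "birthdate": "1985-11-30"},
]


class Pseudonymiser:
    """Replaces identifiers with HMAC-SHA256 tokens.

    The key and the token -> identifier table are the "second type" of
    information: hold them in a separate, access-controlled store, never
    next to the pseudonymised records.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least 32 bytes of random key material")
        self._key = key
        self.lookup = {}  # token -> normalised identifier (store separately)

    def token(self, field: str, value: str) -> str:
        normalised = value.strip().lower()
        # Binding the field name keeps an email and a cookie ID with the
        # same text from producing the same token.
        message = f"{field}:{normalised}".encode("utf-8")
        tok = hmac.new(self._key, message, hashlib.sha256).hexdigest()[:32]
        self.lookup[tok] = normalised
        return tok

    def reidentify(self, tok: str):
        """Only possible for whoever holds the separately stored table."""
        return self.lookup.get(tok)


def pseudonymise_event(event: dict, purpose: str, ps: Pseudonymiser) -> dict:
    """Return the record a given purpose is allowed to see."""
    rule = PURPOSES[purpose]
    # Data minimisation: drop every field the purpose does not need.
    record = {k: v for k, v in event.items() if k in rule["fields"]}
    ident = rule["identifier"]
    if event.get(ident):
        record[ident + "_token"] = ps.token(ident, event[ident])
    return record


def recover_ip_from_plain_hash(digest: str, network: str):
    """Check showing that an unkeyed SHA-256 of an IP is not pseudonymous.

    The input space is small enough to enumerate, so the "hash" can be
    attributed to an address without any separately held information.
    """
    for addr in ipaddress.ip_network(network).hosts():
        if hashlib.sha256(str(addr).encode()).hexdigest() == digest:
            return str(addr)
    return None


if __name__ == "__main__":
    import secrets

    ps = Pseudonymiser(secrets.token_bytes(32))
    for ev in SAMPLE_EVENTS:
        print(pseudonymise_event(ev, "analytics", ps))
```

Rotating or destroying the key (and the lookup table) is what makes the tokens unlinkable later, so the key's storage and retention deserve the same care as the raw identifiers.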

3. How can my company implement technical infrastructure that will ensure optimal governance of client data?
GDPR not only requires businesses to implement a well-built and foolproof infrastructure to collect, store, and process data, but also directs them to continuously review and update the infrastructure. Here are a few ways businesses can ensure their compliance with this new legislation.

  • Align Data & Analytics Strategy with Policies — Businesses should focus on developing a data and analytics infrastructure that’s CONTROLLED, PORTABLE, and COMPLIANT. To ensure this, data collection should be purpose driven, i.e. only data that is required to fulfill a specific requirement or purpose should be collected and processed. Data collection should be compliant. Customers should be provided with a right to object to data collection and processing for direct marketing purposes. Data collected with the consent of clients should be kept in self-controlled storage and processed according to all applicable data protection regulations.
  • Manage Data Lineage — Certain data governance solutions organised by leading tech companies can help businesses streamline their data handling processes, exercise greater control and get improved visibility throughout the data lifecycle. They help businesses adopt a standardised approach to discovering their IT assets and define a common business language to ensure optimal policy and metadata management, create a searchable catalogue of information assets, and develop a point of access and control for data stewardship tasks.

4. How can my business uphold these new regulations and define client data collection and storage?
To enhance the compliance of their client data collection and storage processes, businesses should seek assurance from a data protection officer who can inform and advise the business about its obligations pursuant to the regulation, monitor the implementation and application of adequate data protection policies, and ensure optimal training of staff involved in data collection and processing operations. In addition, designating a data protection officer can help businesses monitor their incoming data streams and decide how they should be treated.

5. How can my business handle different types of data streams?
To ensure their compliance with the GDPR and avoid the severe consequences of non-compliance, businesses are required not only to ensure optimal control and privacy of static batch data, but also to develop means to collect, categorise, and process data provided by high-speed data streams. Data stream management software is a viable solution to this challenge. A data stream manager allows businesses to:

  • Collect and distribute data in a private and compliant way
  • Reduce costs and complexity in data life cycle management
  • Have real-time access to all structured and unstructured data via the cloud or on premise
  • Centralise all data sources for improved visibility and control
  • Develop a controlled environment for data-driven operations

With a data stream manager, Data Protection Officers can define privacy levels, manage user rights, get an insight into how their info is being collected or used, and more.

Many of the GDPR’s principles are much the same as the current data protection regulations. Therefore, if your business is operating in compliance with the current law, you can use your current approach to data protection as a starting point to build a new, more robust and secure GDPR-compliant data protection infrastructure.

Browser security with privacy settings, Data Protection Regulation

Are browser based privacy settings a good idea?

On 10 January 2017, the European Commission announced the publication of its draft Regulation on Privacy and Electronic Communications (commonly known as the ‘ePrivacy Regulation’). Within this, it has major plans to replace pop-up/banner type cookie warnings on websites with browser-specific privacy settings. Full details can be found here.


ePrivacy Regulation and EU General Data Protection Regulation

It is important to understand how this proposal relates to the General Data Protection Regulation (GDPR). According to the European Commission fact sheet on this subject, the GDPR focuses on data protection for individuals. It was adopted in 2016 and its provisions will apply as from May 2018. The General Data Protection Regulation will enable users to better control their personal data. However, it only applies to the processing of personal data of individuals. It does not cover business-to-business communication or communication between individuals which does not include personal data. The proposed EU Regulation on Privacy and Electronic Communications complements the General Data Protection Regulation and ensures the fundamental right to the respect of private life with regard to communications.

The new rules also give citizens and companies specific rights and protections, which are not provided by the General Data Protection Regulation. For instance, they guarantee the confidentiality and integrity of users’ devices (i.e. laptop, smartphone, tablets), as smart devices should only be accessed if the user has given their permission. The proposed Regulation also seeks to align privacy rules with the recently adopted General Data Protection Regulation, for example by relying on its definitions. The draft regulation also repeals the security obligations outlined in the current ePrivacy Directive that have become redundant as similar provisions exist in the General Data Protection Regulation.

Pros and cons

According to the draft ePrivacy Regulation, the intent is that browsers should work through privacy by default and would not allow standard cookies. This principle is satisfactory to the legislative parties because they argue that it offers more options to protect privacy from a technical perspective. Advertising agencies, on the other hand, see the proposal as a bad thing, because online ads would become far less interesting and relevant if less, or indeed no, useful information were stored in cookies. However, there are other reasons why these privacy regulations are not a good idea.

False sense of security

Cookies are not only used for tracking, but also for the core functionality of a website. Think of their importance for memorising items in a shopping cart, for example. In most countries we would classify these as ‘functional cookies’ as opposed to ‘tracking cookies’. The current proposal states that the storage of all cookies should be completely blocked by default. However, blocking all cookies is not possible, because websites simply would not work anymore. Browsers would therefore need to provide options to reject just the tracking cookies. This gives the impression that it is easy to distinguish between functional cookies and tracking cookies. That is not the case: apart from a few properties such as ‘name’, it is difficult to make this distinction by just looking at the cookie. Currently, the techniques employed by browsers are not good enough in themselves to guard privacy to the extent required by the new proposal.

In addition, cookies are not the only way to store sensitive information. Via components such as session storage, local storage but also through methods such as loading (external) files, it is possible to transfer data without control to a third party. Browsers will never be able to monitor and control all of these methods.

Also, the ‘do not track’ functionality in the browsers of today does not meet the requirements of the proposal. This setting allows users to select whether they want to be monitored (i.e. tracking cookies enabled) or not. The disadvantage is that the browser only makes available the form (or similar) in which users record their preferences. It is the website owner who must ensure that these choices are respected and actually carried out. In other words, a browser setting does not fully guarantee that no tracking data will be sent (even though a user expressed their intent not to be tracked). The responsibility and technical effort of the website owner do not change when a legally compliant ‘do not track’ function is implemented through a browser.
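What honouring the setting looks like on the website owner's side, as an added Python example (not code from the original post): the browser only sends a `DNT: 1` request header, and the server decides which cookies to emit. The cookie catalogue, the cookie names and the `has_consent` flag are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Constructed catalogue: the site declares each cookie's purpose itself, because
# nothing in a cookie's name or value tells a browser what it is used for.
COOKIE_CATALOGUE = {
    "session": "functional",
    "cart_id": "functional",
    "ad_profile": "tracking",
}

def tracking_allowed(request_headers, has_consent):
    """Tracking needs recorded consent and no 'DNT: 1' header on the request."""
    headers = {k.lower(): str(v).strip() for k, v in request_headers.items()}
    return bool(has_consent) and headers.get("dnt") != "1"

def build_set_cookie_headers(request_headers, has_consent, wanted):
    """Return Set-Cookie header values for the cookies in `wanted` (name -> value)
    that may be sent. Uncatalogued cookies are rejected so that a new cookie
    cannot slip past the purpose check."""
    allow_tracking = tracking_allowed(request_headers, has_consent)
    emitted = []
    for name, value in wanted.items():
        purpose = COOKIE_CATALOGUE.get(name)
        if purpose is None:
            raise ValueError(f"cookie {name!r} has no declared purpose")
        if purpose == "tracking" and not allow_tracking:
            continue  # the preference is enforced here, on the server
        jar = SimpleCookie()
        jar[name] = value
        jar[name]["path"] = "/"
        jar[name]["httponly"] = True
        emitted.append(jar[name].OutputString())
    return emitted

if __name__ == "__main__":
    wanted = {"cart_id": "c-1001", "ad_profile": "p-77"}  # constructed values
    print(build_set_cookie_headers({"DNT": "1"}, True, wanted))
    print(build_set_cookie_headers({}, True, wanted))
```

The shopping-cart cookie is still set for a visitor who sends `DNT: 1`; only the cookie declared as tracking is withheld.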


Displacement of the problem

The proposed data protection through the ‘do not track’ browser setting is far too general because it needs to work for all websites. The user cannot choose which companies deal properly and transparently with the personal information they provide, especially in terms of their privacy wishes and data collection permissions, across multiple channels. This is an all or nothing situation, especially as many companies still do not ask for permission in the right way, or indeed at all. This will again cause a lot of confusion, frustration and poor customer journeys for end users, with many ending up saying “I thought I had already done that?!” Would it not be better to ensure that governing and guarding privacy is the responsibility of the information processing party, and that this responsibility is not moved to an application of the end user? Data handlers should provide options for end users to grant explicit permission, to refuse, and to easily withdraw from any data gathering which impacts their privacy. This investment in a browser setting moves the problem to end users, who will often make decisions based on incomplete or incorrect information, or worse, just click to remove what they perceive to be yet another annoying advert or banner. Privacy is too important to leave to a browser setting.

There is a lot of good intent within the GDPR and ePrivacy Regulations to help protect omnichannel generated data relating to personal privacy. Together, they will help drive a much needed cultural paradigm shift around personal and sensitive data. In addition to obtaining the previously described explicit permission, companies must also be able to make clear the purpose of the data collection. All end users must have the ability to have their data removed from all systems to which it is sent. This is a grand and far from trivial challenge that still requires much more control over the infrastructure than is available today. It is a challenge that goes far beyond what can be facilitated via a browser setting.

Customer perception of data privacy and regulation

The 360 customer view and data privacy

The last decade has shown a rapid growth of concern among citizens about data privacy. Policy makers have made every effort to respond to that worry. As a consequence, regulations on data processing are being tightened. How do these changes affect data-driven entities?

Customer perception of data privacy

Historically, the word privacy has had a strong physical connotation, as in the expression ‘the privacy of her own home’. It is broadly considered to be a normal requisite for daily life, if not a legal right. However, in the data era this has drastically changed. Nowadays, privacy is not only about ‘physical’ privacy; it also relates to ‘virtual’ privacy. It is about the protection of personal data and the right to preserve anonymity. To that extent, it still relates to a person’s comfort zone, although this is becoming increasingly difficult to define. A comparison may illustrate this. Recent academic research on the perception of sustainability found that people tend to act more to avoid a material loss than to gain an abstract profit. In an interesting experiment, respondents preferred a lower price for tomatoes, yoghurt and coffee over an EKO hallmark (the Dutch hallmark for organic products). But that changed when the choice was between a cheaper product with a red crossed EKO label and the standard product, regardless of whether the latter came with a positive sustainability hallmark or none. Then the preference shifted towards the more expensive product. Unfortunately, there’s no such thing as an authorised red cross for data privacy. Respected brands might substitute for it by integrating protection of personal data into their set of values. But at the end of the day consumers will expect privacy to be a normal product feature, just as Teslas are sold without a petrol tank. Put differently, making data privacy an integral part of any proposition and delivering transparency on the issue is the only way forward: privacy by design!

Regulation

The European General Data Protection Regulation (GDPR) that will come into force fits that trend seamlessly. It strengthens the position of EU citizens with regard to their data, making tough demands on organisations that collect data and raising financial sanctions for infringing the regulation. Among the ‘civil’ rights to be established by the GDPR are: easier access to people’s personal data, transparency around how these data are processed and the possibility to explicitly object to it, data portability (transfer of data to third parties) and the right to be forgotten. For many institutions the processing measures in the GDPR will set new obligations such as the registration of data leaks, the appointment of a dedicated Data Protection Officer and the introduction of data protection impact assessments. These boundary conditions, however, pale in comparison to how data management systems are going to be affected by the rights described before.

Data governance

The explosion of generated data in the last decade has also given rise to the aspiration of a ‘360 degree customer view’. More data allows for better insights, may facilitate new points of view or just harness already available predictive models. State-of-the-art data processing capabilities are an important requirement to successfully realise that ambition, and not only to arrange for the integration of data from different resources. Above all, these capabilities are necessary to reach a more sophisticated level of data governance – privacy by design. To become compliant with the GDPR and gain customer acceptance, a new approach to data management is a conditio sine qua non. In the near future, data processors will not only be accountable for what they do, but will also actively have to support full transparency on what data they process and for what purposes it is used (e.g. profiling), and provide adequate data security. The only foundation for this approach is explicit consent given by the person whose data are at stake, and stringent administration of this. By distinguishing between different levels of consent, e.g. giving anonymous or personal data (customer vs. operator in control), letting data evaporate instantly (the right to be forgotten) or transferring them externally, the new functionalities created by the GDPR are within reach.

Conclusion

Having the consent administration in order, just as entities register an address or a birthdate on their customer records, is the basic condition for compliant data governance. This may drive data stream management technology to provide building blocks for embedding core data privacy functionality in data governance, such as:

– in-memory data collection and selective storage

– encryption of data on processing

– access to all data streams exclusively to the Data Protection Officer

– in house deployment of data streams (vs. cloud)

– extensive change logging

Finally, this approach will also facilitate external audits to prove the conse