In order to comply with the principles of the General Data Protection Regulation (GDPR), an organization must be able to govern personal data: know where the data are and how to protect them. In addition, the organization must be able to fulfil the legally defined rights of all EU citizens whose personal data it processes. GDPR applies to all individuals who are nationals of an EU member state (data subjects), and the data subject's requests must be met and monitored. In the context of a company, a data subject may be a user, a former user, a natural person to whom the company offers its products or services, an employee, a job candidate or a partner's employee.
The new regulation places great emphasis on consent as a lawful basis for personal data processing. In the legislation of most EU countries consents are not a novelty, but the current controls are known to be very superficial and the penalties for non-compliance are negligible. The fines for non-compliance defined by GDPR are significantly higher, and the rights of data subjects require organizations to demonstrate how personal data were acquired and how they are being processed.
The definition of consent has also changed significantly with GDPR: consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
GDPR defines consent and states that the data controller must be able to demonstrate that the data subject has given consent to the processing of his or her data, that the request for consent was understandable and written in plain language, that the data subject can opt out as easily as he or she opted in, and that the service was not conditioned on consent.
GDPR also states that consent should be given by a clear affirmative action such as a written statement (including by electronic means) or an oral statement. Ticking a check box when visiting a website also counts as an electronic written statement, but the box must not be pre-ticked. When data are processed for multiple purposes, consent should be given for each of them. If the data subject has no genuine choice, or is unable to refuse or withdraw consent without consequences, the consent cannot be considered freely given.
Picture 1. Consent attributes
Organizations that have complied with the law in force so far should find implementing the GDPR requirements much easier; the others will have to raise their level of data protection and learn how to govern personal data in order to comply with the new legal obligations.
Once GDPR becomes enforceable on May 25th 2018, organizations will have to manage the consent lifecycle. Article 7 of GDPR states that the data controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
Does that mean re-collecting existing consents? Yes, unless they already meet the GDPR requirements described above. For a smooth business transition, organizations will have to define the processes for acquiring and processing consents well before GDPR becomes enforceable in May 2018. The best way to acquire consents from data subjects again is to be transparent and to explain in plain language why they are being asked again, for which purpose, and how the data subjects benefit from it.
To meet this requirement, a system is needed that keeps records of all data subjects and the consents they have given, of opt-ins and opt-outs, and of data subject requests to the company regarding their data and its processing. Such a system would enable consent management with all the necessary information in one place: for every processing activity with consent as its lawful basis, the organization should be able to demonstrate when consent was given and by whom, through which channel and for what purpose. It should also let data subjects opt out just as easily, in which case the company is legally required to stop processing their data wherever consent is the lawful basis.
Activities that process personal data need to know that the conditions for processing a specific data subject's personal data are met, which includes a valid consent. Consent management therefore becomes a key factor in the processes that support the business and provide the grounds for business decisions. Missteps in such processes may or may not require corrective measures, but it is very certain that mistakes in such processes will affect brand and customer loyalty, and this is difficult to measure.
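The record-keeping and "may we process this?" check described above, written out as an added example (this is illustrative code, not the CLM platform's own): an append-only ledger of per-purpose opt-in/opt-out events that stores who, when, through which channel and for what purpose, refuses a non-affirmative (pre-ticked) opt-in, and answers whether processing on the basis of consent is currently permitted for a given subject and purpose. All subject ids, purposes and channels are constructed sample values.

```python
# Added example (not CLM's code): an append-only consent ledger that records, per
# purpose, who consented, when, through which channel, and any later withdrawal.
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one event per purpose; consent is never bundled
    action: str           # "opt_in" or "opt_out"
    channel: str          # e.g. "web_form", "email", "phone" (constructed values)
    at: datetime
    affirmative: bool = True   # False models a pre-ticked box: not a valid opt-in

class ConsentLedger:
    def __init__(self):
        self.events = []  # never deleted or edited: this is the audit history

    def record(self, ev: ConsentEvent) -> None:
        if ev.action not in ("opt_in", "opt_out"):
            raise ValueError(f"unknown action {ev.action!r}")
        if ev.action == "opt_in" and not ev.affirmative:
            raise ValueError("opt-in requires a clear affirmative action")
        self.events.append(ev)

    def may_process(self, subject_id: str, purpose: str, at=None) -> bool:
        """True only if the latest event for (subject, purpose) up to 'at' is an opt-in."""
        at = at or datetime.max
        hits = [e for e in self.events
                if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        # No record means no consent: processing on this lawful basis is not permitted.
        return bool(hits) and max(hits, key=lambda e: e.at).action == "opt_in"

def demo() -> dict:
    led = ConsentLedger()  # constructed scenario: two purposes, one later withdrawn
    t0 = datetime(2018, 5, 25, 9, 0)
    led.record(ConsentEvent("u42", "newsletter", "opt_in", "web_form", t0))
    led.record(ConsentEvent("u42", "profiling", "opt_in", "web_form", t0))
    led.record(ConsentEvent("u42", "profiling", "opt_out", "email", datetime(2018, 6, 1)))
    try:  # a pre-ticked box must be refused at the point of collection
        led.record(ConsentEvent("u99", "newsletter", "opt_in", "web_form", t0, affirmative=False))
        rejected = False
    except ValueError:
        rejected = True
    return {"newsletter": led.may_process("u42", "newsletter"),            # True
            "profiling": led.may_process("u42", "profiling"),              # False after opt-out
            "profiling_may": led.may_process("u42", "profiling", datetime(2018, 5, 30)),  # True
            "unknown": led.may_process("u7", "newsletter"),                 # False: no record
            "prechecked_rejected": rejected, "audit_rows": len(led.events)}  # True, 3
```

Because events are only ever appended, the ledger doubles as the history a controller must be able to show for a data subject request, and a withdrawal flips `may_process` to False from that moment on without erasing the earlier opt-in.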
The Consent Lifecycle Manager (CLM) platform is a solution by Poslovna Inteligencija that is unique on the market and enables organizations to manage the consent lifecycle and data subject requests simply and intuitively.
Picture 2. Processes supported by Consent Lifecycle Manager
CLM supports all the major processes of the consent lifecycle and of managing data subject requests concerning their personal data: acquiring and documenting consents, managing purposes, managing processing activities, and integrating consent and data subject request data with other company systems, either by importing/exporting data or by calling open APIs. CLM keeps a history of all changes to consents and data subject requests.
In addition, the CLM platform is the central application used by the Data Protection Officer (DPO), enabling him or her to supervise all processes related to data subject consents, with simple and configurable dashboards and detailed reports on all requests, actions and their status.
Picture 3. CLM Data Protection Officer’s dashboard
Virtually every company that has relationships with a larger number of data subjects governed by consent, and that needs to meet the data subject requests defined by GDPR, needs the CLM platform as part of aligning the company with the requirements of the regulation.