Do we need to manage consents in real-time?




Author: Marijan Bračić

Does compliance with GDPR require real-time consent management capabilities? I know it does, and I will try to explain why. I will also try to explain why it is not an easy endeavor and how Consent Lifecycle Manager software already helps a large number of organizations solve this challenge. Disclaimer: when I say real-time, I actually mean near real-time, with the minimum latency that is a by-product of application integration.

Let's start with our usual consent suspects: marketing. It is clear that marketing needs consent management for its day-to-day operations: newsletters, direct marketing, event registrations, photo and video approvals, etc. Does marketing hate GDPR for this reason? Yes, it does. There's no denying it will make their life even more complicated. Should marketing start changing and accepting the new culture, GDPR as Good PR? It's not even a fair question. They will have to, because GDPR is the law.

Today everyone in marketing knows they will need to change their consent acquisition processes, because consent definitions today are not granular; they are often grouped, hidden and not easy to understand. What happens with your personal data after you opt in is rarely explained in a transparent way, and opting in usually does not require a clear affirmative action. Opting out, on the other hand, can be very complicated, and GDPR is clear in saying: "It shall be as easy to withdraw consent as to give it" (Article 7).

Picture 1. Consent – New definition

These are the facts and basic questions around consent, but this is still a front-end perspective and far from a holistic point of view. To understand whether consents need real-time management we need to think about what happens once consent is given, and more importantly what happens once it is withdrawn. So, let's think beyond marketing and take back-end processing of personal data into consideration. The typical scenario, where an organization acquires consents using customer-facing channels like web portals, landing pages, mobile apps etc., is only the beginning of the process. Once an organization receives an opt-in from a data subject (e.g. Customer, Guest, Policyholder, Beneficiary, Patient, Contact, ...) it will generally store their personal data in a database and include it in a process that uses the data for one or more specific purposes, controlled by IT or other departments. This process can be manual, semi-automated or fully automated depending on the complexity and digital maturity of the organization. For example, it can be a process where the organization adds a contact to a newsletter list using a cloud provider's service. Remember that with GDPR consent becomes an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away. So, what happens if this contact suddenly decides to withdraw their consent for receiving the newsletter? The organization definitely needs to remove the contact from the list stored with its cloud provider immediately, so that it does not send an e-mail after the opt-out. Otherwise, it would be at risk of a complaint from this person, which can have serious consequences, especially if the mistake is repeated for more than one data subject and a supervisory authority is notified.

Newsletters are probably the simplest scenario. It becomes exponentially more complex when thinking about automated decisions based on profiling, which also require consent. The data processing activities used for automated decision making can be completely outside marketing's control and disconnected from front-end systems, and the most important thing an organization can do to minimize the risk is to integrate these systems so that the back-end system "knows" what happened in the front-end system. However, this type of integration usually runs into a big problem: different systems use different identifiers for the same person, so even if the back-end system receives the information that someone has opted out, it does not know who that person is. Sometimes this can be handled using Customer Master Data Management systems, but today this is still a privilege reserved for big and advanced organizations. Others will have to solve the problem in another way, and using Consent Lifecycle Manager is one of the more elegant ways to do it. From a risk mitigation perspective it is also very important for an organization to log everything, so that it can demonstrate, at the level of a single opt-in or opt-out, that it is upholding GDPR principles. Organizations need to know who opted in or opted out, when, through which channel, for which purpose (exact wording) and which back-end processes are connected to that consent. Anything other than real-time propagation of consent information from front-end to back-end systems is a big risk for the organization.
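To make the two requirements above concrete (mapping each system's local identifier to one master identity, and propagating a withdrawal to every back-end process immediately while keeping a per-event audit trail), here is a small added example in Python. It is illustrative code written for this post, not Consent Lifecycle Manager's own implementation; the system names, identifiers and the newsletter back-end are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # master identifier held by the consent manager
    purpose: str      # exact purpose wording the data subject saw
    given: bool       # True = opt-in, False = withdrawal
    channel: str      # front-end system the choice came from
    at: str           # UTC timestamp of the event

class ConsentManager:
    def __init__(self):
        self.log = []       # append-only audit trail, one entry per opt-in/opt-out
        self.id_map = {}    # (system, local_id) -> master subject id
        self.backends = {}  # purpose -> handlers of back-end processes using it

    def link_identity(self, master_id, system, local_id):
        self.id_map[(system, local_id)] = master_id

    def resolve(self, system, local_id):
        # Unknown identifiers fail loudly: silently dropping a withdrawal
        # is exactly the failure mode the post warns about.
        return self.id_map[(system, local_id)]

    def register_backend(self, purpose, handler):
        self.backends.setdefault(purpose, []).append(handler)

    def record(self, system, local_id, purpose, given, channel):
        event = ConsentEvent(self.resolve(system, local_id), purpose, given,
                             channel, datetime.now(timezone.utc).isoformat())
        self.log.append(event)
        for handler in self.backends.get(purpose, []):
            handler(event.subject_id, given)  # propagate before returning
        return event

    def has_consent(self, master_id, purpose):
        hits = [e for e in self.log if (e.subject_id, e.purpose) == (master_id, purpose)]
        return bool(hits) and hits[-1].given

# Constructed back-end process: a newsletter list keyed by master subject id.
NEWSLETTER = {}
def newsletter_sync(subject_id, given):
    NEWSLETTER[subject_id] = given

def demo():
    cm = ConsentManager()
    cm.link_identity("M-1", "web", "web-123")    # constructed sample identifiers
    cm.link_identity("M-1", "mobile", "app-9")
    cm.register_backend("Monthly newsletter", newsletter_sync)
    cm.record("web", "web-123", "Monthly newsletter", True, "web portal")
    cm.record("mobile", "app-9", "Monthly newsletter", False, "mobile app")
    return cm
```

The opt-in arrives from the web portal and the withdrawal from the mobile app under a different local identifier, yet both resolve to the same subject, the newsletter list is updated before `record` returns, and the log still shows both choices with channel, purpose wording and timestamp.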

Picture 2. Consent Lifecycle Manager – Main processes

Consent Lifecycle Manager is a platform that allows organizations to master consent definitions, purposes and processing activities, and also provides a way to uniquely identify the data subject across all systems. Using Consent Lifecycle Manager makes the organization accountable, because it can easily demonstrate who opted in or opted out, when, for which purpose, and through which system or channel. The risk for the organization is minimized because every action is logged and every change is stored, making the organization resilient to unfounded complaints from data subjects. It allows real-time integration between front-end and back-end systems, and in this way provides real-time consent management.

Picture 3. Consent Lifecycle Manager – Integration

Why should an organization use Consent Lifecycle Manager instead of building a custom in-house consent management solution? The same question applies to every similar functional need an organization has, like CRM, billing, HR, accounting, marketing campaigns, planning etc. The answer is simple: it is cheaper and faster, you get support from the best experts in the field, every new release includes improvements based on best practices worldwide, and it comes with additional perks. Besides consent management, this platform is:

  • A record of processing activities (mandatory by GDPR, Article 30)
  • Central dashboard for Data Protection Officer(s)
  • Central hub for data subject rights fulfillment (this is a different topic from consent management and will be explained in another blog post)

More information about the platform can be found here: Consent Lifecycle Manager. Feel free to comment and ask questions; I am looking forward to an open discussion.