Co-author: Pranay Prakash
Understanding Consents – GDPR Perspective
Consent management is amongst the most important topics to be addressed as part of the GDPR compliance charter. It is not a new subject, but the expansion of fundamental rights under the General Data Protection Regulation, coupled with higher fines for non-compliance and the shift from “implicit” to “explicit” consent, makes it more complex than meets the eye.
GDPR defines consent of a data subject as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
GDPR sets a high standard for consent. This gives data subjects genuine choice and control over how anybody uses and consumes their personal data. Effective GDPR consent management helps organizations build trust with their customers and also enhances their own reputation.
The Principles, Conditions and Challenges
Organizations broadly agree that an effective consent management mechanism must adhere to the following principles and conditions:
Principle (GDPR Art. 5(1)(b))
- The GDPR not only requires explicit consent before collecting sensitive personal data, but also limits that data collection to "specified, explicit and legitimate purposes," and the data "must not be further processed in a manner that is incompatible with those purposes."
Conditions (GDPR Art. 7)
- Keeping records to demonstrate consent
- Customers must be enabled to view, modify, and withdraw their consent anytime
- All consent requests should be clear
- If consent is tied to a contract, it is essential that the consent is still given freely
- Specific conditions for children’s consent (GDPR Art. 8)
The above-mentioned conditions make consent management one of the most challenging requirements of the GDPR, and from them arises the need for an effective Consent Lifecycle Management System.
The key challenges are:
- The lack of a formal mechanism within the organization to track the consent of an individual
- Data in silos – personal data is scattered across the organization within different business units
- Countless existing databases of customers and prospects accrued over the years
- Absence of a single, consistent data source (a consent management data warehouse)
- Uninformed and ad hoc sharing of personal data between business functions
- Personal data shared with third-party vendors
- No formal contract with third-party providers and no formal information given to data subjects about their rights
- One tick does it all – the usual old ways of collecting consent with pre-ticked boxes
- Ineffective mechanisms to track unstructured data, including customer data on laptops, SharePoint portals, etc.
Consent management has become a tricky subject for many mid-to-large organizations, where there is no enterprise-wide view of data about individuals. It is to be noted that by the word “individuals” we could be referring to customers, employees, clients, temporary staff, etc., which further complicates the quest. When an organization needs to associate a GDPR consent with a specific individual and maintain the entire log of consents exercised by that individual, the challenge is even greater. Though it sounds very easy, most organizations find this difficult, as they hold personal data on individuals spread across business and IT functions that run in silos, or have inconsistent ways of identifying the data subject across systems and processes.
From “I do” to “I don’t” – The Approach
An online consent management system has to be built from the ground up with the data subject at the forefront, mapping, tracking, storing, and deleting consents. Consent is one lawful basis for processing, and explicit consent additionally helps legitimize the use of special category data, restricted processing, automated decision-making, or overseas transfers.
HCL, along with its technology partners, has developed fitting solutions to help organizations solve this problem. Our three-phased approach, enabled by technology platforms, helps associate explicit GDPR consent data with specific individuals and stores it centrally, thereby addressing concerns around traceability. We help organizations leverage an automated data mapping approach to scan and map (with the data subject’s consent) on-premises and cloud data sources, identify personal information, and then catalogue that information by data subject at scale.
Our approach has been helping organizations understand the underlying principles they need to adopt.
Asking for consent
- Check that consent is the most appropriate lawful basis for processing.
- Requests for consent should be prominent and separate from terms and conditions.
- Ask the data subject to positively opt in.
- Don’t use pre-ticked boxes, or any other type of consent by default.
- Use clear, plain language that is easy to understand.
- Specify why we want the data and what we’re going to do with it.
- Give granular options to consent to independent processing operations with respect to various divisions and functions.
- Name our organisation and any third parties.
- Tell individuals they can withdraw their consent.
- Ensure that the individual can refuse to consent without detriment.
- Don’t make consent a precondition of a service.
- If offering online services directly to children, seek consent only if age-verification and parental-consent measures are in place.
Recording consent
- Automate and systematize consent record keeping.
- Integrate with BI and marketing systems to avoid automated decision-making.
- Maintain a complete record of when and how consent was received from the data subject.
- Keep a record of exactly what they were told at the time.
- Use a centralized database for efficient tracking of consent records, feeding all other applications/systems for effective consent management.
Managing consent
- Regularly review consents to check that the relationship, the processing and the purposes have not changed.
- Have processes in place to refresh consent at appropriate intervals, including any parental consents (if applicable).
- Enable privacy dashboards or other preference management tools.
- Simplify the process for individuals to withdraw their consent at any time, and publicise how to do so.
- Act on withdrawals of consent within the published timelines communicated to data subjects.
- Retention management.
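The recording and managing principles above amount to a small data model: a per-purpose, append-only consent ledger that records when and how each consent was given or withdrawn and what the subject was told, answers “does this subject consent to this purpose as of this date?” with no pre-ticked default, and flags consents due for refresh. The following is an added illustration written for this article, not HCL’s or any partner’s product code; the subject ids, purposes, notice texts and the 365-day refresh interval are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # one granular processing purpose, e.g. "marketing-email"
    given: bool       # True = consent granted, False = consent withdrawn
    at: datetime      # when it happened (timezone-aware, UTC)
    method: str       # how it was collected, e.g. "web-form", "privacy-dashboard"
    notice_text: str  # exactly what the data subject was told at the time

def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)
class ConsentLedger:
    """Append-only, per-purpose consent record; events are never edited or deleted."""
    def __init__(self, refresh_days: int = 365):
        self._events: list[ConsentEvent] = []
        self.refresh_after = timedelta(days=refresh_days)  # review interval (assumed)

    def grant(self, subject_id: str, purpose: str, method: str,
              notice_text: str, at: datetime) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, True, at, method, notice_text)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, method: str,
                 at: datetime) -> ConsentEvent:
        # A withdrawal is a new event; the original grant is never deleted.
        ev = ConsentEvent(subject_id, purpose, False, at, method, "")
        self._events.append(ev)
        return ev

    def history(self, subject_id: str) -> list[ConsentEvent]:
        mine = [e for e in self._events if e.subject_id == subject_id]
        return sorted(mine, key=lambda e: e.at)  # stable sort: ties keep insertion order

    def _latest(self, subject_id: str, purpose: str, as_of: datetime):
        hits = [e for e in self.history(subject_id) if e.purpose == purpose and e.at <= as_of]
        return hits[-1] if hits else None

    def has_consent(self, subject_id: str, purpose: str, as_of: datetime) -> bool:
        """No event for this purpose means no consent: nothing is pre-ticked."""
        latest = self._latest(subject_id, purpose, as_of)
        return latest is not None and latest.given

    def needs_refresh(self, subject_id: str, purpose: str, as_of: datetime) -> bool:
        """A consent still in force but older than refresh_after is due for renewal."""
        latest = self._latest(subject_id, purpose, as_of)
        return latest is not None and latest.given and as_of - latest.at > self.refresh_after
```

Because `has_consent` is evaluated as of a date, the same ledger answers both the live question (“may we process now?”) and the evidentiary one (“did we have consent when we sent that campaign?”).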
By carefully mapping and tracing the journey of a data subject’s consent, from the moment it is given to an organization until it is withdrawn or changed, our solutions aim to simplify the overall process for organizations large or small. It is about connecting the dots along the journey of a consent from “I do” to “I don’t”.