By David Warburton, Senior Systems Engineer, F5 Networks
We’ve all ticked boxes, sent texts, and filled in forms loaded with personal details to unlock shiny new services, apps, and much more.
The problem is that we do not control what happens to that information, and we rarely know what to do about it when we are concerned. To date, the notion of consent has been an irreproachable, business-friendly practice that organisations have used to legitimise all manner of personal data processing.
Those days are over. The EU General Data Protection Regulation (GDPR) has changed the data protection and usage game, empowering citizens to take ownership of their personal data and compelling businesses to operate with greater digital responsibility.
Under the new regulation, the onus is on organisations to identify at least one lawful basis for each processing operation. GDPR defines consent as any “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Consent gathered in the traditional way, as a blanket justification for acquiring consumer information, will no longer suffice.
Where consent is the lawful basis, citizens' data should only ever be used when they have a realistic choice, including the option to withdraw consent at any moment. This means organisations must have the immediate operational and technological wherewithal to stop processing the data, delete it, or export it back to the customer. Failure to do so will incur GDPR's much-publicised and costly wrath. From now on, any consent request should be explicit, obvious and user-friendly. Businesses need to be completely transparent about purpose and process, providing a complete overview of all user rights.
GDPR’s stance on consent is set to have a profound impact on a wide range of industries. Consider, for example, an e-commerce company accustomed to freely leveraging customer data for multiple use-cases. From May 25th, 2018, it must identify all the different purposes for which it processes personal data. It must then document the correct lawful basis relevant to each purpose. Several other associated actions are also necessary, including providing information on the right to withdraw consent, as well as ensuring privacy policies are clear and accessible to customers.
The legal shake-up has prompted at least one major advertising company to relocate its headquarters from the EU due to an overreliance on consent as a data processing green light. Others are still playing catch-up to get their house in order. Recently, the Interactive Advertising Bureau (IAB) Europe released a draft tech specification of its open source GDPR Transparency & Consent framework for public comment. The goal is to help publishers, technology vendors, agencies and advertisers meet transparency and user choice requirements.
Personal data is now well and truly our exclusive property. Moving ahead, organisations must act as responsible stewards of that data, respect our wishes, and provide transparency at every juncture. They must choose the lawful basis that most closely reflects the true nature of their relationship with an individual and the explicit purpose of their data processing. If gaining consent proves difficult, it is probably because consent is not the most appropriate lawful basis in that instance.
Consent is still important, of course, and can be a viable conduit for rapid, innovative business practice. It just needs to be approached with greater care and specificity. Nor need it be a hindrance to commercial success in the long term. Transparency and best practice yield trust, enabling more robust customer relationships and receptivity to new, innovative services.
GDPR is a headline-grabbing piece of legislation, so expect high-profile public examples to be made of organisations found non-compliant. Comprehensive organisational changes are needed, including the introduction of data management best practice and the implementation of security technology capable of safeguarding personal data hotspots, such as applications hosted in multiple clouds.
Citizens have regained control of their personal data, and businesses must accept that the transactional relationship with customers has changed. Those on the right side of the law will stay compliant and keep pace with the digital generation. Those that have not done their due diligence will find themselves not just at the mercy of the law, but also facing the discontent of customers and the loss of their trust.