GDPR: Can Customers Bring their own Consent?

One of the most profound changes facing businesses as part of the impending GDPR legislation is the obligation to capture and store consent in order to process each individual’s personal data.

Regardless of the approach chosen, GDPR places the burden on every organisation with customers inside the EU (or EEA) to capture, manage and prove user consent. That’s a lot of software and process change to implement by May 2018.

For example, almost every business I transact with online will need to store records in their database that prove I consent to them temporarily storing my phone number, home and email address whilst I am awaiting a delivery from them, but that I am not prepared to receive email marketing from them or their (carefully selected) partners, nor do I consent to them storing my credit card details, date of birth, gender, job title or marital status for any period of time. Across every citizen in the EU, this will lead to a huge amount of duplication.

The legislation is detailed in this area – organisations are required to obtain explicit, specific and freely given consent for all forms of personal data processing (including storage), and must be able to prove this consent (i.e. make it auditable), as well as provide methods for individuals to revoke consent (and by extension, methods to remove the personal data linked to the consent).

This is a significant requirement, and necessitates a step-change in operational behaviour for the vast majority of businesses (outside of healthcare) who quite simply have never needed to take such a fine-grained view of consent before. Many organisations are still following a blanket “opt-in by default” approach to data capture, with users invited to untick the box if they do not agree to the stated use of their data.

To address this, there are Consent Management tools emerging from Identity and Access Management (IdAM) software specialists such as Forgerock, Gigya and Janrain, which provide this functionality as extensions to their Identity and Access Management platforms. My personal advice would be for organisations to read up on UMA and evaluate these tools before embarking on any software development in this area.

The question could be asked – is it possible to invert the approach so that a customer can bring their own consent: by providing a pre-configured consent profile up-front?

It doesn’t feel too difficult to imagine a simple lightweight consent profile that can be stored on any device, accessible to browsers and apps, that will cast my personal data consent preferences via request headers. Organisations would then be able to read these preferences and ensure any data storage complies with the prescribed consent. Simple web logs would be sufficient to demonstrate an audit trail, as the consent would implicitly form part of the request. If I wanted to alter my consent profile, I would adjust the settings centrally and they would propagate out to the companies I transact with as and when I transact with them, satisfying the revocation requirement of GDPR.

This is not a new concept – digi.me is one company that is looking into re-balancing the control individuals have over their personal data, and consent for sharing (via Consent Receipts) is a key part of their offering. Digi.me merged with US competitor Personal in August 2017; a sign that the personal data management market is maturing.

On a broader scale, Project VRM (Vendor Relationship Management), an academic development and research project from Harvard University, is focused on addressing the inherent imbalances between customers and vendors. The project points out the imbalance in the accepted language of Customer Relationship Management (CRM) – customers are “captured”, “acquired” or “locked-in”, and coined the acronym VRM to represent the customer-side counterpart of CRM.

The Project VRM spin-off and non-profit, Customer Commons, is defining pre-configured advertising rules to be stored on customer devices, which it hopes will redefine digital advertising.

Customer Commons wants individuals to telegraph their purchasing intent upfront, so publishers can provide tailored adverts without the need for the comprehensive location and behaviour tracking that underpins the adtech economy today.

To bring this around full circle, it is arguable that the big data surveillance activities of digital advertising are the primary target of the GDPR legislation, so a move away from behaviour tracking could limit an organisation’s exposure to GDPR’s aggressive penalties for non-compliance.

It feels to me that we will see increased legislation across the world around data privacy, consent and security over the coming years, and that GDPR will not be shown to be an outlier. Maybe this is the time to start to look at protocols and systems which will ensure that the management of each user’s personal data privacy and consent is vested with the individual, and not a burden on every business they meet.

Online resources

Leave a Reply

Your email address will not be published. Required fields are marked *