Consent Management

Consents on Documents & Attributes

Consent for the processing of personal data is a major theme in GDPR. It should be given “freely, specific, informed and unambiguously”. iWelcome provides the foundation for the customer dialogue, 'flows' for progressively capturing data and consents in an advanced meta-data model:

consents for (updated) privacy statements;
preferences and consents for all data attributes needed;
consumer consent at the right time (JIT consent);
parental consent for underaged consumers;
all processing purposes per attribute.

Right of access, manage & withdraw consents

Allowing consumers to view, edit, download and delete their personal and consent data is not only a strict GDPR requirement: it is one of the cornerstones for building trusted consumer relationships.

With iWelcome's consent solution, you can either use a white-labeled self-service portal or choose to use your own portal complimented with our RESTful APIs. When using the consent module on top of iWelcome's Consumer IAM platform, consumers are offered one overview of all personal identity information including consent and preference settings.

GDPR and privacy reporting

In a heterogeneous IT-environment with front-office and back-office applications, Data Privacy Officers have a hard time fulfilling their legal obligations for keeping an up-to-date inventory of data collected and their processing purposes (GDPR article 30).

iWelcome traditionally provides the Single-Source-of-Truth (SSoT) for Identity data. With CLM, iWelcome also provides the SSoT for consented processing purposes. Consents are stored in iWelcome's (meta-)data model and kept actual. Changes in consent data are automatically propagated via the Consent-API for use by all other systems. As a consequence DPO's have their up-to-date inventory and reports at their finger tips.

Integrating with existing IAM solution

Many organisations already use customer registration and login, either home grown or a SaaS product. With GDPR they are confronted with new legal requirements that can not be fulfilled. At the same time they do not want to disinvest in their current solution.

iWelcome Consent Lifecycle Management is the perfect solution. It can be delivered as separate module, complementing an existing Consumer IAM ecosystem. All fully API-based, minimising the impact of integration. With this CLM-as-a-Service, you can offer full control to consumers, while allowing your own staff to optimise internal processes as customer care, auditing and cross- and upselling.

Document and Policy consent

Although GDPR has standardised privacy policies across Europe, per language, region and division you may need to implement different policies. And policies change over time. At best enforcing policies can be called inefficient and not scalable.

When (new) policies are published, iWelcome collects the user consents on these policies. These 'document' or 'policy' consents are centrally stored and made available for the end-user as well as for the DPO.

Policy enforcement is configured in the registration and login flows. The iWelcome UI can be used, or the customer can build own UI and integrate via API's.

Data-attribute consent

Consent under GDPR needs to be given by end-users (data-subject) for the processing of personal data (unless one of the exemptions of article 6 applies). That consent needs to be “freely given, specific, informed and unambiguously”. In other words: it must be crystal clear. Organisations need to be clear on what they are using an individual’s personal data for, the individual needs to be well informed about it and must make his or her decisions freely. Pre-ticked boxes that need to be un-ticked are also specifically forbidden in GDPR as this may indicate a preferred choice.

This rule impacts CIAM systems as storing the data is – by law – called “processing”. And as most personal data will be stored in the users profile, a key section in a CIAM system, consent mechanisms need to be present.

iWelcome provides a unique database structure for consent, leveraging the NIST 8112 standard for meta-data. For every data-attribute of a user, multiple processing purposes can be stored. Examples are that an email address can be used for new product information, and customer care, but not for marketing.

Course grained consent is not specific and is therefore not allowed under GDPR.

Multiple processing purposes

Consent according to GDPR needs to be “freely given, specific, informed and unambiguously”. In other words: Organisations need to be crystal clear on what they are using an individual’s personal data for. As a consequence, there can be multiple processing purposes per data-attribute. Let's take the example of an email address. This can be used for self -service, for customer care, for new product information, for marketing, etcetera... and the customer decides!

With iWelcome you can store multiple processing purposes per data-attribute, just like GDPR requires. That is the advantage of the flexible (NIST 8112) meta-data model that iWelcome uses. The processing purposes can be propagated to other applications so that these applications are aware of the specific choices of the 'data-subject'.

Meta-data model (NIST 8112)

The requirements of modern privacy laws drive the need for a new data model. For every data-attribute multiple processing purposes must be stored, as well as retention policies. Also anti-money laundering rules in the financial services industry, referred to as 'Know Your Customer' do require information about the data-attribute, like the origin of the data-attribute and the Level of Assurance (LoA).

Combining these needs, iWelcome has foundational implemented a new data model, based on the NIST standard for meta-data, NIST 8112. Meta-data is at the core of this data-model. For every data-attribute additional information can be stored in the meta-data, like:

Last update
Mandatory y/n
Provider name, e.g. "Facebook"
Multiple Consents
- Processing purpose, e.g. "customer care"
- Y/N
- Date
Verifier, e.g. "not verified"
Classification, e.g. "confidential'
Data deletion, e.g. "12 months after last login"
Expiration date, e.g. "12 months after last update"
Parental control y/n
Parent ID's, e.g. User-ID's

This data model gives iWelcome sheer unlimited capabilities for implementing fine-grained consent, Know your Customer, Parental Control and data retention policies.

Consent API

There is no such thing as a standard for customer identities. Depending on the case it is build up from portals, apps, internal and external validations, back-office and third party applications. And at the same time GDPR requires you to keep an up-to-date inventory of consented data. this drives the need for a Single-Source-of-Truth that can, not only integrate identity data, but also integrates consent data.

This is exactly where iWelcome's Consent-API comes into play. The Consent-API is a core element for collecting consents from other systems. A customer dialogue in a portal for Just-in-Time consent "may we know your <data-attribute>, so that we can <processing purpose>", can easily integrate with iWelcome via the Consent-API. This foundational component is used by any interface with the customer, even the native interface iWelcome provides.

Consents also need to be interfaced with other applications. iWelcome provides an 'event API' and customers can use the Consent-API' for collecting consents stored in iWelcome's SSoT for consented identity data.

Detailed information can be found in iWelcome's Developers Portal.

Integrating with existing CIAM solution

Some companies have an existing CIAM solution, but integrating Consent Management is complicated within that existing infrastructure. iWelcome has set up a CLM proposition that can be delivered as a separate module, complementing your current Consumer IAM solution. Our CLM proposition is fully API-based, so the impact of integration will be minimal and on organisation can become GDPR-proof at reasonable cost.

Right of Access

The data subject can access the personal data that was collected and make corrections and updates

DPO reporting and Up-to-date inventory

With consumer data being stored and managed in different back-end systems, DPOs face a difficult and labour-intensive task. In many cases, proving GDPR compliancy requires extracting data manually from a number of different back-end systems.

With the iWelcome CIAM solution, all data is stored and managed in one platform, including all consent data. Not only the actual consent, but also the processing purpose, date of consent, data retention policy for consent: it is all there in one overview.

iWelcome's way of storing consent enables organisations to create one 360º-view of their consumers. This helps marketing & sales for cross- and up-selling, customer care can provide better support and compliance officers can gather all required consumer identity data from one single source.

Just-in-Time Consent and customer dialogues

"She said yes!" is the ultimate consent when people are in love. In business users will not be that enthousiast, but proper questions at the right moment are the basis for trusted digital engagements. Embedding consent in your dialogue design is referred to as Just-in-Time (JIT) Consent.

When should consent be requested?

First of all, consent should be requested when individuals are asked for input of (new) personal data unless one of the exemptions applies (for instance the processing of data “for the performance of a contract”, GDPR article 6).

Asking for a delivery address for a book that the individual ordered in an online bookstore is fine, but you can only use the information for that purpose and nothing else unless you ask for consent (specifying information and reason) for that. Asking for a phone number in case there is a problem sending the book is fine if you specifically mention that use and leave the choice up to the customer. However, you are not allowed to use the phone number for anything else in the future, so it is better to keep it only for a month (retention) and/or ask consent to store that information for further order tracking as well. For sensitive personal data like biometric data or genetic data, you always have to ask consent (unless one of the exemptions of article 9 applies). In the law this is referred to as “explicit consent” meaning that you have to do an affirmative act which can be to check a box to confirm that the data you have just entered will be used for the reason specified. In the case of the delivery address, it was enough to mention at the address box that the address would only be used to send the book. Without the need of a tick in the box.

Consent in SAML/OIDC Authentication

Consents stored in iWelcome can be integrated in SAML- or OIDC-tokens. Relying parties can use this information for opening or restricting their services. Privacy control is at the heart of your information flow.

Awesome information your visitors need, just a click away

Edit this rich-text to provide the visitor with all appropriate information. You might add images, calls-to-action, horizontal rules, videos, quotes, etc. All this and more can be done through the text editor.

Awesome information your visitors need, just a click away

Solutions

Full Solutions

On-Top Solutions

Industries

About Us

Resources

Solutions

Full Solutions

On-Top Solutions

Industries

About Us

Resources

Consent Management

Consents on Documents & Attributes

Right of access, manage & withdraw consents

GDPR and privacy reporting

Integrating with existing IAM

Learn how CIAM can help you become GDPR compliant

Consents on Documents & Attributes

Right of access, manage & withdraw consents

GDPR and privacy reporting

Integrating with existing IAM solution

iWelcome's Consent Management Key Features

FAQs

Basic

Pro

Blogs on Consent

Solutions

Industries

About Us

Resources

Support

Connect