Creating an intuitive user experience and maintaining an accurate single view of and towards the consumer, while addressing continuous privacy protection in a GDPR compliant manner, is the balancing act for today’s businesses. It is about building trust by protecting data, by transparent communication throughout the customer journey, by empowering consumers to control their preferences and privacy at any moment and by doing this at internet scale. iWelcome’s CIAM platform is the enabler for all of this.
If the processing of data is not covered by one of the bases for processing stated in the GDPR, a consumer needs to give consent to the use of his or her personal data. The use of the data should be linked to one or more specific bases purposes.
Data controllers have to be able to demonstrate that the consumer has consented to processing of his or her personal data. Consumers should also be able to withdraw their consent, just as easy as it was given.
The Awesome Automobiles website (owned by MagazineMonsters), using the iWelcome CIAM platform, offers social registration and uses consent lifecycle management to ask Gustav for consent to use his Facebook data, while being transparent on the scope of use of all data items. The consents, inclusive timestamp and source and the scope of use are stored in the iWelcome CIAM system.
Processing of data can be fair and lawful, for instance, if the data is needed for the performance of a contract. If personal data has only been provided to perform a contract, it cannot be used for any other purpose, unless the data controller asks for specific consent for this new purpose.
The Awesome Automobiles website, offers a full registration for personal data and payment details. Consent is not needed for these items, because they are necessary for the performance of the contract. In addition, the platform offers the option to enrich a profile with extra information and preferences, in this case family composition. For the use of this additional data, consent should be given.
Below the age of 16, parental consent must be given when services that require consent are offered directly to a child. European countries have some freedom to implement another age limit, as long as it’s not under 13.
The Awesome Automobiles website is aware that it needs consent from a parent of Guinevere. As Gustav is registered as ‘parent’ and Guinevere as ‘junior member of the family’, consent from Gustav will be required.
Every consumer has the right to obtain the erasure of personal data concerning him or her. This applies if the personal data is no longer necessary in relation to the purposes for which it was collected, unless the data (or part of it) has to be kept longer due to regulatory compliance.
For auditability and to trigger any additional process that may be needed, the system will notify assigned staff (DPO or administrator) of MagazineMonsters that Guinevere made use of her right to erasure. The iWelcome IDaaS platform will remove all Guinevere’s data it holds, including any provisioned data in target applications.
Personal data should be adequate, with relevance and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’).
Consumers have the right to know whether or not personal data concerning him or her is being processed and where that is the case, access to the personal data and the purpose of the processing.
Consumers have the right to obtain rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, consumers have the right to have incomplete personal data completed.
The Awesome Automobiles website and app, offer a ‘MyPage’ section to manage profile information. On this ‘MyPage’, Gustav can see all the personal data that Magazinemonsters has stored. He sees what the purpose of processing is (contract, consent, legal, other), can rectify any inaccurate information and can complete any missing information. The system offers a consent-API to store all additional consents from Magazine-monsters and will show Gustav those additional consents in the privacy part of his ‘MyPage’ with the possibility to withdraw the given consent(s) at any time.
Consumers have the right to receive their personal data in a structured, commonly used and machine-readable format, to transmit the data to another controller. If technically feasible, data can be transmitted directly from one controller to another on request. This is known as the ‘right to data portability’.
Carsecure’s website, also using the iWelcome IDaaS platform, has a ‘MyPage’ that offers the possibility to export personal profile information and to receive that in a machine readable format in an email to the consumer or directly to another data controller (Safe4You). Any further consent lifecycle steps will be handled by the CIAM system of Safe4You.
Personal data should not be kept longer than necessary for the purposes for which the personal data is processed. Apart from processing for commercial reasons, processing for compliance with legal obligations is often necessary, which leads to longer data retention periods.
Personal data can be stored by data controllers in case of legal obligation.
Consumers have the right to receive information concerning the period for which the personal data will be stored, or if that is not possible concerning the criteria that apply to the duration of the data retention.
Carsecure, has the possibility to log and store a retention date for every collected data item. This is stored in the metadata of that specific data item. Policy driven data management can constantly verify that metadata and act accordingly. As the metadata is directly connected to the data item in the consumer profile, it can be made visible through the ‘MyPage’ if desired for transparency purposes.
When consent is required, it must be freely given, specific, informed, and unambiguous and the individual must have the possibility to withdraw consent at any time, as easily as it was given.
From the start the service needs to be designed with security at top of mind. This includes security policies enforced on the whole service and the following of secure coding best practices.
Information about the period data will be stored for needs to be specified.
By default, personal information must be kept only for the amount of time necessary to provide the product or service and only the minimum data required to complete the business function can be used.
By design, the service needs to take privacy into account on all personal data, from the start of the service.
Allows individuals to require the data controller to erase their personal data without delay in situations such as when they withdraw consent or when the processing of the consent was unlawful. Individuals also have the right to rectify inaccurate personal data.
Individuals have the right to transport their personal data from one organisation to the next.
This allows individuals to require erasure of their personal data by the data controller. Without delay, in situations such as withdrawal of consent or when the processing of consent was unlawful.
Individuals must have access to their personal data and the right to rectify inaccurate personal data.
The individual needs to be sufficiently informed to ensure fair and transparent data processing. The information must be provided in a concise, transparent, intelligible, and easily accessible form.
GDPR stands for General Data Protection Regulation and will come into force the 25th of May 2018. This regulation has the purpose to protect personal data of European citizens.
There’s a negative and a positive approach…. Let’s start wit the negative: the fines can be huge. It’s either 20 million euro’s or 4% of your company’s worldwide revenue.
The positive approach: You earn the trust of your customers. For years consumers have felt watched and tricked by marketing schemes based on their data. What better way to earn their trust again than be transparent in building your relationship with them?
Becoming compliant is a complex process and will take a lot of attention, consulting and auditing and therefore time, energy and money in the months prior to the enforcement of GDPR. But don’t forget the impact of being onwardly compliant. The phase of being compliant is where a well-designed CIAM platform can support you in day to day GDPR-aspects, for example consent and transparacy.
This is our website so of course we have a pitch why we should be implemented everywhere ;). Our platform provides a 360-degree view over the user population in order to support your omnichannel interactions. Secondly privacy protection is embedded in our DNA. iWelcome is born in the EU and has architected its IDaaS and CIAM platform with EU data protection & privacy in mind. And last but not least: we have a unique approach to Consent Lifecycle Management (CLM), highly valued by analysts as Gartner and KuppingerCole.
Consent is a very important aspect in the GDPR legislation; If the processing of data is not covered by one of the necessary bases of processing stated in the GDPR (eg performing of a contract), a consumer needs to give consent to the use of his or her personal data. The use of the data should be linked to one or more specific purposes. iWelcome has a unique way to store the consents, inclusive timestamp, source and the scope of use in the iWelcome CIAM system.
Yes, that is true, however, keep in mind that data minimisation requires you only to collect data you will actually need for the fulfillment of the contract. The collection of extra data or ‘future use’ of data that is not mandatory to fulfill the contract is not covered by this and needs additional consent or another legal basis (Article 6) like ‘compliance with a legal obligation’.
Consent needs its own lifecycle management, as it will change over time unless your business is very static itself. The application (e.g. the eBusiness portal) should check if the proper consent is in place and trigger for consent if not, or trigger for an update (of consent or scope) if needed. If the consent status ‘travels’ with the user when he accesses the application/service, let’s say in an assertion, then the application/service can easily check and trigger (or ask itself) for consent or scope change. And register the consent back in the central place that had to send the assertion in the first place, so a close loop. Otherwise, the application can/needs to check the consent (API call) before it can act, ask consent if needed, and write it back (API call).
Purpose is referring to ‘the purpose of the processing’ and should be specific, explicit and legitimate. ‘Marketing’ (or any other generic thing) is not specific enough; it should state what kind of marketing actions, like profiling or specified tailored offerings.
You can collect data, e.g. based on certain types of cookies for which permission is not required, (following ePR rules) and that data could be outside GDPR if you can’t trace it back to an actual individual. If you let him/her register himself for e.g. a newsletter and you ask personal information, then it falls under the GDPR. However, you might be able to stay away from asking consent if you can use another legal basis stated in article 6 for lawful processing. Let’s say a person wants to subscribe to an online magazine, then you only need the email address, and as such, that is enough to fulfill “the contract.” If you ask more, e.g. name, telephone number, etc., which you don’t actually need, then you need to use consent and have to specify a legitimate purpose.
We advise that you keep proof of consent for as long as you keep the personal data. Even if a customer is not your customer anymore, and often long after consent is withdrawn, as companies have legal obligations to keep data under f.i. business and tax laws.