When tackling the EU General Data Protection Regulation, mParticle General Manager, EMEA, Tim Norris said one of the first lessons to learn is that any efforts to solve challenging aspects of the new rules will require the efforts of more than just one company.
It is one of the fundamental principles behind OpenGDPR, an open-source framework aimed at helping organizations handle data subject access requests.
Customer data platform mParticle has been working with engagement platform Braze, and analytics platforms Amplitude and AppsFlyer to create the framework, laying out three goals for the project: offer a JavaScript Object Notation specification — a format for structuring data — to allow controllers and processors to manage data subject access requests in an efficient manner; provide cryptographic verification of request receipts in order to demonstrate accountability to regulators; and create a callback mechanism to give controllers the ability to track the statuses of the requests.
In a phone interview with Privacy Tech, Norris and mParticle Data Protection Officer Aurélie Pols discussed the genesis of OpenGDPR, and the future of the open-sourced project.
Only half a year ago, mParticle was focused solely on building consent tools for its own customers, but discussions with those customers opened the company’s eyes to a larger problem.
“It was about six months ago that we became acutely aware of this bigger industry-wide issue, which was that every single controller is building some form of internal tool and has been building out some kind of custom APIs to extract and retrieve information from big marketing clouds, advertising systems, and internal databases, and basically they were banging their heads against the wall,” said Norris.
The OpenGDPR GitHub page offers definitions of data subject, controller and processor, a diagram outlining the flow of a data subject access request, and an overview of the HTTP methods used for communication between controllers and processors. The page also includes sample API code showing what a response would look like.
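The receipt-verification goal described above, sketched as an added example (not code from the OpenGDPR project or its GitHub page): a processor signs its acknowledgement of a request, and the controller verifies it before keeping it as evidence. All field names, the callback URL and the choice of RSA with SHA-256 are assumptions made for illustration.

```javascript
// Added example; field names are constructed, not the OpenGDPR specification.
const nodeCrypto = require("node:crypto");

// Processor key pair, generated inline so the example runs offline. A real
// controller would get the processor's public key through a trusted channel.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
});

const sha256Hex = (text) =>
  nodeCrypto.createHash("sha256").update(text).digest("hex");

// Controller: serialize a data subject request (constructed sample fields).
function buildRequest(id, type, email) {
  return JSON.stringify({
    request_id: id,
    request_type: type,
    subject_identities: [{ type: "email", value: email }],
    status_callback_url: "https://controller.example/callback",
  });
}

// Processor: acknowledge the request and sign the exact receipt bytes.
function issueReceipt(requestBody, receivedTime) {
  const body = JSON.stringify({
    request_id: JSON.parse(requestBody).request_id,
    request_hash: sha256Hex(requestBody), // binds receipt to this request
    received_time: receivedTime,
    status: "pending",
  });
  const signature = nodeCrypto.sign("sha256", Buffer.from(body), privateKey);
  return { body, signature: signature.toString("base64") };
}

// Controller: check the signature first, parse only authenticated bytes,
// then confirm the receipt refers to the request that was actually sent.
function verifyReceipt(requestBody, receipt, processorKey) {
  const sig = Buffer.from(receipt.signature, "base64");
  if (!nodeCrypto.verify("sha256", Buffer.from(receipt.body), processorKey, sig)) {
    return "bad signature";
  }
  if (JSON.parse(receipt.body).request_hash !== sha256Hex(requestBody)) {
    return "receipt is for a different request";
  }
  return "ok";
}
```

Storing the request body, the receipt body and the signature together lets the controller re-run the same check later when it has to show that a request was handed to a processor.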
Despite only being launched a few weeks ago, the framework has become one of the most followed GDPR projects on GitHub, as the group of companies looks to create a standard organizations can use for provisions such as Article 19 of the GDPR.
This has led to various privacy professionals lending their knowledge to the open-source project, but getting it off the ground was not an easy task.
Managing the expectations and desires of four companies meant it was difficult to please everyone, Norris said, as all four organizations sought to have their legal counsel and privacy officers contribute to best represent what they wanted, which delayed the launch of the project.
Eventually, the four companies were able to agree on the project, and the feedback started coming in.
“Some of the people who are going to comment on this are privacy experts and people who understand the ins and outs, and people who are interpreting the GDPR in different ways to the way that we necessarily have, which is an interesting challenge, and will be a hard thing to manage, to manage a non-partisan, very technical independence, while managing those possible readings of the GDPR,” said Norris.
OpenGDPR is gaining traction as the implementation date for the new rules is only weeks away. Pols described data subject rights as one of the last frontiers of the GDPR, and one that privacy professionals have started to really focus on now that other issues such as the contracts companies will need to sign and data retention periods come into place.
“I think the crux of this, and the big issue for certain vendors because of the way they set up their tools over a decade ago, is the idea of data subject rights,” said Pols. “I remember years ago, people within the industry had the idea of asking for identifiers and for cookies to be deleted, and the people in the digital sector were looking at them like they were crazy, and they kept on believing that until somebody comes up with a solution to say that it is actually possible.”
The GitHub page also lists areas the specification does not cover, including the definitions of technical measures describing a completed data subject request and the protocol for communications between data controllers, processors, subjects and authorities.
A GDPR specification is not only an engineering task but also comes with notable legal considerations, Norris said, meaning an emphasis on transparency was necessary.
Norris said privacy professionals are finding OpenGDPR through word-of-mouth and conversations the four companies are conducting with potential contributors. He noted the groups are not working to sell a product but to produce a useful resource to tackle challenging new rules.
The four companies are expecting more organizations to offer their services to the framework as time goes on, while those working on the project have their own goals in mind for OpenGDPR.
“I want to see it grow. I want to see it broaden so it’s not just technology companies steering it,” said Norris. “I absolutely want to see it endorsed in some shape or form by industry bodies and privacy professionals as a good solution.”