While there are some exceptions for small companies doing infrequent collections, if you’re collecting personal information from European citizens, the upcoming General Data Protection Regulation imposes some very specific documentation requirements. Ensconced in Article 30 of the GDPR, these requirements include:
- The name and contact details for the controller and the controller’s DPO
- The purposes of the processing
- Who the controller might allow to access the data
- Where the data might be transferred
- How long the controller plans to keep the data (where possible)
- A description of how the controller plans on protecting that data
But many data collection operations are ongoing. While some processing operations are specific programs or products with start and end dates, it’s rare that data is collected in a way where it all stays in one bucket and it can be hard after the fact to identify how it was collected and what consent is attached to it.
In fact, the Kantara Initiative’s Consent and Information Sharing Work Group has been working on this problem since before there was an Article 30 or GDPR. Recognizing the desire of privacy programs globally to manage and document what consent is attached to what personal information, the group has been working on a so-called “consent receipt” specification so that it’s clear to both parties — data controller and data subject — what consent has been granted for which data and how that data is going to be used, stored, and destroyed.
And all the work is open source.
This spring, Kantara released its consent receipt API documentation to the public. You can see the sample Consent Receipt Generator here (and a link to the API documentation can be found here in the IAPP Resource Center). As you’ll see, the form generates a receipt that the data subject can download and is both human- and machine-readable.
“We’ve got our version 1 of the specification out, and we’re getting feedback on that,” said Colin Wallis, Kantara executive director. Already, he said, a version 1.1 is in the works that addresses comments raised such as a need to have multiple controllers for the same collection. “The spec was originally drafted with the notion of having one data owner, one data controller,” he said.
But what happens in the case where a credit card company is collating information on behalf of a bank and they’re both going to process the data? Well, both controllers need to appear on the same receipt. That’s an example of community feedback being fed into version 1.1.
“Subject matter experts volunteer their contributions while sponsorship, donations, and directed funds are sought for editing and project management,” Wallis noted, and almost everything Kantara produces is free of charge. The organization’s revenue comes from member dues alongside its Assurance accreditation program in the areas of identity and personal data. In the same way that Kantara certifies that organizations are implementing the Identity Assurance program effectively, it is actively working towards assessment and approval of the proper use of the consent receipt specification, and consent management systems in general, for release later next year.
For now, Wallis said, Kantara is hoping organizations pick up the consent receipt specification and start using it, providing feedback on what’s missing or how it could be improved. Vendors may even start integrating it into their own product offerings, where they layer other valuable capabilities on top of the base specification. For those without a robust IT department, that may be the biggest benefit the specification provides.
Already, however, Kantara is seeing interest in a range of overlays and profiles that address specific industry needs and for the GDPR itself. Wallis pointed to efforts in the ad tech industry, for example, to integrate consent into the programmatic advertising process to help make it fit for purpose in the GDPR era. Similarly, future uses might include a solution for the parental consent requirement of the GDPR. The good thing about open source specifications is that organizations can adjust them as they see fit.
According to Wallis, Kantara is experiencing a good uptake of the spec, thus far: "The plan has gone well."