While there are some exceptions for small companies doing infrequent collections, if you’re collecting personal information from European citizens, the upcoming General Data Protection Regulation imposes some very specific documentation requirements. Ensconced in Article 30 of the GDPR, these requirements include:
- The name and contact details for the controller and the controller’s data protection officer (DPO)
- The purposes of the processing
- Who the controller might allow to access the data
- Where the data might be transferred
- How long the controller plans to keep the data (where possible)
- A description of how the controller plans on protecting that data
But many data collection operations are ongoing. While some processing operations are specific programs or products with start and end dates, it’s rare that data is collected in a way where it all stays in one bucket, and it can be hard after the fact to identify how it was collected and what consent is attached to it.
In fact, the Kantara Initiative’s Consent and Information Sharing Work Group has been working on this problem since before there was an Article 30 or GDPR. Recognizing the desire of privacy programs globally to manage and document what consent is attached to what personal information, the group has been working on a so-called “consent receipt” specification so that it’s clear to both parties — data controller and data subject — what consent has been granted for which data and how that data is going to be used, stored, and destroyed.
And all the work is open source.
This spring, Kantara released its consent receipt API documentation to the public. You can see the sample Consent Receipt Generator here (and a link to the API documentation can be found
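To make the "clear to both parties" idea concrete, here is an added Python example of what a consent receipt record looks like and how a controller might check one before issuing it. This is illustrative code written for this page, not Kantara's Consent Receipt Generator or its API. The field names (`consentTimestamp`, `piiControllers`, `services`, `purposes`, `termination`, `thirdPartyDisclosure`, and so on) are assumed to follow the Kantara Consent Receipt Specification v1.1; the controller, subject and purpose values are constructed sample data. The receipt ID is a content hash, so a receipt whose purposes, controller or retention text have been altered after the fact no longer matches its own ID.

```python
"""Build and validate a minimal consent receipt (added example, not Kantara code).

Field names are assumed to follow the Kantara Consent Receipt Spec v1.1;
all sample values below are constructed for illustration.
"""
import hashlib
import json
import time

# Top-level fields a receipt must carry before it is issued.
REQUIRED_TOP_LEVEL = (
    "version", "jurisdiction", "consentTimestamp", "collectionMethod",
    "piiPrincipalId", "piiControllers", "policyUrl", "services", "sensitive",
)
# Per-purpose fields: what is collected, why, for how long, and who else sees it.
REQUIRED_PURPOSE = (
    "purpose", "purposeCategory", "consentType", "piiCategory",
    "primaryPurpose", "termination", "thirdPartyDisclosure",
)
# Controller contact details (the Article 30 "name and contact details" item).
REQUIRED_CONTROLLER = ("piiController", "contact", "address", "email", "phone")


def receipt_id(receipt: dict) -> str:
    """SHA-256 over every field except the ID itself, in canonical JSON, so any
    later change to a purpose, controller or timestamp produces a different ID."""
    body = {k: v for k, v in receipt.items() if k != "consentReceiptID"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_receipt(controllers, subject_id, services, policy_url, collection_method,
                  jurisdiction, sensitive=False, spi_cat=None, timestamp=None):
    """Assemble a receipt and stamp it with a content-derived ID."""
    receipt = {
        "version": "KI-CR-v1.1.0",
        "jurisdiction": jurisdiction,
        "consentTimestamp": int(timestamp if timestamp is not None else time.time()),
        "collectionMethod": collection_method,
        "language": "en",
        "piiPrincipalId": subject_id,
        "piiControllers": controllers,
        "policyUrl": policy_url,
        "services": services,
        "sensitive": sensitive,
        "spiCat": spi_cat or [],
    }
    receipt["consentReceiptID"] = receipt_id(receipt)
    return receipt


def validate_receipt(receipt: dict) -> list:
    """Return a list of problems; an empty list means the receipt is complete
    and its ID still matches its content."""
    errors = []
    for field in REQUIRED_TOP_LEVEL:
        if field not in receipt:
            errors.append(f"missing top-level field: {field}")
    for i, ctrl in enumerate(receipt.get("piiControllers", [])):
        for field in REQUIRED_CONTROLLER:
            if not ctrl.get(field):
                errors.append(f"controller[{i}] missing {field}")
    if not receipt.get("services"):
        errors.append("no services/purposes recorded")
    for svc in receipt.get("services", []):
        for j, purpose in enumerate(svc.get("purposes", [])):
            for field in REQUIRED_PURPOSE:
                if field not in purpose:
                    errors.append(f"{svc.get('service')} purpose[{j}] missing {field}")
            # Disclosure to a third party is only meaningful if the party is named.
            if purpose.get("thirdPartyDisclosure") and not purpose.get("thirdPartyName"):
                errors.append(f"{svc.get('service')} purpose[{j}] discloses to unnamed third party")
    if receipt.get("sensitive") and not receipt.get("spiCat"):
        errors.append("sensitive flag set but no sensitive-PII categories listed")
    if receipt.get("consentReceiptID") != receipt_id(receipt):
        errors.append("consentReceiptID does not match receipt content")
    return errors


# Constructed sample data; no real controller or subject.
SAMPLE_CONTROLLER = {
    "piiController": "Example Shop Ltd", "onBehalf": False,
    "contact": "Data Protection Officer", "address": "1 Example Street, Dublin",
    "email": "dpo@example.com", "phone": "+353 1 000 0000",
}
SAMPLE_SERVICES = [{"service": "Newsletter", "purposes": [{
    "purpose": "Send a monthly product newsletter",
    "purposeCategory": ["Marketing"], "consentType": "EXPLICIT",
    "piiCategory": ["Email address"], "primaryPurpose": True,
    "termination": "Until unsubscribe; address deleted within 30 days of that",
    "thirdPartyDisclosure": True, "thirdPartyName": "Example Mailer Inc",
}]}]


def sample_receipt() -> dict:
    """Deterministic sample receipt (fixed timestamp so the ID is reproducible)."""
    return build_receipt([SAMPLE_CONTROLLER], "subject-0001", SAMPLE_SERVICES,
                         "https://example.com/privacy", "web form", "IE",
                         timestamp=1500000000)


if __name__ == "__main__":
    r = sample_receipt()
    print(json.dumps(r, indent=2))
    print("problems:", validate_receipt(r))
```

A real deployment would hand the receipt to the data subject (the spec also reserves a `publicKey` field for signing, which this example omits) and keep the controller's copy alongside its Article 30 record, so that the purpose, retention and third-party entries for a given piece of personal data can be looked up later from the receipt rather than reconstructed.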