From an IT technician's point of view, those of us tasked with operationalizing mandated transparency and consent requirements from the EU General Data Protection Regulation before the May 25 enforcement threshold face a formidable challenge.
While EU users and regulators will be able to evaluate compliance with the new GDPR rules simply by viewing any public-facing data ingestion screen, we IT staff, who craft and maintain those screens, lack concrete requirements as to what actually needs to be changed or added at our existing user "touch points" to achieve and demonstrate compliance.
Experience tells us that IT implementations based upon ill-defined and amorphous specs often end poorly, yet the May deadline looms, and a strategy of inaction risks heavy sanctions as well as brand damage for the enterprise.
What to do?
For an answer, it is useful to step back and analyze the GDPR holistically, and from the standpoint of the EU leaders who drafted and enacted it in 2016. What were the overriding goals they sought to achieve through this legislation? In terms of privacy protection for their EU constituents, what are the most important long-term outcomes that will act to make this regulation an unqualified success for regulators and a privacy win for EU citizens?
First, look at the negative pronouncements in the GDPR. The framers explicitly sought to eliminate the common practice of citizens having to give up personal information without first being properly informed (see Article 12). They explicitly sought to eliminate the reality of citizens left without effective and informed choice (Article 7). And they sought to eliminate data controllers and processors acting without appropriate permission, leaving citizens with no control as their personal data was transferred to third parties and beyond (Rec. 32).
On the positive side, they created new standards for defining, obtaining, and maintaining consent (Articles 4 and 6); codified a number of new individual privacy rights for citizens; and mandated that citizens be advised of those rights on a regular and fully visible basis (Articles 12-21).
So, what can IT do today as the compliance deadline approaches?
I believe implementing a touch-point dialogue structure at the enterprise’s public-facing personal data ingress contact points is a practical, essential and initial step for implementing and demonstrating GDPR compliance. Implementing such dialogue capability publicly demonstrates solid commitment to the spirit of the Regulation, while putting the framework into place for expanding and optimizing the enterprise’s compliant UI/UX as guidance and codes of conduct become better defined over time. It signals publicly that the enterprise cares about citizens’ privacy and is reaching out as a best practice to build user trust.
Some boxes to check either with an internal or external solution might include: compliant transparency and notice support; an application programming interface to facilitate integration with existing enterprise infrastructure; full Article 6 processing flexibility; comprehensive consent flow support; rights presentation and negotiation support; user and administrative dashboarding; dialogue-event logging; and DPO/DPA accountability reporting.
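As an added illustration of three of the boxes above (consent flow support, dialogue-event logging, and accountability reporting for the DPO), the following Python sketch of an append-only consent ledger is included here; it is not code from the original post or from any vendor it mentions. Every class, method and sample record in it is a constructed assumption. The design point it makes is that a consent record is only useful if it captures which notice the user saw (transparency), which Article 6 basis the processing relies on, and when consent was withdrawn, and that the ledger never deletes events, so the enterprise can later demonstrate what it was permitted to do at any given time.

```python
"""Append-only consent ledger (added example, not from the original post).
All names and the sample events below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The six Article 6(1) lawful bases. Only "consent" can be withdrawn by the
# data subject; processing on the other bases does not depend on a grant.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}
ACTIONS = ("granted", "withdrawn")


@dataclass(frozen=True)  # frozen: a recorded dialogue event is never edited
class ConsentEvent:
    subject_id: str
    purpose: str          # the specific processing purpose the user was told about
    lawful_basis: str     # Article 6 basis relied on for that purpose
    action: str           # "granted" or "withdrawn"
    notice_version: str   # which privacy notice the user actually saw (Art. 12/13)
    timestamp: datetime


class ConsentLedger:
    """Records touch-point dialogue events and answers 'may we process X for Y?'."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []  # append-only; nothing is ever removed

    def record(self, subject_id: str, purpose: str, lawful_basis: str,
               action: str, notice_version: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        if lawful_basis not in LAWFUL_BASES:
            raise ValueError(f"unknown Article 6 basis: {lawful_basis}")
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        if action == "withdrawn" and lawful_basis != "consent":
            raise ValueError("only consent-based processing can be withdrawn")
        if action == "granted" and not notice_version:
            # Consent is not "informed" unless we can say which notice was shown.
            raise ValueError("a grant must reference the notice the user saw")
        ev = ConsentEvent(subject_id, purpose, lawful_basis, action,
                          notice_version, at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def is_permitted(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """The most recent event for (subject, purpose) up to `at` decides;
        a later withdrawal therefore overrides an earlier grant."""
        latest = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose \
                    and (at is None or ev.timestamp <= at):
                latest = ev
        return latest is not None and latest.action == "granted"

    def events_for(self, subject_id: str) -> list[ConsentEvent]:
        """Everything recorded about one subject, for an Article 15 access request."""
        return [ev for ev in self._events if ev.subject_id == subject_id]

    def accountability_report(self) -> dict:
        """Aggregate counts for the DPO; carries no subject identifiers."""
        report = {"total_events": len(self._events), "by_basis": {}, "by_action": {}}
        for ev in self._events:
            report["by_basis"][ev.lawful_basis] = report["by_basis"].get(ev.lawful_basis, 0) + 1
            report["by_action"][ev.action] = report["by_action"].get(ev.action, 0) + 1
        return report


def demo() -> ConsentLedger:
    """Constructed sample dialogue: one user grants newsletter consent, has an
    order processed on a contract basis, then withdraws the newsletter consent."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2018, 6, 1, 14, 30, tzinfo=timezone.utc)
    ledger.record("user-1001", "newsletter", "consent", "granted", "notice-v1", t0)
    ledger.record("user-1001", "order_fulfilment", "contract", "granted", "notice-v1", t0)
    ledger.record("user-1001", "newsletter", "consent", "withdrawn", "notice-v1", t1)
    return ledger


if __name__ == "__main__":
    led = demo()
    print("newsletter now permitted:", led.is_permitted("user-1001", "newsletter"))
    print("order fulfilment permitted:", led.is_permitted("user-1001", "order_fulfilment"))
    print(led.accountability_report())
```

Because withdrawal is recorded as a new event rather than by deleting the grant, `is_permitted(..., at=...)` can reconstruct what was allowed on any past date, which is what an accountability query from a DPO or supervisory authority actually asks. A production version would persist the events to tamper-evident storage and expose them through the API mentioned above; this sketch keeps them in memory only.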
Privacy and IT teams will have to work together to create that dialogue framework, whether through some kind of internal development effort or through engagement with a commercial vendor. Luckily, as we've seen, the privacy technology market is exploding with options. A thorough scan of the marketplace should uncover some ways of accomplishing this goal relatively quickly if there is budget available.