TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tech | The GDPR and consent interfaces: A technician's view Related reading: AI offers opportunity to increase privacy for users



From an IT technician's point of view, those of us tasked with operationalizing mandated transparency and consent requirements from the EU General Data Protection Regulation before the May 25 enforcement threshold face a formidable challenge. 

While EU users and regulators will be able to evaluate compliance with new GDPR rules by simply viewing any public-facing data ingestion screens, as IT staff - who craft and maintain those screens - we lack concrete requirements as to what actually needs to be changed or added at our existing user "touch points" to achieve and demonstrate compliance.

Experience tells us that IT implementations based upon ill-defined and amorphous specs often end poorly, yet the May deadline looms, and a strategy of inaction risks heavy sanctions as well as brand damage for the enterprise.

What to do?

For an answer, it is useful to step back and analyze the GDPR holistically, and from the standpoint of the EU leaders who drafted and enacted it in 2016. What were the overriding goals they sought to achieve through this legislation? In terms of privacy protection for their EU constituents, what are the most important long-term outcomes that will act to make this regulation an unqualified success for regulators and a privacy win for EU citizens?

First, look at the negative pronouncements in the GDPR. The framers explicitly sought to eliminate the common practice of citizens having to give up personal information without first being properly informed (see Article 12). They explicitly sought to eliminate the reality of citizens left without effective and informed choice (Article 7). And they sought to eliminate data controllers and processors acting without appropriate permission, leaving citizens with no control as their personal data was transferred to third parties and beyond (Rec. 32).    

On the positive side, they created new standards for defining, obtaining, and maintaining consent (Articles 4,6); codified a number of new individual privacy rights for citizens; and mandated that citizens be advised of those rights on a regular and fully visible basis (Articles 12-21).

There is a common thread running through each of these initiatives. These new GDPR mandates all imply a bidirectional conversation or “touch-point dialogue” between enterprise and user. No longer can an inscrutable privacy policy and a pre-ticked “I Agree” box serve as adequate permission for processing personal information. No longer is personal information gathering “the sound of one hand clapping.” Now the user has a seat at the table and can participate as an active party in the PI exchange.  

So, what can IT do today as the compliance deadline approaches?

I believe implementing a touch-point dialogue structure at the enterprise’s public-facing personal data ingress contact points is a practical, essential and initial step for implementing and demonstrating GDPR compliance. Implementing such dialogue capability publicly demonstrates solid commitment to the spirit of the Regulation, while putting the framework into place for expanding and optimizing the enterprise’s compliant UI/UX as guidance and codes of conduct become better defined over time. It signals publicly that the enterprise cares about citizens’ privacy and is reaching out as a best practice to build user trust.

Some boxes to check either with an internal or external solution might include: compliant transparency and notice support; an application programming interface to facilitate integration with existing enterprise infrastructure; full Article 6 processing flexibility; comprehensive consent flow support; rights presentation and negotiation support; user and administrative dashboarding; dialogue-event logging; and DPO/DPA accountability reporting.

Privacy and IT teams will have to work together to create that dialogue framework, whether through some kind of internal development effort or through engagement with a commercial vendor. Luckily, as we've seen, the privacy technology market is exploding with options. A thorough scan of the marketplace should uncover some ways for accomplishing this goal relatively quickly if there is budget available. 

photo credit: William Hook iPhone X - Notch via photopin (license)


If you want to comment on this post, you need to login.

  • comment Pascale Tardif • Jan 17, 2018
    Dale, you are right. There is lots of work for IT professionals in the pipeline. Software requirements for the design of new software is the tip of the iceberg and the first challenge. Legacy software, databases, and operational procedures such as backup procedures should also be on our lists.
  • comment Piotr Foitzik • Jan 18, 2018
    Dale, it is a great article, and I fully agree that it is useful to consider 'overriding goals they sought to achieve through this legislation'. I think we will see a proliferation of all sort of privacy dashboards soon.
  • comment Remy Lang • Jan 22, 2018
    Hi Dale, thank you for this PoV. Maybe you can help me understand the following. I'm wondering how/where you see the flexibility in the "full Article 6 processing flexibility" you mentioned. Article 6 GDPR seems to me quite "rigid": you either have one or more of the principles available for your processing, or your processing is not lawful. And secondary processing can only be lawful 'if'. I'm not sure where I can find the flexibility you mention.
  • comment Remy Lang • Jan 22, 2018
    One other question re the "rights presentation and negotiation support." I just don't understand what you're trying to say here, particularly the negotiation support part. :) What does it mean to you and how do you see it implemented? Thank you for taking the time to write this article and responding to these questions.
  • comment Dale Smith • Jan 23, 2018
    Mr. Lang:
    My apologies for the confusion in my post.  My first sentence "From an IT technician's point of view ... " is the key.  I am a techie, and I am referring to a real-world consent management solution.  The Article 6 flexibility I refer to is the flexibility of a robust solution (which I describe generically in paragraphs 11 and 12) to support an effective touchpoint dialogue without regard to which of the six bases for processing is used by the enterprise.  
    Regardless of which of the six is chosen, the obligation is always there to present individual rights and support a dialogue between user and enterprise around their exercise (I used the term "negotiation").
    If you wish to discuss offline, I can be more specific.  Thanks for your interest and comment..
    Dale Smith, CIPT