When the team at PactSafe examined the EU General Data Protection Regulation 18 months ago, they took a look at what the rules were mandating around consent and discovered an interesting opportunity. The company’s platform, which had been used to collect electronic signatures and track the acceptance of online contacts, could also help organizations gather and track consent under the GDPR.
This is what ultimately led to the creation of the PactSafe Consent Management platform.
PactSafe Legal Solutions Consultant Kyle Robbins spoke with Privacy Tech about the creation of the platform and provided a demo on the inner workings of their GDPR solution.
The platform has been designed to sit on top of a company’s existing tools. During the demo, Robbins created an account on a website’s page and agreed to its privacy policy. From there, Robbins went to PactSafe's consent management dashboard, where users have their own profile. Data controllers and processors can then see when that user agreed to the policy and which version they agreed to.
Organizations using the dashboard can then put all of that information into one document.
“What we create is an electronic record of consent. What we create is a summary of those policies or statements, whatever they may be, and then we basically show how they opted in, where they opted in, what the collection methods were, what jurisdiction they are in, and that can either be browser automated or you can select a jurisdiction,” said Robbins.
Within the dashboard is the contract library, where companies can see each version of their privacy policies, including how long they were in effect and the date each version was created. The dashboard gives its users the chance to view different analytics, including opt-in and opt-out rates for a given day and for each iteration of the policy. Users can also see each of the pages on the internet where their privacy policies currently reside.
[Image: The PactSafe Consent Management dashboard]
If an organization needs to make a change to its privacy policy, it can edit the policy and push the update to each of the pages holding the policy. Within the data subject’s profile, if they have not agreed to the latest version of the policy, the platform will say so by placing a red dot on top of the new policy. The next time they log in, the API will require them to reaccept the policy. Once they do, a green light will appear, meaning they are fully up to date.
“Any place that we detect a user is returning, instead of presenting them with the ability to re-consent, we can show them language that says they have already opted into this privacy policy, and give them the ability to opt out by sending them to our legal center,” said Robbins. “Most organizations don’t want to do that, but it’s a best practice and encouraged under the GDPR to make it as easy to opt out as it is to opt in.”
Robbins described PactSafe as a product-first company, and he believes that approach, plus their background creating similar solutions in the past, puts his company ahead of the game compared to other GDPR solutions.
One aspect Robbins points to is usability, calling the consent management platform system-agnostic.
Robbins said PactSafe’s commitment to a singular aspect of the rules allows it to avoid the problems its customers describe with other GDPR solutions. In conversations with their clients, Robbins said a common complaint is that “all-in-one” GDPR providers often force them to go down one road for compliance, when in reality, those efforts need to be far more versatile.
“We’ve tried to be flexible. A lot of problems that we have seen with GDPR products is actually at the integration point. A lot of these solutions aren’t sure how to get in there and integrate,” said Robbins. “They do too many things. PactSafe is focusing on doing one thing and doing it well, and it is consent. We are very API driven, which means if you don’t like our UI elements, you don’t have to use them.”
[Image: The contract library within the platform.]
While Robbins said he considers himself and PactSafe to be well-versed in the GDPR, he acknowledges they did not get there overnight. The company got to where they are today by seeking out help.
“We are all working in a vacuum here. No one knows exactly how GDPR is going to be interpreted. We all just have the best guidance that has been handed to us. We try to seek out the best resources we possibly could,” said Robbins. “We talked to GDPR consultants that are outside of our house. Then we really just reached across a wide breadth of knowledge to understand how we can help our customers interpret this best.”
With the GDPR implementation date right around the corner, Robbins said PactSafe will be paying attention to the first 60-to-90 days following May 25 to see how regulators act, and how their customers respond, before making any tweaks to their platform. One of the goals for PactSafe is to help their customers implement the platform faster than the 14 days it normally takes.
Robbins knows companies will be panicked after May 25 passes, but he and his company will have their ears to the ground, ready for whatever comes next.