GDPR offers great new opportunities for data managers
We are only a few weeks away from the European Union’s General Data Protection Regulation (GDPR) coming into force. GDPR’s main objective, as stated by the European Commission, is to drive data protection excellence to reinforce consumer trust in the digital economy. This means giving the power back to the individual by allowing them to define precisely what may or may not be done with their personal data. «Data blank checks» will not be possible anymore.
The new regulation will change the way companies manage their data, and data managers will play a central role in its implementation. With its strong emphasis on transparency and consent, GDPR offers great opportunities for data managers to initiate and drive ambitious data governance projects and to push for an overhaul of applications and data architectures. The regulation provides a strong compliance argument, which will make it easier for data managers to get management on board.
GDPR Capability Model by the CC CDQ
The GDPR Capability Model developed by the CC CDQ over the course of 2017 helps data managers identify areas for action and structure projects and initiatives. The model builds on a review and interpretation of legal texts, official guidelines, and industry practice reports. It was validated during break-out sessions and in bilateral projects. The model provides an action-oriented view of the capabilities that need to be built up and established in order to comply with GDPR's set of requirements. The capabilities refer to both processes (e.g. handling access requests or documenting processing activities) and technical measures (e.g. data identification or data removal). They feature legal references and a description of implications, which data managers can use to communicate their ideas to a broader audience.
The model also assists data managers in identifying (re-)design areas and, with the help of a maturity assessment model (the development of which starts in March), in monitoring progress. As we continue to investigate the topic in 2018, we will be holding break-out sessions revolving around key concerns in implementing GDPR (e.g. consent management and data classification). The sessions will also feature best-practice presentations.
GDPR at a glance
GDPR requires organizations to consistently document:
- the personal data they hold about their customers (i.e. the scope – e.g. list of recorded attributes),
- how the data was acquired (i.e. the origin – e.g. online form or e-mail),
- how it was and is processed (i.e. the modalities – e.g. advanced analytics),
- to what end it is processed (i.e. the purpose – e.g. targeted marketing),
- and who it is shared with (i.e. the transmission – e.g. third parties, such as cloud service providers).
This information must be available for disclosure to authorities (describing an organization’s overall data processing practices) and individuals (e.g. when exercising the right of access) alike and at any time.
Organizations must also overhaul the way they seek consent for processing personal data of their customers, and make sure that consent can be renewed or withdrawn. Consent requests must be presented separately from general agreements, use simple language (i.e. legal and technical terms must be avoided), and feature visuals/pictograms, if possible. Consent to non-essential processing activities must be proposed as granular, opt-in items (e.g. one unticked box per processing activity in the case of an online form). Finally, organizations must document when and how consent was given.
Consent obtained before GDPR comes into effect remains valid only if the organization can prove it was obtained in compliance with the aforementioned principles. In the specific case of digital marketing, the following alternatives should be considered:
- If newsletters are sent following a business transaction, and provided that opt-out mechanisms are in place, there is no need to refresh consent.
- In other cases (i.e. if consent was not obtained in accordance with GDPR’s principles or was not explicitly documented), it must be refreshed before sending any more newsletters.
In 2018, the CC CDQ will be working on selected aspects of GDPR that are particularly relevant from a data management perspective. The first aspect is consent management, which was discussed by the participants of the CC CDQ Workshop in a breakout session in February 2018.
GDPR aims at making sure that individuals always know about and stay in control of what is done to their personal data. This makes consent management one of the major data management capabilities for companies to develop. Two major aspects need to be considered:
- how to seek consent from individuals, and
- how to handle it.
GDPR requires organizations to be transparent and specific in the way they seek consent from individuals. To do so, organizations must make sure they comply with three main principles (see also GDPR, recitals 25, 32, 39, 58, and article 7):
- Individuals must give their consent "unambiguously" and "freely", by "a clear statement or affirmative act". GDPR defines consent (article 4(11)) as a freely given, specific, informed and unambiguous indication of the individual's wishes, and organizations must be able to demonstrate that such a statement or affirmative act took place; explicit consent is additionally required in specific cases, such as the processing of special categories of personal data (article 9). This means that implicit consent (i.e., the individual remaining silent or inactive) is not sufficient anymore (see Figure 1). Opt-in is the rule; pre-ticked boxes or "select to opt-out" mechanisms are not considered valid consent. Furthermore, consent must be given freely. Organizations may outline the benefits of consenting to specific data processing activities (e.g., location-aware services, personalized recommendations), but they must not coerce individuals, nor make a service conditional on consent to processing that the service does not require (article 7(4)); incentives such as discounts or gifts that in practice penalize a refusal undermine the requirement that consent be freely given.
- Consent must be "specific" and "informed". Organizations seeking consent from individuals must specify in clear and understandable language (including illustrations, if possible) what they intend to do with the personal data. They must provide clear information regarding consent by using headings such as "what we do with your data" or "how we use your data". This way, individuals get the chance to either give their approval or refuse to do so.
- Consent must be "clearly identifiable" and "concise". If obtained through a written declaration (either electronically or on paper), the consent request must be presented in a way that clearly distinguishes it from other matters. Organizations are not allowed to bundle consent into their general terms and conditions.
Figure 1 - Doing it wrong
The online form presented in Figure 1 is problematic for two reasons:
- Although you may guess that this company will send you its current e-mail newsletter after entering your information and pressing the send button, this is not written anywhere. This is a textbook example of implicit consent, which under GDPR is no longer considered valid.
- The form also requests information about your job and your company. Such information, however, is not necessary at all to download something from the Internet. The company gives no explanation as to why it asks for this information and how it will be used.
The bottom line is: Using an online form like this one, the company will not be able to prove that an individual has actually given their explicit consent to anything whatsoever.
From a system perspective, consent details as specified by the individual must be recorded, updated, distributed and enforced. This is the logic behind the four consent-related capabilities specified by the CC CDQ in its GDPR Capability Model (see figure below):
- Implement consent items: To be recorded, consent items must first be translated into machine-readable attributes. Seeking consent from individuals basically means asking them to answer yes-or-no questions regarding the processing of their personal data. Each question should correspond to one recordable attribute. While the technical implementation relates to systems and applications, the design of these yes-or-no questions should be handled at the business level. As GDPR requires companies to thoroughly document all data processing activities, the definition of these consent items could be integrated into the documentation process.
- Collect consent instances: At the point of data collection, an organization must provide specific information on how it will process personal data. This information should be provided in accordance with the principles listed above.
- Distribute consent details: Organizations must make sure that consent details as specified by the individual are distributed to every system processing personal data. To keep track of the systems affected, the system and application landscape should continuously be documented.
- Enforce consent-compliant data processing: Consent details must be readable by back-end and front-end systems. For example, if a customer has opted out of profiling and targeted marketing, analytics applications that plug into a CRM should be able to read the consent item expressing the opt-out, and skip that customer's data when running.
Figure 2 - Consent-related capabilities
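The four capabilities above describe a data flow: consent items defined at the business level, consent instances recorded at collection, a current state distributed to every processing system, and a check enforced before processing. The following is an added illustration of that flow in Python; it is not CC CDQ code or part of the GDPR Capability Model. The consent items, subject identifiers and source names are constructed for the example, and the store is an in-memory, append-only log so that the history (when and how consent was given or withdrawn) is never overwritten. Note that an individual who never answered a question has no consent, which is how the opt-in rule is enforced.

```python
"""Added example (not CC CDQ code): a minimal consent store that records
consent instances, distributes a current-state snapshot to downstream
systems, and lets an analytics job skip data subjects who have not opted in.
All consent items, subject ids and sources below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# 1. Implement consent items: one yes/no question per non-essential
#    processing activity, defined at the business level (hypothetical set).
CONSENT_ITEMS: Dict[str, str] = {
    "newsletter": "Send me the monthly e-mail newsletter",
    "profiling": "Analyse my purchases to personalise recommendations",
    "partner_sharing": "Share my contact details with partner companies",
}


@dataclass(frozen=True)
class ConsentInstance:
    """One answer given by one individual to one consent item."""
    item: str
    given: bool            # True = opt-in; False = refused or withdrawn
    timestamp: datetime    # when the answer was given (UTC)
    source: str            # how it was given, e.g. "web_form_v3"
    text_shown: str        # the exact wording the individual saw


class ConsentStore:
    """Append-only log of consent instances, keyed by data subject."""

    def __init__(self) -> None:
        self._log: Dict[str, List[ConsentInstance]] = {}

    # 2. Collect consent instances: record the answer together with the
    #    information shown, the channel and the time, so it can be proven.
    def record(self, subject_id: str, item: str, given: bool, source: str,
               timestamp: Optional[datetime] = None) -> ConsentInstance:
        if item not in CONSENT_ITEMS:
            raise ValueError(f"unknown consent item: {item}")
        instance = ConsentInstance(
            item=item, given=given,
            timestamp=timestamp or datetime.now(timezone.utc),
            source=source, text_shown=CONSENT_ITEMS[item])
        self._log.setdefault(subject_id, []).append(instance)
        return instance

    def withdraw(self, subject_id: str, item: str, source: str,
                 timestamp: Optional[datetime] = None) -> ConsentInstance:
        """Withdrawal is a new instance with given=False; history is kept."""
        return self.record(subject_id, item, False, source, timestamp)

    def has_consent(self, subject_id: str, item: str) -> bool:
        """Opt-in is the rule: no recorded affirmative act means no consent."""
        answers = [i for i in self._log.get(subject_id, []) if i.item == item]
        if not answers:
            return False
        return max(answers, key=lambda i: i.timestamp).given

    def export(self, subject_id: str) -> List[dict]:
        """Full history for an access request or audit: when, how, what text."""
        return [{"item": i.item, "given": i.given,
                 "timestamp": i.timestamp.isoformat(),
                 "source": i.source, "text_shown": i.text_shown}
                for i in self._log.get(subject_id, [])]

    # 3. Distribute consent details: a flat yes/no state per subject and item
    #    that a CRM or analytics system can load without the history.
    def snapshot(self) -> Dict[str, Dict[str, bool]]:
        return {subject: {item: self.has_consent(subject, item)
                          for item in CONSENT_ITEMS}
                for subject in self._log}


# 4. Enforce consent-compliant processing: an analytics job filters its input
#    by the distributed state before touching any record.
def consented_subjects(snapshot: Dict[str, Dict[str, bool]], item: str) -> List[str]:
    return sorted(s for s, items in snapshot.items() if items.get(item, False))


def demo() -> List[str]:
    """Constructed scenario: who may be included in a profiling run?"""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
    store = ConsentStore()
    store.record("alice", "newsletter", True, "web_form_v3", t0)
    store.record("alice", "profiling", True, "web_form_v3", t0)
    store.record("bob", "newsletter", True, "web_form_v3", t0)   # said nothing on profiling
    store.record("carol", "profiling", True, "paper_form", t0)
    store.withdraw("carol", "profiling", "withdrawal_link", t1)   # later opt-out wins
    return consented_subjects(store.snapshot(), "profiling")      # ['alice']


if __name__ == "__main__":
    print(demo())
```

Bob is excluded although he never refused, because silence is not consent; Carol is excluded because the latest instance for the item is a withdrawal, and her export still shows both the opt-in and the withdrawal with their sources and times.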
More information on the GDPR Capability Model is available in a detailed report, named “Data Protection from a Data Management Perspective – The Case of GDPR”. The report can be accessed by CC CDQ members 24/7 in the knowledge base.
Seeking and obtaining consent from individuals is a major prerequisite for processing personal data. However, consent is not the only legal basis: even without it, processing of personal data may be justified by a legal obligation, a contract, or an organization's legitimate interests. You can find useful information about the latter in the Data Protection Network's "Legitimate Interest Guidance" document (pages 10 to 14 provide concrete examples).
For any inquiry, or if you would like to take part in one of our sessions, please contact Clément Labadie. We especially encourage our CC CDQ members to submit their «burning questions», which will be discussed in the break-out sessions.