What will you do if your customers decide they do not want you to process their personal information? Do you put up a no entry sign around your digital estate and refuse admittance until they agree? Or are there alternative ways to lead individuals towards an acceptance that the data-value exchange on offer is fair, transparent and in their interests as well as yours?
The Information Commissioner’s Office is holding open consultations on how it will ultimately enforce GDPR rules on consent and has offered all parties until 31st March to comment. For commercial organisations, the draft guidance already published indicates what the ultimate intention will be and establishes a scope for any GDPR programme. In particular, it makes three considerations essential:
Setting boundaries on legitimate interest - consent to data processing is not required if the business can show it needs to process personal data for a legitimate reason, which includes deriving a commercial benefit. Where this gets complicated is when the boundaries of that legitimate interest are hard to define. Consider an online publisher whose core activity is providing news and content, paid for by advertising revenues. A visitor may expect to see news headlines without providing any personal data, for example, yet without that data, targeting ads or personalising the content is not possible. So gaining consent by clearly explaining the business model - much as The Guardian and Channel 4 have done - opens the pathway for a consent-driven relationship where the exchange is clear. If your business model currently relies on keeping the commercial benefit hidden from data subjects while claiming legitimate interest, such as monetising their personal data through onward sharing, things will need to change.
Defining the third-party data chain - you don’t have to be a charity to be involved in sharing data with third parties. Virtually every website or app has a data chain built in, not all of which is visible to the first-party business, let alone the data subject. Ad networks and their trackers are a prime example. Currently, websites publish lists of the cookies which are dropped and often use the catch-all term “and other similar services”. GDPR both treats cookies and the like as personally identifiable information and requires that all third parties are named. Mapping this data chain is not only challenging - deciding whether to include these parties in the first-party consent or requiring them to win their own is a C-level decision.
Setting a time limit on consent - if consent has been obtained, it must be limited to the specific purpose. That means having a deletion policy and re-permissioning strategy. But firms also need to make consent as easy to withdraw as it was to grant. That is both a technical challenge and a threat to many processes - if you base a marketing strategy on the assumption of a certain volume of permissioned names only to discover that a percentage have changed their mind, it will cause problems. Brands will need to be in the market for consent on a perpetual basis to keep their customers onboard and their marketing on track.
These are significant challenges for many commercial organisations and hold a degree of difficulty for all. Providing the ICO with an insight now into what the impact of new rules on consent will be come next May could be the best way to spend the next two weeks.