So, with just one week to go before GDPR enforcement begins, what is your attitude towards your customers and their potential to exercise newly-granted or enhanced rights over their data? If you have really understood the intention of the Regulation and also heard the mood music among the general public, then Friday 25th May 2018 should be when you choose to walk down the aisle in a new and promising union.
As Peter Galdies, director of DQM GRC, says: “The opportunity is to create new, open, honest and transparent methods of collecting and using data which in turn will build stronger, more loyal relationships with customers.”
Like any relationship, this one is going to need work, not least because of the presence of the Information Commissioner’s Office scrutinising how firms are responding to the new law. Rather like living with your new spouse’s parents after getting married, it will be a balance of being on your best behaviour and ensuring that your worst is kept well under control.
Just as wedding ceremonies are the public vows a couple makes in front of witnesses, so are privacy notices and the collection of consent in the context of data protection. Brands need to say what they mean and mean what they say.
As Galdies explains, this involves some plain speaking: “When seeking consent, controllers should ensure that they use clear and plain language in all cases. This means a message should be easily understandable for the average person and not only for lawyers.”
Developing the relationship in keeping with those vows should be based on an understanding of what is being demanded. That is not easy, given the complexity of the law. There are 30 mandatory requirements in GDPR around consent and its management, ranging from delivering a service even if consent is refused, through requiring a clear affirmative action, to making withdrawal of consent as easy as granting it.
In addition, DQM GRC has identified 14 examples of best practice that organisations should consider adopting, such as using different treatments for differing audiences and ensuring that consent is capable of being refreshed rather than being viewed as once-for-all-time.
While much of the current focus around updating privacy notices has involved email (and direct mail), the primary interface with new customers will be the website. In the online context, obtaining consent from internet users via their browser settings (as the forthcoming ePrivacy Regulation may mandate) is much discussed, not least because it could engineer out some of the clunkier aspects of the process.
If adopted as an approach (which may require an industry-level standard and/or engineering development by the software vendors), such settings should be in line with the conditions for valid consent in the GDPR, for instance that consent should be granular for each of the envisaged purposes and that the right information needs to be provided, such as naming the data controller. That will probably require more complex settings panels and sets of sliders than are currently found inside the privacy panels of existing browsers.
As the risk of “click fatigue” grows with consumers facing a blizzard of updated privacy notices, it is to be hoped that novel methods will be developed, either leveraging behavioural insights to nudge consumers towards consent or using new technology that will make the process much slicker and more frictionless.
But Galdies points out that this risk of consumers becoming “consent blind” is not an excuse for ducking the requirements set by GDPR. That means that when layering privacy notices, for example, the implications of agreeing cannot be buried several clicks down. “The data subject should be able to understand from information contained in the first layer what the consequences of the processing in question will be,” he says.
What this inevitably leads towards is the introduction of a privacy centre or consumer preference centre where the options are laid out and can be adjusted at any time by individual users. A privacy dashboard of this type is a single point from which data subjects can view privacy information and manage their privacy preferences by allowing or preventing their data from being used in certain ways by the service in question.
This is particularly useful when the same service is used by data subjects on a variety of different devices as it gives them access to and control over their personal data no matter how they use the service. Allowing data subjects to manually adjust their privacy settings via a privacy dashboard can also make it easier for a privacy notice to be personalised by reflecting only the types of processing occurring for that particular data subject.
Incorporating a privacy dashboard into the existing architecture of a service (for example, by using the same design and branding as the rest of the service) is preferable because it will ensure that access and use of it will be intuitive and may help to encourage users to engage with this information, in the same way that they would with other aspects of the service. This can be an effective way of demonstrating that privacy information is a necessary and integral part of a service, rather than a lengthy list of legalese.
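As an added example (not code from the article or from DQM GRC), here is a minimal per-purpose consent store of the kind a privacy dashboard would sit on top of. It assumes a hypothetical controller name and a one-year refresh policy, and shows the granular, withdrawable, refreshable consent the text describes together with a personalised first-layer notice that names the controller and lists only the processing that actually applies to that data subject.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CONTROLLER = "Example Ltd (constructed name)"   # the notice must name the controller
CONSENT_VALIDITY = timedelta(days=365)           # assumed refresh policy: not once-for-all-time


@dataclass
class ConsentRecord:
    granted: bool
    notice_version: str      # which version of the notice the subject saw
    recorded_at: datetime    # when the choice was made (for audit and refresh)


@dataclass
class PreferenceCentre:
    """Per-purpose consent store behind a hypothetical privacy dashboard."""
    purposes: dict                                   # purpose id -> first-layer consequence text
    records: dict = field(default_factory=dict)      # purpose id -> ConsentRecord

    def grant(self, purpose, notice_version, now):
        # Consent exists only after an explicit affirmative action; nothing is pre-ticked.
        if purpose not in self.purposes:
            raise KeyError(f"unknown purpose: {purpose}")
        self.records[purpose] = ConsentRecord(True, notice_version, now)

    def withdraw(self, purpose, now):
        # Withdrawal is one call, as easy as granting; the old notice version is kept for audit.
        prev = self.records.get(purpose)
        version = prev.notice_version if prev else "none"
        self.records[purpose] = ConsentRecord(False, version, now)

    def is_valid(self, purpose, now):
        # Valid only if granted and not older than the refresh window; absence means no consent.
        rec = self.records.get(purpose)
        return bool(rec and rec.granted and now - rec.recorded_at <= CONSENT_VALIDITY)

    def due_for_refresh(self, now):
        # Granted purposes whose consent has aged out and must be re-sought, not assumed.
        return [p for p, r in self.records.items()
                if r.granted and now - r.recorded_at > CONSENT_VALIDITY]

    def personalised_notice(self, now):
        # First layer: name the controller and show only processing occurring for this subject.
        lines = [f"Controller: {CONTROLLER}"]
        for purpose, consequence in self.purposes.items():
            if self.is_valid(purpose, now):
                lines.append(f"{purpose}: {consequence}")
        return lines
```

The core service is never gated on these records; only the optional purposes are, so refusing consent does not block delivery.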
As brands stand up in front of the market to declare the terms on which they are committing to customers, those customers will in turn have some demands of their own, such as data access and the right to change their minds. As with any marriage, both parties need to enter into it with an honest intent and a clear understanding of what is involved.
This article is the ninth in a ten-week series by DataIQ in association with our GDPR partner, DQM GRC. For more information on the solutions it offers, visit dqmgrc.com.