GDPR : Consent is king.
The European General Data Protection Regulation or GDPR is coming and these days, everybody is talking about consent.
The European Union is very keen on protecting its citizens from companies’ wrongdoing. As the digital economy keeps developing, personal data has become a very valuable resource for marketing and sales departments. The more you know about you customers, the more you are able to adapt your products to their needs or to create your marketing campaigns in a way that will be heard and seen by most.
But the European view on personal data has always been different from the American view : the EU point of view favors the “personal” side of the expression whereas the US point of view focuses on “Data”.
Therefore, for the EU regulator personal data is property of the European user and the user must have control on it. This control is, of course, effective wherever the European user goes. The European regulation therefore applies to any company that may collect personal data from a European user.
Let’s get practical
Now, GDPR compliancy is mandatory on May 25th. The clock is ticking so let’s get practical. When speaking about GDPR, there are three types of businesses:
The Example-setters: fully prepared, they have been studying the regulation line by line. Some of us are like that, the whole company is already fully compliant: software has been updated, tested and pushed into production, teams have been briefed, people have followed trainings, a Data Protection Officer is appointed. Actually, for such businesses, GDPR is a settled topic.
The Rushers: Lack of time, resources or understanding, these companies are willing to get passed the deadline of May 25th, but they are running late and do not know exactly how to make sure they comply. If your business’ approach of GDPR is similar to this description, you are part of the majority. You have to know that time is running but you still can achieve a full compliancy or be on the right tracks by May 25th, which is paramount to avoid fines.
The Slackers: With a very laid back approach, a few companies are in a wait-and-see position. This is a bold strategy as the European regulatory bodies have already expressed their lack of understanding for companies that won’t have made anything to comply with the regulation.
Where do you think your company sits? If you are among the few that are already compliant, you have earned our congratulations: the journey was not that easy for early adopters ! One advice if we may: check your position one last time before May 25th. Just in case : you may have missed something.
If you company’s position lies in one of the two other cases, you will be interested by the following data.
The consent principles.
GDPR compliancy is a journey with many steps, but we can summarize it with a few principles.
First, you need to get the explicit consent of your audience before you collect any personal data. This iron rule has two major consequences:
- Consent must be explicit : an opt-out system does not fit the requirement. If you collecting feature begins with an opt-out, you need to reverse it into an opt-in.
- It is still allowed to collect data - without any consent - that cannot be linked to an individual
The consent collection needs to be on all data sources : it needs to be on any page of your web site where personal data is collected. It also needs to be on the mobile version of your website, your app and so on.
It also needs to be stored in your Data lake : you must be able to prove you get the consent of any individual.
Second, any European citizen has the right to revoke one’s consent and ask you to delete its personal data, no questions asked. The feature needs to be accessible, simple, effective, following two rules :
- All personal data must be deleted
- All data that cannot be linked to any individual can stay
Of course a full GDPR-compliancy encompasses a wider range of topics and modifications in your digital environment but concerning a consent management, you will be on right tracks if your system is compliant with the general principles listed above.
Of course, we have some in-depth knowledge about a consent management compliant with GDPR : Jahia is a swiss-based company, working for several European organizations. We have to comply ourselves to GDPR compliant and we have also created GDPR compliant software for our clients. We have developed a Consent Manager as well as a Privacy Manager, embedded in our A/B testing and personalization solution. It takes care of all aspects of the consent collection feature and personal data management in a Jahia based website. Feel free to contact us for more information!