Permission Impossible?

I recently took part in a training event for a local council which, for the last 2 years, has put on an ‘Information Awareness’ week for its staff: various training sessions all week revolving around a certain theme. Last year the sessions revolved around the theme of game shows and this year the theme is films.

I was lucky enough to draw ‘Per-mission Impossible’, which would be looking at the subject of consent & permissions in their various forms. I make a point of not naming organisations I work with, but credit for the title of this blog must go to them.

We had some really interesting discussions around what people believe are the current pitfalls and benefits of consent, and what people think of the proposed new world of consent as put forward by the European Union (EU).

We started with the current world and looked at the guidance from the ICO. Currently, the ICO’s Guide to Data Protection states:

“Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual’s consent as: …any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

This is primarily aimed at controllers that are looking to use consent as a justification for processing of personal data, especially and more explicitly where that data is sensitive in nature.

Bearing this in mind, there is then a conversation to be had around what that actually means in the real world. You know, that world where you have a data subject on the phone or sat in front of you who is more interested in resolving their query or issue than in understanding what is happening with their personal data. Personally, I’ve always seen the matter of consents and permissions as a customer service area. Yes, there are things that we must do as part of compliance and demonstrate as part of our compliance; however, the method and delivery should very much be aligned with the customer service standards and processes of the organisation. As the phrase goes, “tax doesn’t have to be taxing”; well, “permissions don’t have to be a mission”. (I know, it was the best I could come up with on short notice.)

If you treat the gaining and subsequent management of permissions as a “compliance task” then that mind-set will always see it as a nightmare and a hurdle to overcome. However, if you approach it as you would any other aspect of customer service and apply good customer service principles, you will get much closer to a compliant permissions model. It also puts you in a good position for the future.

Another aspect of the discussion around permissions and consent management involves the question of how to effectively manage a consent or permission regardless of the channel in which it is being obtained.

Regardless of the channel in which you communicate with the data subject, the only effective method for tracking consents / permissions is an electronic database that either forms part of or interacts with your main customer database. But with that comes a series of concerns around ensuring that this system is kept relevant and up to date. For example, in a large organisation where a customer speaks to some random part of the organisation and expresses a preference, how do you ensure that the preference is captured and updated accordingly?

These are valuable discussions to be had now because, as I run through below, the requirement to effectively and clearly demonstrate that you are doing the above becomes more important when the EU Data Protection Regulation comes in.
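To make the cross-channel concern above concrete, here is an added example (my own illustration, not code from the council or the original post) of a minimal append-only consent ledger. Every channel (phone, web, post, counter) writes the same kind of event; the current position for a purpose is derived from the latest event by capture time, not by the order records happened to arrive in, so a late-keyed postal form cannot silently overwrite a newer phone call; and the ledger can produce the evidence (when, where, by whom, against which wording) that the later parts of this post say organisations will have to demonstrate. All names, dates and records are constructed for the example.

```python
"""Added example: an append-only, cross-channel consent ledger.
Every identifier and sample record below is constructed for illustration."""

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str          # customer reference (constructed)
    purpose: str             # e.g. "marketing_email", "marketing_phone"
    granted: bool            # True = opt-in, False = withdrawal / opt-out
    channel: str             # where captured: "phone", "web", "post", "counter"
    statement_version: str   # version of the wording the person agreed to
    recorded_at: datetime    # when the preference was captured (UTC)
    recorded_by: str         # staff member or system that captured it


class ConsentLedger:
    """Events are appended, never edited or deleted. The current state for a
    (subject, purpose) pair is the event with the latest capture time, which
    keeps the full history from every channel available as evidence."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        # Refuse naive timestamps: evidence across channels and time zones
        # is only comparable if every capture time is unambiguous.
        if event.recorded_at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        self._events.append(event)

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        matching = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose]
        # Latest by capture time, not insertion order: a postal form keyed in
        # late must not override a more recent phone withdrawal.
        return max(matching, key=lambda e: e.recorded_at) if matching else None

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Default deny: no recorded consent means no permission to process."""
        e = self.latest(subject_id, purpose)
        return e is not None and e.granted

    def evidence(self, subject_id: str, purpose: str) -> Optional[dict]:
        """The record you would show to demonstrate when/where consent was given."""
        e = self.latest(subject_id, purpose)
        if e is None:
            return None
        return {
            "subject_id": e.subject_id, "purpose": e.purpose,
            "granted": e.granted, "channel": e.channel,
            "statement_version": e.statement_version,
            "recorded_at": e.recorded_at.isoformat(),
            "recorded_by": e.recorded_by,
        }

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Chronological trail of every preference expressed, across all channels."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.recorded_at)


def build_sample_ledger() -> ConsentLedger:
    """Constructed scenario: customer C001 opts in on the web, later withdraws
    by phone, and separately opts in to phone marketing at the counter.
    The phone withdrawal is keyed first to show that capture time wins."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("C001", "marketing_email", False, "phone", "v2",
                               datetime(2015, 6, 10, 14, 30, tzinfo=utc), "agent-17"))
    ledger.record(ConsentEvent("C001", "marketing_email", True, "web", "v1",
                               datetime(2015, 3, 1, 9, 0, tzinfo=utc), "webform"))
    ledger.record(ConsentEvent("C001", "marketing_phone", True, "counter", "v1",
                               datetime(2015, 4, 2, 11, 15, tzinfo=utc), "agent-04"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for purpose in ("marketing_email", "marketing_phone"):
        print(purpose, "->", ledger.may_process("C001", purpose),
              ledger.evidence("C001", purpose))
```

The design choice worth noting is that the ledger never updates a row in place: the "current preference" is a view over an unalterable trail, so the organisation can answer both "may we contact this person today?" and "show me exactly what they agreed to, where and when" from the same record, whichever part of the organisation captured it.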

Permissions of the Future: All roads lead to explicit…?

So in my last blog post I gave an update on the General Data Protection Regulation and said that I’d start to focus on individual parts. Well this is the first one and apologies it’s taken me a while.

In the Commission’s proposal for a new General Data Protection Regulation, it proposed that whenever a business relies on consent as a valid ground for processing personal data, that consent should be ‘explicitly’ given. This changes the current position, where consent only needs to be ‘explicit’ where a business wants to rely on it as a basis for processing sensitive personal data. Put simply, for processing for marketing purposes, for example (which is almost always on the basis of consent), everyone will be required to “opt in”, rather than opt out as under the current regime (for phone and post at least).

References:
European Commission Regulation Text
CH I ART 4: General Provisions – definitions (8),
CH II ART 6: Principles – lawfulness of processing (a),
CH II ART 7: Principles – Conditions for consent (1-4)

When the draft text made it through the European Parliament, the Parliament gave its backing to the new definition of ‘consent’ suggested by the Commission. It too believed that consent needs to be “freely given specific, informed and explicit” and provided “either by a statement or by a clear affirmative action”. And, in contrast to today’s requirements, the burden of demonstrating that the legal standard of ‘consent’ has been achieved would lie with organisations.

References:
European Parliament Regulation Text
CH I ART 4: General Provisions – definitions (8),
CH II ART 6: Principles – lawfulness of processing (a),
CH II ART 7: Principles – Conditions for consent (2)

In contrast, the Council said there was broad support for rules which would require organisations seeking to rely on consent to process personal data to ensure that the consent is “unambiguous”. This seems to back the broad legal standard for consent that exists under current EU data protection laws, rather than a radical change to explicit consent regardless of context.

References:
European Council Regulation Text Comparison (so far)
CH I ART 4: General Provisions – definitions,
CH II ART 6: Principles – lawfulness of processing (a),
CH II ART 7: Principles – Conditions for consent (1)

This post doesn’t explore the requirements around children’s data; however, the principle of “informed and explicit” consent is replicated there. That will be the subject of a different post, so watch this space.

Which of these texts is likely to survive, I hear you ask? Well, like most things in the world of politics, that is unclear. However, if you look at it from a numbers point of view, then 2 of the 3 approving bodies favour explicit consent and a requirement to demonstrate when and where that consent was collected. If I were a betting man I’d say that some shift towards explicit consent is going to happen, but how far is anybody’s guess.

More importantly, we should be looking at how we currently manage and capture consents today. If this is something that we don’t do (for whatever reason), then it’s time to start looking at how this can be factored into your processes, and how staff can be trained, so that it gets woven into your customer service standards.
