Consent Governance: Moving From Process to Purpose via Data Intelligence
As the dust clears since the EU GDPR came into effect, and most companies come to terms with managing their consent collection processes, many are increasingly finding themselves struggling with how to transition those consent agreements into a practical control for application processing and data holders.
Much of the focus around consent has been on the process for capturing and storing consent to serve baseline compliance requirements for logging. Unfortunately, this has deflected attention away from the more fundamental privacy engineering questions related to the purpose for collecting the consents – how to map and correlate each data subject’s multiple consent agreements into a consolidated view and assess on an ongoing basis that the consents are valid and appropriate for data collection and processing.
Enter consent governance: extending our unique capability to understand what data is associated with which specific data subjects, BigID will enable companies to perform, by data subject and per attribute, inspection of data processing for consent compliance.
Our first step in operationalizing the purpose of consent is to provide a data subject centered view of all consent agreements that are captured through multiple applications and sources. Our ultimate goal is to transform consent from a legal (and isolated) artifact into a practical and auditable data privacy control that is integral to privacy-by-design (PbD).
Dude, Where’s My Consent?
The focus of many organizations as they first began preparing for compliance with the General Data Protection Regulation (GDPR) was to get customers and consumers to provide their consent. This was evidenced by the flurry of provider emails sent in a panic ahead of the deadline.
But once consent has been collected, and logged, what next? The number of consent management products that essentially act as databases for consent agreements and preferences has proliferated in response to GDPR. These tools are typically siloed, and enterprises may be collecting multiple instances of consent for a single data subject, whether consent to use cookies and other online tracking devices under E-Privacy requirements, from multiple mobile or Web apps, or a plethora of connected devices.
Under the California Consumer Privacy Act that comes into effect in 2020, enterprises covered by the law will still have to capture the opt-out decisions and align those preferences with actual processing actions – even if the law does not eventually incorporate an equivalent requirement for explicit consent along the lines of GDPR.
The existing approaches to consent capture pose several challenges to organizations when they try to operationalize it and integrate the preferences and conditions with data processing and transfer decisions:
There are a number of challenges that existing approaches have in operationalizing consent and integrating consent preferences and conditions with data processing and transfer decisions.
• Consent Chaos
• Consent is collected from multiple sources – with limited mechanisms to consolidate or aggregate multiple consent actions by the same data subject
• Consent Policy Assessment
• Privacy managers want to be able to centrally define and evaluate compliance policies against all correlated consent records
• Consent Validity
• Tools are focused on logging consent when it has been collected, but what about identifying applications where consent has not been collected, when consent was last collected and whether data use is consistent with consent conditions?
• DSAR and Processing Activity Reporting
• For operations and privacy teams, consent management does not provide a mechanism to integrate proof of consent into data subject access requests. This makes the process manual at best and increases the risk of noncompliance
• Consent Integration for Privacy by Design
• Developers need a programmatic mechanism to embed privacy policies for privacy by design, but there is no mechanism to integrate consent into their application models
Also, and perhaps more significant for the future of data privacy, these products and services are isolated from the actual data processing and related compliance activities.
Consent Governance – Putting Purpose into Focus
BigID already provides the ability to perform checks for consent logs in consent management systems, and integrate the purpose of use information with our data inventory, Records of Processing Activity for GDPR Article 30 documentation and data subject access requests reports.
As our first consent governance capability, we will now be introducing a consent governance console that is designed to deliver a “per data subject” view into consent collection, status, and validity. By correlating consents captured at different times by different applications of different scope to an individual data subject, privacy teams and IT will now have a tool to manage, validate and report on the state of consent policies across data subjects and consent sources.
This capability extends our existing ability to address GDPR requirements for data subject rights through integrated reporting on when and how consent was captured for specific data collection actions by the data subject. Also, consumers can use this individualized and consolidated proactively flag if applications are collecting data without a valid consent agreement. Plus, this correlated view also allows us to identify where consent has been withdrawn, and data should be removed.
Similarly, by integrating consent governance with our data-first mapping of process flows across connected data sources, we can identify and document per application consent for GDPR Article 30 Records or Processing Activity and flag where consent is out of date, inconsistent with the stated purpose, or is simply not being captured.
With BigID’s new consent governance capabilities, organizations gain:
Proactive Compliance Monitoring and Policies
• Identify applications not collecting consent
• Identify data subjects whose consent is not valid, up-to-date and consistent with the purpose of use
Consent Expiry Inspection
• Find all records of data subjects with overdue consent
Data Subject Access Request
• Provide proof of consent
• Compare consent to actual purposes of use, and if purposes don’t match consent in the privacy policy
Data Mapping / ROPA
• Consent collection evidence by application
• Alert on discrepancies and initiate remediation workflow
The Future of Consent Governance
When we move from the process of collecting consent to the purpose of validating consent, it will mean that consent agreement itself also constitutes a record of what specific attributes the data subject has agreed to share, and what specific actions they have allowed to be performed on the data. As the nature of consent agreements evolve to incorporate these explicit logical parameters, so too will our ability to provide granular insights on whether individual actions on individual attributes for individual data subjects is consistent with consent parameters.
In tandem, BigID intends to deliver the foundation for consent to become a living and breathing set of constraints and input for the development lifecycle through a set of APIs and privacy policy SDK for integration of consent analysis into the applications and the data pipelines.
These initial capabilities that will be further elaborated in forthcoming releases will enable organizations to move beyond consent collection to consent governance, a consolidated approach to programmatic, machine-based by data subject and per record/attribute inspection of processing for consent compliance.