Asking for permission isn’t just good manners any more. Securing and managing customer consent for the use and gathering of their private data will soon become standard operating procedure. Whether motivated by regulatory pressure or reputational risk, enterprises will need to give customers control over how their data gets used. Consent capture and management will be key to happy and loyal customers.
But while giving customers control over consent for their personal data may be good for business, it is not always easy to apply in practice to existing workflows. Today most companies are not set up either to capture consent uniformly or to apply consent preferences when governing personal data usage. For most companies, therefore, implementing consent in data governance is a journey, one that starts with consent capture and progresses to managing data according to consent preferences and mandates.
The New Data Governance Imperative
The concept of consent management is well established in the healthcare world where compliance requirements (such as HIPAA) mandate that patients be provided with a set of options to determine who will have access to their protected health information (PHI), for what purpose and under what circumstances.
While US regulators are more recent advocates of the ‘informed consent’ model, their counterparts in the EU have long focused on customers and consumers being presented with an explicit choice about whether they are comfortable with handing over their data and agreeing to be tracked.
Customer consent is also a matter of degree, rather than an all-or-nothing proposition. Increasingly, customers are asking for more granular consent options, so that a customer may have:
- Given explicit consent to store and process their personal data
- Given explicit consent to a bounded and specific behavior-tracking data set
- Given explicit consent to sharing that data set with third parties
- Given explicit consent for third parties to use the data in specific ways
The most visible example of the sea change in regulatory attitudes is the recently issued set of proposals from the FCC to govern how ISPs and cable providers treat personal data. The FCC proposal incorporates the assumption that a certain amount of data is necessary for ISPs to provide services to their customers and to bill them. However, the intention is for consumers to make an informed decision about what they are opting in to: how their data will be used, by whom, and how it will be shared with external third parties.
Big Identity Data: Putting Consent into Practice
Ideally, the terms of consent should be transformed into a flag or data attribute that governs how customer data is processed, stored and managed throughout its lifecycle. Access permissions could be keyed off a consent profile that records each customer's consent parameters, data sensitivity could be scored differently depending on whether the data is all-access or restricted-use, and usage could be tracked and measured for compliance against EULAs and regulations.
If privacy monitoring is in place, organizations that track consent preferences can also better enforce how customer data gets accessed internally and provide insight into both history and data lineage. In turn, analytics engines can be fine-tuned in terms of what personal data they can consume, ensuring the integrity of a customer’s intent around how their personal information gets used.
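The following is an added example, not code from the article or from any product it describes, showing what "consent as a data attribute" looks like once it is enforced. A consent profile records the four granular consents listed above; an access check filters each request attribute by attribute, fails closed on unclassified data, and writes an audit entry so the decision history can later be reviewed. The attribute names, the data classification, the scoring rule and the sample customers are all constructed for illustration.

```python
"""Consent profile enforced as a data-access attribute (added example, not from the article)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Purpose(str, Enum):
    """The four granular consents listed in the article."""
    STORE_PROCESS = "store_process"          # store and process personal data
    BEHAVIOR_TRACKING = "behavior_tracking"  # a bounded, specific tracking data set
    THIRD_PARTY_SHARE = "third_party_share"  # share that data set with third parties
    THIRD_PARTY_USE = "third_party_use"      # third parties may use it in specific ways


@dataclass
class ConsentProfile:
    customer_id: str
    granted: Set[Purpose] = field(default_factory=set)
    tracking_scope: Set[str] = field(default_factory=set)        # attributes the tracking consent covers
    third_party_purposes: Set[str] = field(default_factory=set)  # uses the customer allows third parties


@dataclass
class AccessRequest:
    requester: str
    purpose: str
    attributes: List[str]
    third_party: bool = False


@dataclass
class AuditEntry:
    """One record per decision: the history that privacy monitoring and lineage tools consume."""
    customer_id: str
    requester: str
    purpose: str
    allowed: List[str]
    denied: Dict[str, str]


# Hypothetical data classification (constructed): which attributes are personal vs. behavioural.
CLASSIFICATION: Dict[str, str] = {
    "email": "personal",
    "postal_address": "personal",
    "page_views": "behavioral",
    "click_path": "behavioral",
}


def deny_reason(profile: ConsentProfile, req: AccessRequest, attr: str) -> Optional[str]:
    """Return why access to `attr` is refused, or None if the consent profile permits it."""
    category = CLASSIFICATION.get(attr)
    if category is None:
        return "unclassified attribute"  # fail closed: data of unknown class is never released
    if Purpose.STORE_PROCESS not in profile.granted:
        return "no consent to store or process personal data"
    if category == "behavioral":
        if Purpose.BEHAVIOR_TRACKING not in profile.granted:
            return "no consent to behaviour tracking"
        if attr not in profile.tracking_scope:
            return "outside the consented tracking data set"
    if req.third_party:
        if Purpose.THIRD_PARTY_SHARE not in profile.granted:
            return "no consent to third-party sharing"
        if (Purpose.THIRD_PARTY_USE not in profile.granted
                or req.purpose not in profile.third_party_purposes):
            return f"third-party purpose '{req.purpose}' not consented"
    return None


def evaluate(profile: ConsentProfile, req: AccessRequest,
             audit_log: List[AuditEntry]) -> Tuple[List[str], Dict[str, str]]:
    """Filter a request attribute by attribute and record the decision for compliance review."""
    allowed: List[str] = []
    denied: Dict[str, str] = {}
    for attr in req.attributes:
        reason = deny_reason(profile, req, attr)
        if reason is None:
            allowed.append(attr)
        else:
            denied[attr] = reason
    audit_log.append(AuditEntry(profile.customer_id, req.requester, req.purpose, allowed, denied))
    return allowed, denied


def sensitivity_score(profile: ConsentProfile, attr: str) -> int:
    """Illustrative scoring rule (an assumption, not a standard): behavioural data scores above
    personal data, and restricted-use data (not consented for sharing) scores above all-access data."""
    base = 2 if CLASSIFICATION.get(attr) == "behavioral" else 1
    shareable = Purpose.THIRD_PARTY_SHARE in profile.granted and (
        CLASSIFICATION.get(attr) == "personal" or attr in profile.tracking_scope)
    return base + (0 if shareable else 1)


def sample_profile() -> ConsentProfile:
    """Constructed sample: consents to everything, but tracking is bounded to page views and
    third parties may only use the data for fraud screening."""
    return ConsentProfile(
        customer_id="cust-42",
        granted={Purpose.STORE_PROCESS, Purpose.BEHAVIOR_TRACKING,
                 Purpose.THIRD_PARTY_SHARE, Purpose.THIRD_PARTY_USE},
        tracking_scope={"page_views"},
        third_party_purposes={"fraud_screening"},
    )


if __name__ == "__main__":
    log: List[AuditEntry] = []
    profile = sample_profile()
    print(evaluate(profile, AccessRequest("billing", "invoicing",
                                          ["email", "postal_address", "page_views", "click_path"]), log))
    print(evaluate(profile, AccessRequest("adnet", "ad_targeting", ["email"], third_party=True), log))
    print(evaluate(profile, AccessRequest("fraudco", "fraud_screening",
                                          ["email", "click_path"], third_party=True), log))
    for entry in log:
        print(entry)
```

The check is deliberately ordered so that the broadest consent (store and process) is tested first and the narrowest (a specific third-party purpose) last; a requester therefore never learns that a narrower consent exists when a broader one is missing. Because every decision lands in the audit log with its reasons, the same structure answers both "who touched this customer's data and why" and "which analytics job consumed behavioural data the customer never consented to".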
Understanding personal data access, risk and usage compliance is a key component of a customer data privacy management strategy, and consent should be an integral element of both tracking and enforcing privacy. Organizations are accumulating personal data at an unprecedented rate. Managing consent for personal data gives them a powerful method for protecting a customer's privacy.