When we talk about consent management for GDPR we quickly come to the notion of “consent for a purpose”. In the past it might have been sufficient to provide a form with a single generic consent check box and store the fact that consent was given or not. Nowadays consent is per purpose and rather specific, may change over time, and may apply to a single type of interaction or channel.
GDPR requires consent to be specific (and, for special categories of personal data, explicit). Such consent is given for a specific purpose and might cover only a portion of the personal data collected and stored. But in most IT systems, a thing like “purpose” does not exist. IT systems provide access control, process automation and ways to quickly reuse and adjust business processes, but they do not know the intended purpose of each and every transaction.
Modeling challenge
This imposes a modeling challenge when it comes to ensuring compliance with GDPR, because the data controller must be able to document all the personal data held about a person, how it is used, and the specific consent given by that individual. The difficulty is to link the purpose-based consent given by an individual to their personal data.
In many organizations sensitive data is collected and stored in different IT systems and is protected through role-based access and other application-specific features such as encryption. Data usage policies exist in some documented form and define business process usage, who can access the data, and the type of security applied to it. Consent information may come from legal documents or may be stored in IT systems. But both consent information and data usage policies tend not to be linked to the personal data itself.
This sounds trivial but in fact isn’t. Even an average-sized organization runs a multitude of applications across many different channels and locations. The challenge is not only the activity of collecting all personal data from these sources, but also the exercise of mapping all personal data to the specific consent(s) given in the past. A successful data protection program requires both: the personal data and the related specific consent, combined. With linked information, an organization can easily provide an audit trail of how personal data is used versus the consent given for the respective purpose.
Providing a complete picture
SAS proposes an approach that links consent information with data usage policies and personal data to provide a complete picture of personal information and its usage. Bringing the three elements together not only eases compliance reporting, but also allows organizations to base their marketing campaigns and other channel activities on the specific consent given by every individual.
To find and link the information from the various sources, SAS provides a step-by-step process along with tools and technology that help organizations achieve compliance with GDPR. With SAS® for Personal Data Protection, companies can immediately start managing and storing their data usage policies transparently and collaboratively in a web-based application. This is one step towards GDPR compliance and the starting point for any personal data governance.
Besides serving as a library for personal data usage policies, the solution supports continuous maintenance of policies and might also incorporate general data policies or serve as a central instance for workflow-driven incident management for personal data. To truly manage personal data, these data usage policies have to be linked with information about the data sources.
Secret recipe to make data protection officers happy
SAS® for Personal Data Protection can find personal data in many data sources by using its parsing, matching and identification capabilities to identify which sources contain sensitive personal information. A process systematically scans data sources and categorizes all personal data within the IT infrastructure to create a catalogue of personal data and where it is stored. The identified personal data elements are mapped to the appropriate personal data type and to the data usage policies applicable to them.
Finally, consent information needs to be brought into the picture. SAS® for Personal Data Protection combines consent information and personal data in a single data model and provides a data model template to store personal data records alongside their consent information, including its historic changes. The data model is ready to use for generic personal data, but is flexible enough to be tailored to individual industry or customer-specific needs.
With the ability to connect to any data source, the use of prepackaged logic and rules to systematically identify personal data, data usage policy management, and a prepackaged data model that includes consent information and personal data, the life of a data protection officer can be made much easier.
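To make the linkage concrete, here is a small illustration of the three-way join the text describes (data usage policy, personal data element, purpose-specific consent with its history). It is an added example, not SAS code and not the SAS data model template; the element names, purposes, channels, subject IDs, evidence references and sample usage records are all constructed for the illustration. Consent is kept as an append-only history, and a usage is judged against the consent that was in force at the time of use, which is what an audit trail of "usage versus consent" needs.

```python
"""Purpose-based consent ledger with policy check and usage audit.

Added illustration; not SAS code or the SAS data model. All sample
subjects, purposes, channels, elements and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

UTC = timezone.utc

# Audit outcome reasons (constants so callers can match on them).
NOT_CATALOGUED = "element not in personal data catalogue"
POLICY_FORBIDS = "data usage policy does not allow this purpose"
NO_CONSENT = "no valid consent for purpose/channel at time of use"


def at(iso_date: str) -> datetime:
    """Helper: parse 'YYYY-MM-DD' into an aware UTC datetime."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=UTC)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str        # e.g. "marketing", "service-delivery"
    channel: str        # e.g. "email", "sms"; "*" means any channel
    granted: bool       # True = consent given, False = consent withdrawn
    recorded_at: datetime
    evidence: str       # provenance: form id, document reference, portal log


class ConsentLedger:
    """Append-only consent history; the latest applicable event wins."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)

    def state_at(self, subject_id: str, purpose: str, channel: str,
                 when: datetime) -> Optional[ConsentEvent]:
        """Latest event for (subject, purpose) matching the channel or '*'
        recorded at or before `when`; ties broken by insertion order."""
        best: Optional[ConsentEvent] = None
        best_key: Optional[Tuple[datetime, int]] = None
        for idx, ev in enumerate(self._events):
            if ev.subject_id != subject_id or ev.purpose != purpose:
                continue
            if ev.channel not in (channel, "*") or ev.recorded_at > when:
                continue
            key = (ev.recorded_at, idx)
            if best_key is None or key > best_key:
                best, best_key = ev, key
        return best

    def permits(self, subject_id: str, purpose: str, channel: str,
                when: datetime) -> bool:
        state = self.state_at(subject_id, purpose, channel, when)
        return state is not None and state.granted


@dataclass(frozen=True)
class UsageRecord:
    """One use of a personal data element, as an application would log it."""
    subject_id: str
    element: str
    purpose: str
    channel: str
    used_at: datetime
    system: str


def check_usage(ledger: ConsentLedger, policy: Dict[str, Set[str]],
                usage: UsageRecord) -> Optional[str]:
    """Return None if the usage is allowed, otherwise the reason it is not.
    Policy (element -> allowed purposes) is checked before consent."""
    allowed = policy.get(usage.element)
    if allowed is None:
        return NOT_CATALOGUED
    if usage.purpose not in allowed:
        return POLICY_FORBIDS
    if not ledger.permits(usage.subject_id, usage.purpose,
                          usage.channel, usage.used_at):
        return NO_CONSENT
    return None


def audit(ledger: ConsentLedger, policy: Dict[str, Set[str]],
          usages: List[UsageRecord]) -> List[Tuple[UsageRecord, str]]:
    """Every usage that violates policy or consent, with its reason."""
    findings = []
    for usage in usages:
        reason = check_usage(ledger, policy, usage)
        if reason is not None:
            findings.append((usage, reason))
    return findings


def build_sample() -> Tuple[ConsentLedger, Dict[str, Set[str]], List[UsageRecord]]:
    """Constructed sample data: one subject, two purposes, five usages."""
    policy = {"email_address": {"service-delivery", "marketing"},
              "postal_address": {"service-delivery"}}
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("s-1001", "service-delivery", "*", True, at("2018-05-20"), "signup-form-v3"))
    ledger.record(ConsentEvent("s-1001", "marketing", "email", True, at("2018-06-01"), "web-form-42"))
    ledger.record(ConsentEvent("s-1001", "marketing", "*", False, at("2018-09-15"), "privacy-portal"))
    usages = [
        UsageRecord("s-1001", "email_address", "marketing", "email", at("2018-07-04"), "crm"),
        UsageRecord("s-1001", "email_address", "marketing", "email", at("2018-10-01"), "crm"),
        UsageRecord("s-1001", "email_address", "marketing", "sms", at("2018-07-04"), "crm"),
        UsageRecord("s-1001", "postal_address", "marketing", "post", at("2018-07-04"), "print"),
        UsageRecord("s-1001", "postal_address", "service-delivery", "post", at("2018-07-04"), "erp"),
    ]
    return ledger, policy, usages


if __name__ == "__main__":
    ledger, policy, usages = build_sample()
    for usage, reason in audit(ledger, policy, usages):
        print(f"{usage.used_at.date()} {usage.system}: {usage.element} for "
              f"{usage.purpose} via {usage.channel} -> {reason}")
```

Running the sample flags three of the five usages: the e-mail marketing use after the withdrawal recorded on the privacy portal, the SMS marketing use for which consent was only ever given on the e-mail channel, and the postal marketing use that the data usage policy never allowed regardless of consent. The point of keeping the history rather than a current flag is that the first usage (July, before the withdrawal) stays auditable as compliant even though the subject has since withdrawn.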
Learn more about how to comply with the new EU Data Protection Regulation