How do you manage consent for GDPR?


When we talk about consent management for GDPR we quickly come to the notion of “consent for a purpose”. It might have been sufficient in the past to provide a form with a single generic consent check box and store the fact that consent was given or not. But nowadays consent is per purpose and rather specific, might change over time and applies to a single type of interaction or channel.

In GDPR this is also known as explicit consent. Such explicit consent is given for a specific purpose and might only affect a portion of the personal data collected and stored. But in most IT systems, a thing like “purpose” does not exist. IT systems provide access control, process automation and ways to quickly reuse and adjust business processes, but do not know about the intended purpose of each and every transaction.


Modeling challenge

This imposes a modeling challenge when it comes to ensuring compliance with GDPR, because GDPR requires the data processor to document all the personal data of a person along with how it is used and the specific consent given by the individual. The difficulty is to link the purpose based consent given by an individual with his personal data.

In many organizations sensitive data is collected and stored in different IT systems and it is protected through role based access and other application specific features like encryption. Data usage policies exist in some documented forms and define business process usage, who can access the data and the type of security applied to it. Consent information can come from legal documents or may be stored in IT systems. But both, consent information and data usage policies tent to be not linked to the personal data itself.

Sounds trivial but in fact isn’t. Even an average size organization runs a multitude of applications across many different channels and locations. The challenge is not only the activity to collect all personal data from these sources, but also the exercise to map all personal data to the specific consent(s) given in the past. A successful data protection program requires both: the personal data and the related specific consent combined. With linked information organization can easily provide an audit trail of how personal data is used versus the consent given for the respective purpose.

Providing a complete picture

SAS proposes an approach that links consent information with data usage policies and personal data to provide a complete picture of personal information and its usage. Bringing the three elements together eases not only compliance reporting, but also allows organizations to base their marketing campaigns and other channel activities on the specific consent given by every individual.

To find and link the information from the various sources, SAS provides a step by step process along with tools and technology that help organization achieving compliance for GDPR.  With this SAS® for Personal Data Protection companies can immediately start managing and storing its data usage policies transparently and collaboratively in a web based application. This is one step towards GDPR compliance and is the starting point for any personal data governance.

Besides serving as a library for personal data usage policies the solution supports continuous maintenance of policies and might also incorporate general data policies or serve as a central instance for workflow driven incident management for personal data. To truly manage personal data, these data usage policies are to be linked with information about the data sources.

Secret recipe to make data protection officers happy

SAS® for Personal Data Protection can find personal data in many data sources by using its parsing, matching and identification capabilities to identify which sources contain sensitive personal information. A process systematically scans data sources and categorizes all personal data within the IT infrastructure to create a catalogue of personal data and where it is stored. The identified personal data elements are mapped to the appropriate personal data type and the data usage policies applicable.

Finally, consent information needs to be brought into the picture. SAS® for Personal Data Protection combines consent information and personal data in a single data model and provides a data model template to store personal data records alongside it consent information including its historic changes. The data model is ready to use for generic personal data, but is flexible to be tailored to individual industry or customer specific needs.

With the ability to connect to any data source and the use of prepackaged logic and rules to systematically identify personal, data usage policy management and a prepackaged data model that include consent information and personal data, life of a data protection officer can be much easier.

Learn more about how to comply with the new EU Data Protection Regulation


About Author

Helmut Plinke

Principal Business Solutions Manager

Helmut Plinke acts as Principal Business Solutions Manager for SAS, focusing on data quality and data governance technologies. Helmut is an enthusiast of data quality technologies to improve fitness of data and thereby help businesses to improve efficiency and gain competitive advantages. In his current role Helmut supports customers in designing enterprise data management solutions based on SAS technology. He is a specialist in data quality and data integration technologies for a long time now and has been part of some of the major SAS data quality and data governance projects in DACH and the Netherlands recently. With over 15 years of experience across multiple industries Helmut has also gained a wealth of knowledge and experience in technologies like business intelligence, content management and enterprise application integration from his past roles with other companies. Helmut has published in IS Report and speaks about the topic of data management at SAS and public conferences sharing his project experience and knowledge.

Leave A Reply

Back to Top