Why would I need consent management?

TL;DR - By improving trust between you and your customers they will be happier to spend more with you.

Author: David Patterson

I’m amazed how often I’m asked “why does anyone need consent management? Aren’t there other, more applicable legal bases for the processing of personal data?”

In many cases this is true. Consent should often be used as the basis of last resort. However, when no other legal basis is available (for example, when there is no legitimate interest or regulatory need for the data processing), consent is often the only way forward.

The experience of working with government agencies, large enterprises and smaller start-ups is that consent is still required in many circumstances.

One example would be within the workplace. Commercial organisations are often able to rely on a contractual basis for the use and retention of personal information. For example, the activities required to ensure safety of their site or their employees are not applicable to GDPR. Employers do, however, carry out many activities that are considered non-essential, such as the use of their staff’s images in marketing their company.

Most of the employers that our partners have worked with have, through their Privacy Impact Assessment, identified dozens of cases where consent may be the best legal basis.

Consent management increases trust by providing choice and control.

A consent management tool enables an organisation to record the consent interactions that they have with their customers, employees and users. It allows those customers, employees and users to choose what they consent to, what purposes they accept and to control access to their personal data.


We all see consent slips on the bottom of contracts, at the t’s and c’s page of a website or even on the request slip for a child to attend trips with their school. There are some occasions where these consent requests are inappropriate. If you don’t have any real choice about whether you should consent, for example, then consent should not be used as the legal basis for data processing.

Once the purposes for the consent requests have been defined by the organisation, the customer can make an informed decision whether to grant consent. Ideally, that consent is then recorded and a consent receipt is issued that is standards-based and interoperable with other consent systems. One such set of standards has been proposed by the Kantara Initiative.

The record of consent is then able to be queried whenever that personal information is used. This means that the customer experience is improved and trust is created between the organisation and the customer.

It is this increase in trust that was designed to be the key benefit of GDPR. There is evidence that a lack of trust in use of personal data severely affects revenues and/or service levels. Maintaining or even improving this trust should have a positive effect on organisations.

Your organisation will likely conduct a privacy impact assessment (PIA). This can be completed in conjunction with your data protection officer, or by using a consultant data privacy expert. It enables you to identify the personal information requirements and the appropriate legal basis for recording or processing that information.

If consent is one of the bases you will use then the PIA should identify the consent requests you will need to make. You need to clearly define your data types & ensure that the purposes are clearly defined. This is your consent request.

Together, the consent requests and the purposes for making the requests are pre-requisites for a successful adoption of consent management software. You may also want to think about where in your customer’s interactions you will be asking for consent. Will you need to integrate with other 3rd party software?

For example, if you use a CRM system to manage your customer data, do you need that system to query whether you can record certain information about your customer? Do you need to consult the consent record before sending out marketing material?

If this article relates to your own situation, why not look at our own consent management software, Consentua? It is available now and ready to be deployed for your organisation today.

Send me an email at [email protected] if you want to see how Consentua can help you to improve trust with your customers.

Data Privacy Compliance, Is your business at risk?


Data Privacy Compliance is suddenly at the forefront of most companies’ plans. Most businesses will be aware that the legislation has changed (and is still changing). Some will also be aware that the data protection authorities have begun to fine non-compliant organisations.

On the 25th of May 2018, the European Union introduced the General Data Protection Regulation (GDPR). It addresses how organisations use, store and process personal data. With almost a year passed since the introduction of GDPR, many businesses remain unaware of its implications.

Who enforces GDPR?

Each country has a data protection authority. In the UK it is the Information Commissioner’s Office (ICO) and it is not a job they take lightly.

According to a report published by DLA Piper (2019), in the 8 months since GDPR’s implementation, there were 59,430 breaches across Europe. In some countries, total reported infringements were as low as 15 and in others as high as 15,000. This demonstrates the varied attitude to data protection across Europe.

The lion’s share of the 59,430 enforcement cases came out of The Netherlands (15,400), Germany (12,600) & the UK (10,600). Businesses operating in these three countries must be particularly wary.

Data Privacy Compliance. What’s changed?

Before the 25th of May 2018, the number of infringements reported per month was around 350. Two months later this rose to 1,752. As dramatic as these figures appear, in the first months of GDPR there were very few fines.

Yet, it appears the grace period is over. In January 2019, Google had to swallow a €50 million fine for GDPR violations. This must serve as a wake-up call for all businesses that deal with their customers’ data.


The greatest fine possible for a GDPR breach is €20 million or 4% of annual revenue. This is far greater than the largest fine afforded by the Data Protection Act (DPA), which was £500,000.

Who is most vulnerable?

It is not only the largest corporations who are being held accountable. A hospital in Portugal was recently fined €400,000 for a GDPR violation. In Germany, a small company called Kolibri Image was fined just £5,000. This illustrates that businesses of all sizes are at risk.

One of the six bases for processing personal data is consent. It will often be used where there is no contractual basis or legitimate interest.

The changes in rules around consent have been particularly challenging for businesses. The need to get freely given, specific, informed and unambiguous consent will often run counter to established business practices. Marketers, in particular, have a difficult time getting freely given consent.

Can you be sure your whole organisation is compliant with GDPR’s rules on consent? Why take the risk? To avoid a devastating fine, not to mention reputation damage, sign up for a free trial with Consentua and start your journey to compliance.

If you would like to start a free trial call 02392 160640 or contact us at https://consentua.com