On May 25, 2018 the EU General Data Protection Regulation (GDPR) takes effect, a major milestone leading companies around the globe to now rethink how they collect and use customer data. This blog explains how Consent Lifecycle Management can help you achieve compliance for this new regulation.
The GDPR is a new regulation put in place by the European Union to protect the data and privacy of its residents. It has global impact as it applies to any company collecting data of EU residents, regardless of where on the planet (inside or outside the EU) the company actually collects that data.
Some of the most challenging requirements of the GDPR are around the need to collect consent from end users before obtaining and transferring their personal data. While consent already is a requirement today under current EU law (as well as many non-EU regulations), it is important to understand that the GDPR requires affirmative, and in some cases, explicit, consent with dramatic impact for many organizations. While I will focus on the GDPR, other examples of regulations that significantly extend consent collection requirements include the EU's Payment Services Directive (PSD2) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
Moving From Implicit to Explicit, Purpose-Bound Consent
Today, many companies rely on implicit and "opt-out" consent when collecting personal data from their customers -- for example, we all are very familiar with pre-checked boxes on registration forms. This practice of collecting implicit consent will no longer be allowed under the GDPR, which requires consent by the user signaling agreement by "a statement or a clear affirmative action."
It might not be obvious at first glance how impactful these changes are for enterprises. For example, if you collect data from your customers (on your websites, smartphone apps, or any other form of digital property) and you ask for their consent by using pre-checked boxes or dialog forms that "imply" consent just by filling them out or hitting a button, then you will have to redesign those in order to be compliant with the GDPR.
Let's take that example one step further -- if your customer database today contains data that was collected via implicit consent, the GDPR doesn't allow your existing non-complying data to be "grandfathered in". You will have to request consent from your customers again, but this time in a fashion that complies with the GDPR.
But that's not all. The GDPR not only requires explicit consent before collecting sensitive personal data, but also limits that data collection to "specified, explicit and legitimate purposes," and the data "must not be further processed in a manner that is incompatible with those purposes." (GDPR Art.5(1)(b))
In other words, you can no longer (for example) collect a full customer profile when people sign up to your website, and have your sign-up form ask for everything such as name, address, age, gender and phone number. Collecting personal data proactively just in case it might be needed to offer the user a service later on -- or just because it is useful to have this data for your own business and marketing purposes -- is no longer allowed. You can only collect data needed for a specific purpose, like a specific online service or to enable purchase transactions. An online service that sends reminders in the form of text messages to a customer's phone would be an example for a legitimate purpose to collect a customer's cell phone number, while requesting the phone number just to download a white paper is not.
On top of all that, the GDPR requests that customers must be enabled to view and modify their consent settings at any time. For example, somebody who consented to share their last name has to be able to go in at a later point in time and withdraw that permission. Needless to say, that change then needs to be reflected in the entire marketing automation stack and throughout all databases of the company. If your CRM has the last name removed, but your email automation system still sends out a personalized email using it, you are in violation of the GDPR.
Many businesses today look with great nervousness at the upcoming regulation, wondering how they can comply with the GDPR without negatively impacting the customer experience on their digital sites or ending up with CRM databases that are no longer usable after May 25, 2018. This, in fact, will render many of today's marketing campaigns illegal.
How an Identity Cloud Enables Proper Consent
The solution we provide to address these challenges is Consent Lifecycle Management, the newest member of the Akamai Identity Cloud, a cohesive set of cloud-based services for Customer Identity and Access Management (CIAM).
We specifically designed Consent Lifecycle Management to provide businesses the technology to obtain informed consent from their customers in ways that allow compliance with the GDPR or similarly sophisticated regulations. It does this by providing highly customizable fine-grained consent forms that can be invoked progressively per purpose, and that make it easy for end users to understand what data and what purposes they are providing explicit consent towards, as well as where they have opted out.
These forms can be set to appear whenever the context requires it -- say, if a customer has signed up to download a white paper and has provided their email address only, but is later signing up for a text message reminder service, a new form would be displayed to obtain the phone number. This progressive consent collection can be done on any form of digital property, from websites to mobile applications to Internet of Things (IoT) devices. The forms can also be used to ask existing customers in a non-disruptive way to reconfirm their consent, which allows you to "update" customer data that you collected prior to GDPR, and move this data into compliance.
End-users can go back to their consent declarations at any time for review, validation, revocation, or other changes; similar to setting or revoking access permissions for third-party applications on mobile devices or social media sites. They can then also download this information as a PDF document.
Consent Lifecycle Management supports passing data between systems via an API that ensures your marketing automation stack and other internal systems are always updated with the current consent preferences of a customer.