When we talk about consent management for the EU’s General Data Protection Regulation (GDPR), one of the key considerations is “consent for a purpose.” It might have been sufficient in the past to provide a form with a single generic consent check box and store the fact that consent was given or not. But under the GDPR, consent is per purpose, specific, might change over time and applies to a single type of interaction or channel. In GDPR terms, this is also known as “explicit consent.” Such explicit consent is given for a specific purpose — and might only affect a portion of the personal data collected and stored.
Unfortunately, in most IT systems, a way to account for and track purpose does not exist. IT systems provide access control, process automation and ways to quickly reuse and adjust business processes, but aren’t smart enough to know the intended purpose of each and every transaction.
It’s a huge modeling challenge when it comes to ensuring compliance with GDPR because GDPR requires the data processor to document all the PII (personally identifiable information) in his organization, along with how it’s used and the specific consent given by the individual.
The difficulty is linking the purpose-based consent given by an individual with his personal data. That may sound trivial, but it isn’t.
Even an average size organization runs a multitude of applications across many different channels and locations. The challenge is not only collecting all personal data from these sources, but also mapping all personal data to the specific consent(s) given in the past.
A successful data protection program requires both the personal data and the related specific consent combined. With linked information, organizations can easily provide an audit trail of how personal data is used versus the consent given for the respective purpose.
In many organization the situation is like this: Sensitive data is collected and stored in different IT systems, and it’s protected through role-based access and other application specific features like encryption. Data usage policies exist and are documented, defining business process usage, who can access the data and the type of security applied to it. Consent information can come from legal documents or may be stored in IT systems. But consent information and data usage policies are not typically linked to the personal data itself.
A different approach
SAS proposes an approach that links consent information with data usage policies and personal data to provide a complete picture of personal information and its usage. Bringing the three elements together eases not only compliance reporting, but also allows organizations to base their marketing campaigns and other channel activities on the specific consent given by every individual.
To find and link the information from the various sources, SAS provides a step-by-step process along with tools and technology that help organization achieve compliance for GDPR.
With SAS® for Personal Data Protection, companies can immediately start managing and storing its data usage policies transparently and collaboratively in a web-based application. This is one step towards GDPR compliance, and is the starting point for any personal data governance.
Besides serving as a library for personal data usage policies, the solution supports continuous maintenance of policies and might also incorporate general data policies or serve as a central instance for workflow driven incident management for personal data.
To truly manage personal data, these data usage policies must be linked with information about the data sources. SAS® for Personal Data Protection can find personal data in many data sources. The solution uses its parsing, matching and identification capabilities to identify which sources contain sensitive personal information. A process systematically scans data sources and categorizes all personal data within the IT infrastructure to create a catalogue of personal data and where it’s stored. The identified personal data elements are mapped by SAS to the appropriate personal data type and the data usage policies applicable.
Finally, consent information needs to be brought into the picture. SAS® for Personal Data Protection combines consent information and PII in a single data model, and provides a data model template to store personal data records alongside it consent information including its historic changes.
The data model is ready to use for generic personal data, but is flexible so that it can be tailored to individual industry or business needs. Using SAS® for Personal Data Protection tools and pre-packaged services are your answer to linking PII records with consent information and usage policy.
With the ability to connect to any data source and the use of prepackaged logic and rules to systematically identify personal, data usage policy management and a prepackaged data model that include consent information and PII, life for data protection officers can be much easier.
Learn how to comply with the new EU Data Protection Regulation by downloading this GDPR report.