by Christian Ward
Bookmark

GDPR and The Common Use Case of Consent

So many stories on GDPR. The typical blog post highlights all the myths out there about the regulations and how it will ultimately affect us. But, when you leave out the scare tactics, what are the common use cases for each of us? Individually, does GDPR affect the everyday person?

Absolutely.


GDPR is the General Data Protection Regulation and while it affects EU Countries, it realistically has a much larger scope in practice because companies that do business in the EU are subject to it. Further, I would argue that this has even more reach as it pertains to businesses trying to prepare for a best practice, proactive approach toward data security and privacy.

But there’s much more at stake for the individual. For individuals, like you, me, and our kids, GDPR is a step toward “consent” based security and privacy measures, and at least here in the States, that has never been how technology was designed. Tech here has always been designed to gather as much data as possible from users, and while there are some protections, most people just accept that their data was and is used by corporations.

GDPR readiness is triggering people, both in the EU and here in the U.S., to really think about what their personal data is used for and that is the true scope of GDPR. Not that it is just an EU regulation, but that it is systematically getting people all over the world to think about data privacy and their rights to not be tracked at all times.

Which brings me back to consent.

Consent, in a data sense, would seem to center on me, or you, as individuals being permitted to grant consent to a company to utilize our data. And perhaps, more importantly, it would allow us to withdraw consent.

  • Hey Facebook, I withdraw my consent.
  • Hey Twitter, I grant you my consent.
  • Hey Netflix, I withdraw my consent.
  • Hey Google, I grant you my consent.
  • Hey Yahoo!, I withdraw my consent.
  • Hey Instagram, I grant you my consent.
  • Hey Experian, I withdraw my consent.
  • Hey McDonalds, I grant you my consent.
  • Hey [_____any company here_________], I withdraw my consent.

Now here is where it gets tricky. No major company that I am aware of has the systems in place to quickly, expeditiously, or even remotely to handle what I just did in those bullet points. Sure, their email newsletter has an “unsubscribe” link, but let’s face it, that’s not the same as going into a customer database and blowing out a record. It’s WAY more complicated than that.

Companies will need to produce a “meta” layer of data that tracks consent. They will need to have that layer control access to records based upon ongoing consent. Not “one-time” consent, but a new concept for most U.S. companies, which is ongoing consent. Further, when consent is withdrawn, the record must be removed. If consent is later granted, the record can’t be re-created or re-instantiated, it must start anew.

These types of changes will have huge ramifications for the next several years. Companies are not really ready for this level of consent control and don’t even get me started on “data minimization” strategies. They’re pretty freaking alien to everything data platforms have been built for.

Leave a Reply