GDPR Consent Requirements

Your Tactical Guide to Compliance with GDPR Consent Requirements

GDPR brings a long-awaited, uniform regulatory approach to user data privacy and control in the EU. Global companies are paying close attention, since the GDPR applies to any company collecting data on residents of the EU regardless of where the company is located. With the current initiative of the e-Privacy Directive Working Group, the privacy industry is analyzing how these heightened requirements will play out alongside the existing user data privacy and control regulations, which broaden the scope and address data collection points beyond digital tracking technologies.

GDPR codifies an increased level of protection and control for the user by expanding the consumers’ rights:

  • Consumers may access their data (Article 15[1]).
  • Consumers may request information on where and when their data is processed (Article 15).
  • Consumers may request a digital copy of their data and transfer that data to another data controller in a relatively seamless manner (Article 18[2]).
  • Consumers may request erasure of their data and receive confirmation of the erasure (Article 16[3] & 17[4]).
  • In addition, the data subject’s consent must be freely given, specific and informed…either by a statement or by a clear affirmative action, signifying agreement to the processing of their personal data (Article 7[5]).
    • “Personal data” is defined as “any information relating to an identified or identifiable natural person.” Under GDPR, the scope of “personal data” used for profiling is further expanded, for example, to biometric data and other unique persistent identifiers that were previously ambiguous, such as IDFA and GAID (Article 4[6]).

Although the deadline of May 28th, 2018 feels far away, the schedule for coming into compliance with the new GDPR consent requirements is tight. Refer to the guided timeline below.


  1. Scope Definition: A company must first determine the scope of the internal consent initiative in order to make strategic resource calculations.
  2. In-House Build or Vendor Selection: A company then makes a business decision on whether to build the consent solution in-house or select a consent vendor. Selecting the right consent vendor can take some time depending on internal procurement procedures.
  3. Scope Definition continues: The company kicks off the project by identifying data collection points and analyzing where the consent integrations have to be completed. TRUSTe has a Data Discovery system with PII/SPII detection technology for digital properties to help companies automate this process.
  4. Project Design: Often, consumer-facing touch points involve legal, marketing, and engineering stakeholder approvals.
  5. Project Implementation: Once scope and design deliverables are approved, the engineering team needs to bake the consent integration into internal sprint release cycles.

TRUSTe is evaluating the GDPR consent requirements in order to evolve our existing consent solutions and help companies achieve compliance by the May 28th, 2018 deadline. Working with TRUSTe puts all of our resources and guidance within easy reach:

  • A software technology that helps companies come into compliance with the notice, consent, and audit requirements of GDPR.
  • A software technology that works on desktop and mobile devices. Not only is TRUSTe’s consent notice mobile-optimized, TRUSTe’s solution is also tracking-technology agnostic and can save consent against IDs and/or email addresses.
  • A dedicated Technical Account Management team to facilitate implementation and provide post-implementation support and maintenance.
  • A customer-facing portal to manage user consent choices at any point in the data collection and sharing process.
  • A client-facing portal to analyze consent metrics and maintain a database of informed consent for regulatory audits. The data can be exported and manipulated for custom reporting metrics.

Contact TRUSTe to learn more and participate in our GDPR Consent Program.

[1] http://www.privacy-regulation.eu/en/15.htm
[2] http://www.privacy-regulation.eu/en/18.htm
[3] http://www.privacy-regulation.eu/en/16.htm
[4] http://www.privacy-regulation.eu/en/17.htm
[5] http://www.privacy-regulation.eu/en/7.htm
[6] http://www.privacy-regulation.eu/en/4.htm