GDPR and explicit consent: challenges and opportunities

Alan Goode|24 October 2017
GDPR and explicit consent: challenges and opportunities

Consent is a core part of data protection legislation. The European Union’s General Data Protection Regulation (GDPR) comes into effect from 25 May 2018 and aims to provide clarity on the previously contentious issue of obtaining an individual’s consent in order to process their personal information. With this, the EU aims to give control of personal data back to its citizens – data subjects in GDPR parlance – and to simplify the regulatory environment for organizations (defined as data controllers and data processors) inside and outside of the EU.

The definition of consent at Article 4 (11) of the GDPR states that “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative actions, signifies agreement to the processing of personal data relating to him or her”.

Louder than words

Article 4 (11) of the GDPR demands a positive indication of agreement (“a statement or clear affirmative action”) by the data subject to their personal data being processed. This is important in that there has to be an action by the data subject – not just consent implied by silence or pre-ticked boxes – before the data can be processed. There must also be an “unambiguous indication of the data subject’s wishes”, meaning that the data controller or processor must be able to demonstrate that the data subject has consented to the processing of the data.

The need for explicit consent for processing of personal data is challenging for data controllers and processors in a number of ways; some of which are not immediately obvious. For instance, the GDPR states that data subjects must explicitly consent to device fingerprinting. Device fingerprinting is information that is collected from a device for the purpose of user identification and background detection of fraud. Without explicit consent, this could be classified as a violation of user privacy, as personally identifiable information is being extracted without permission from the owner’s device, even though it may be obtained for a positive reason.

Raising the standard

To ensure that organizations are compliant with the consent aspects of the GDPR, they must ensure that their technology suppliers have built-in compliance. Entersekt’s security solutions ensure that organizations are compliant with GDPR in a number of scenarios, including providing a low-friction user authentication experience and supporting explicit consent for device fingerprinting. With the emergence of open banking, its adoption greatly accelerated by the arrival of the second Payment Services Directive (PSD2), banks will see an increase in the number of interactions, coming from a variety of new sources, it has from consumers. It is therefore imperative that banks adopt authentication technology that supports a simple, fast mechanism for gaining consent that can be received from a variety of sources.

The Entersekt Transakt product offers low-friction user authentication and allows the use of device- and app-based contextual data to aid organizations in registering users and making risk assessments. It supports the customer in providing consent to allow personal and device information to be collected by the service provider.

Time to comply

In just over six months, all organizations within the EU and those organizations doing business with EU citizens must conform to the GDPR. The GDPR’s statements on explicit consent provide organizations with clarity on how to manage the collection of their customers’ personal data. Organizations must ensure that their technology partners and suppliers understand their obligations for the consent aspects of the GDPR.

Entersekt provides advice to its customers on the terms of GDPR and how to ensure compliance with the consent aspects of the data protection legislation. They advise clients that consent statements be included when asking for additional permissions. An example of such a statement would be: “We want to track your location to be able to register you via the mobile phone; otherwise you will have to go and register inside the bank branch. Do you agree?”

Transakt enables explicit consent with a real-time, low-friction user experience where all user responses are digitally signed. This supports the GDPR’s requirement for “unambiguous indication of the data subject’s wishes”, which means any future disputes can be quickly resolved.

Want more perspectives? Read previous blog posts by our SVP partnerships and alliances, Dewald Nolte, and our SVP Products, Niel Bester.

 

About the author

Alan Goode

Alan Goode

CEO and Chief Analyst Goode Intelligence

Subscribe to our newsletter for our latest news, press releases and events

logo entersekt

Entersekt is an international software development company based just outside of Cape Town, South Africa.

We are leaders in authentication, app security, and payments enablement technology, offering a highly scalable solution set with a track record of success across multiple continents.