Sunday, January 28, 2018

GDPR’s “Last Mile” - Implementing the Compliant UI/UX

From an IT technician's point of view, those of us tasked with operationalizing GDPR's mandated transparency and consent requirements before the 25May2018 enforcement threshold face a formidable challenge.

While EU users and regulators will be able to evaluate our compliance with the new GDPR rules simply by viewing any of our public-facing data ingestion screens, we as IT staff (who craft and maintain those screens) lack concrete requirements as to what actually needs to be changed and/or added at our existing user touchpoints to achieve and demonstrate compliance.

Experience tells us that IT implementations based upon ill-defined and amorphous specs often end poorly, yet the May deadline looms, and a strategy of inaction risks heavy sanctions as well as brand damage for the enterprise.

What to do?

For an answer, it is useful to step back and analyze the GDPR regulation holistically, and from the standpoint of the EU leaders who drafted and enacted it in 2016.  What were the overriding goals they sought to achieve through this legislation?  In terms of privacy protection for their EU citizen constituents, what are the most important long-term outcomes that will act to make this regulation an unqualified success for regulators and a privacy win for EU citizens?

First, look at the negative pronouncements in GDPR. The framers explicitly sought to eliminate the common practice of citizens giving up personal information without first being properly informed (see Article 12).   They explicitly sought to eliminate the reality of citizens left without effective and informed choice (Article 7).  And they sought to eliminate data controllers and processors acting without appropriate permission, leaving citizens with no control as their personal data was transferred to third parties and beyond (Rec. 32). 

On the positive side, they defined new standards for defining, obtaining, and maintaining consent (Articles 4, 6), they codified a number of new individual privacy rights for citizens, and they mandated that citizens be advised of those rights on a regular and fully visible basis (Articles 12-21).

There is a common thread running through each of these initiatives.  It is that these new GDPR mandates all imply a bidirectional conversation or “touchpoint dialogue” between enterprise and user.  No longer can an inscrutable privacy policy and a pre-ticked “I Agree” box serve as adequate permission for processing personal information.  No longer is personal information gathering “the sound of one hand clapping”.  Now the user has a seat at the table (figuratively speaking) and can/must participate as an active party in the PI exchange.

Returning to the question of what IT can do today as the compliance deadline approaches ... this writer believes that implementing a touchpoint dialogue structure at the enterprise's public-facing personal data ingress contact points is a practical and essential initial step in implementing and demonstrating GDPR compliance.

Implementing such dialogue capability publicly demonstrates solid commitment to the spirit of the Regulation, while putting the framework into place for expanding and optimizing the enterprise's compliant UI/UX as guidance and codes of conduct become better defined over time. It signals publicly that our enterprise cares about citizens' privacy and is reaching out as a best practice to build user trust.

So what are the steps to implementing such a dialogue framework at my enterprise?  

One solution is to build it internally.

A second solution is to employ purpose-built, commercially available software, then use the included toolsets, templates, and generic models to tailor it to the enterprise's specific operating environment. If appropriate, a consultant may be employed to help with the tailoring.

A robust GDPR Consent Management solution will include a live, fully developed, generic implementation of compliant touchpoint transparency/notice support, an application programming interface (API) to facilitate integration with existing enterprise infrastructure, full Article 6 processing basis flexibility, comprehensive consent flow support, individual rights presentation and negotiation support, user dashboarding, administrative dashboarding, dialogue event logging, and DPO/DPA accountability reporting.


PrivacyCheq has built comprehensive solutions for large and smaller enterprises. Training, consulting, and LiveStart services are available to facilitate rapid implementation. A GDPR last mile live demo can answer many implementation team questions.


Dale Smith, CIPT
Futurist
PrivacyCheq
drs@privacycheq.com

Friday, October 20, 2017

Five Realities Around GDPR

As the European Union's General Data Protection Regulation (GDPR) enforcement date of 25May2018 approaches, a practical exercise for privacy pros and their implementation teams could be to begin thinking of the "R" in GDPR as standing for "Reality" (as opposed to "Regulation"). This writer offers the following thoughts and observations on some realities of operationalizing GDPR, as seen through a technical, "real world" lens.

First and foremost, the reality is that the GDPR is here to stay. Consider that Recital 1, Sentence 1 of the GDPR reads: "The protection of natural persons in relation to the processing of personal data is a fundamental right." The EU government has set a high standard for citizens' personal data protection, and it is EU law, today. As a population, EU data subjects (users) now have the fundamental right to compliant data protection visually and continually wherever and whenever their personal information is moved or touched by enterprises (data controllers and processors). The scope of protection extends to personal information activity involving desktops, laptops, tablets, smartphones, apps, wearables, IoT devices, and in-person venues.

Since the GDPR became EU law 15 months ago, a great deal has been written and discussed about how the Regulation will affect large and small enterprises trading in Europe, yet very little attention has been given to exactly how operationalized GDPR will look and function when it daily serves real citizens in the real world. As implementation teams and IT staff prepare for actual GDPR "rubber-on-the-road" implementation, a Privacy by Design approach is helpful.

In concept, GDPR is all about enterprise and user engaging together to protect and manage the user's personal information responsibly, promoting positive-sum personal privacy and building mutual trust. In practice, this activity will most often take the form of a proactive, software-supported dialogue between the parties at each real-world encounter, or user touchpoint. In real-world operation, both enterprise and user need to participate in turn as clear details about policy and legal basis are presented, as appropriate consent is informed, negotiated, and gathered, and as individual user rights are proffered and optionally exercised.

A practical, GDPR-compliant touchpoint dialogue will incorporate the following default functional elements:

· Software infrastructure meeting the standards set forth within GDPR Article 12, to proactively present clear and plain language notice as the enterprise talks to the user in a dialogue explaining policy and options.

· Software infrastructure meeting the standards set forth within Articles 5, 6, 7, 8, 13, 14, & 22 to disclose the legal basis for collection, then initiate and manage the negotiation and gathering of appropriate affirmative consent, affirmation of legitimate interest, etc., as the user responds to the enterprise and opts accordingly.

· Software infrastructure meeting the standards set forth within Articles 13, 14, 15, 16, 17, & 18 covering the disclosure and fulfillment of individual rights, as the enterprise proffers optional processing rights to the user, then acts accordingly, directed by user response.

· Software infrastructure to log, track, and report discrete touchpoint dialogue events as they occur, supporting downstream user, DPO, and DPA dashboard reporting.
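As an added illustration (not PrivacyCheq's or ConsentCheq's code), here is a minimal Python model of the four elements above and of the feature list in the January post: each purpose carries an Article 6 basis, consent starts unanswered so a pre-ticked default can never count, rights requests are recorded, and every dialogue step lands in an append-only event log for DPO/DPA reporting. Class, field and event names are assumptions chosen for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
ART6_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
              "public_task", "legitimate_interests"}             # Art. 6(1)
# Arts. 15-18; the value says whether exercising the right halts processing.
RIGHTS = {"access": False, "rectification": False, "erasure": True, "restriction": True}

@dataclass
class Purpose:
    name: str
    legal_basis: str                 # one of ART6_BASES
    notice: str                      # plain-language notice shown to the user (Art. 12)
    granted: Optional[bool] = None   # None = user has not answered yet

class TouchpointDialogue:
    def __init__(self, user_id: str, purposes: list):
        self.user_id, self.purposes, self.events = user_id, {}, []
        for p in purposes:
            if p.legal_basis not in ART6_BASES:
                raise ValueError(f"unknown Article 6 basis: {p.legal_basis}")
            if p.granted is not None:        # Rec. 32: no pre-ticked boxes
                raise ValueError(f"purpose {p.name!r} must start unanswered")
            self.purposes[p.name] = p
            self._log("notice_shown", p.name, p.notice)

    def _log(self, kind: str, purpose: str, detail: str = "") -> None:
        # Append-only dialogue event record feeding user/DPO/DPA reporting.
        self.events.append({"ts": datetime.now(timezone.utc).isoformat(), "user": self.user_id,
                            "event": kind, "purpose": purpose, "detail": detail})

    def respond(self, purpose: str, granted: bool) -> None:
        """User's explicit answer to a consent-based purpose (Art. 7)."""
        p = self.purposes[purpose]
        if p.legal_basis != "consent":
            raise ValueError(f"{purpose!r} is not negotiated: basis is {p.legal_basis}")
        self._log("consent_granted" if granted else
                  "consent_withdrawn" if p.granted else "consent_refused", purpose)
        p.granted = granted

    def exercise_right(self, right: str, purpose: str) -> None:
        """Record an individual-rights request (Arts. 15-18)."""
        if RIGHTS[right]:                    # KeyError on an unknown right
            self.purposes[purpose].granted = False
        self._log(f"right_{right}", purpose)

    def may_process(self, purpose: str) -> bool:
        # Consent counts only when explicitly True; other bases run until restricted.
        p = self.purposes[purpose]
        return p.granted is True if p.legal_basis == "consent" else p.granted is not False
```

The event list is what a DPO dashboard or DPA accountability report would be built from; a real deployment would persist it rather than keep it in memory.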

Prebuilt, prototype touchpoint dialogues and related installation toolsets are available today to facilitate privacy office and IT integration.  Click here to schedule a comprehensive, remote demo.

Another important risk-related reality concerns an enterprise's exposure to GDPR compliance scrutiny and possible enforcement activity. Since the vast majority of enterprise landing page and data capture screens can be publicly accessed over the internet, any given enterprise's dedication and commitment to GDPR compliance (and stewardship of user PI) can be quickly and easily assessed by regulators and users alike. A simple screenshot can provide instant documentation.


A final reality is that the European Union’s GDPR initiative has inspired transformative data protection activity beyond the bounds of Europe. A substantial number of countries around the globe appear to be planning and implementing privacy standards and laws patterned upon and congruent with the spirit of GDPR. The EU’s pending ePrivacy Regulation covering confidential communications will likely rely heavily on GDPR principles as a foundation. In this writer’s opinion, the privacy world is steadily moving towards a GDPR privacy standard. Now is the time for privacy pros, GDPR implementation teams, and IT staff to focus on real-world implementation.

Dale Smith, CIPT
Futurist
PrivacyCheq
drs@privacycheq.com

Wednesday, September 20, 2017

Bringing GDPR Home – What does GDPR compliance actually look like?

Since the GDPR became EU law in early 2016, a great deal has been written and discussed about how the Regulation will affect large and small enterprises trading in Europe. By contrast, very little attention has been given to exactly how operationalized GDPR will look and function when it daily serves real citizens in the real world. With the countdown clock ticking steadily towards 25May2018 (a.k.a. showtime), here are some festering key questions that need answering:

Question #1: What are the essential hallmarks of enterprise GDPR compliance that regulators will expect to be in place? At the user interface, will anything need to be changed at all?

Enterprises will be expected by EU citizens to have done something (not nothing). Consider that Recital 1, Sentence 1 of the GDPR reads: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” Clearly, the EU government has set a high standard for citizens’ personal data protection, and it is the law, today. As a population, EU users now have the fundamental right to compliant data protection visually and continually on desktops, laptops, tablets, smartphones, apps, venues, etc. … wherever and whenever their personal information is moved or accessed.

Takeaway: Enterprises ignoring this fundamental right can expect negative attention from both consumers and regulators sooner rather than later.

So … "something" needs to be done … yet no detailed specification for compliance is available (and one is not likely to emerge anytime soon). What could "something" be? Is there an answer to this conundrum?

Yes, there is an answer … and it’s a good one: Looked at holistically, and from a Privacy by Design perspective, GDPR defines a strong, solid, fundamental requirement. Very simply, at the touchpoint where personal information is gathered from a user under GDPR, it needs to flow through a dialogue between the user and the enterprise. This mandate is a unique hallmark of GDPR. The old “Post and Hope” model no longer complies.

Under GDPR, both enterprise and user need to participate in turn as transparent notice covering legal basis and policy is displayed, as appropriate consent is informed, negotiated, and gathered, and as individual rights are presented and optionally exercised. In concept, GDPR is all about enterprise and user working together in a touchpoint dialogue to protect personal privacy and build mutual trust.

Takeaway: A touchpoint dialogue meeting these fundamental requirements is not only "something", it's a spot-on solution congruent with the spirit of the GDPR Regulation. If/when implemented, it can go a long way towards pleasing both users and regulators.

Question #2: As implemented in the real world, what does such a touchpoint dialogue actually look like?

To visualize it, here's a working ConsentCheq sample of what a web page data collection dialogue might look like for a fictitious movie website. The sample is operational. Put on your user hat and role play with it. Got notice? Got consent? Got rights? Minimize friction while meeting mandated compliance? Meet DPO/DPA expectations? What's missing? What's dispensable? Privacy pros' comments and suggestions for improvement are welcomed. Email: drs@privacycheq.com

Takeaway: At PrivacyCheq, all essential components of GDPR touchpoint dialogues are available today, configured as operational prototypes for specific lines of business and delivery models. Enterprises can quickly leverage these consent management libraries (and associated toolsets) to bring GDPR home with a minimum of disruption, user friction, and re-engineering of current IT procedures.

Question #3: What is a practical set of steps for GDPR-exposed enterprises to take right now to avoid negative attention from EU regulators as enforcement approaches?

1. Decide to do something. Avoid doing nothing.

2. Form a team; focus on what the team believes is most important.

3. If there is no team, or if the team can’t focus, consider employing a “straw” touchpoint dialogue design (pre-built, generic for your industry and business model).

4. Schedule a day to show it to the team.  Perhaps invite your consultant if you have one.

5. Mind the gap. How closely does the generic dialogue fit your specific needs? What looks good, and what won't do? Weigh the strengths and weaknesses. What is inappropriate? What just requires cosmetic adjustment?

6. Using the toolset, progressively modify and adapt the straw dialogue, morphing in actual corporate policy, actual IT interface connectivity, and ongoing operational infrastructure. Optionally, you may employ a consultant to help with this.

7. Lead the team in evaluating the result against reality. Rinse and repeat.

8. Let the team weigh the result against starting with a “clean sheet” (we'll write this code internally).

9. Execute on a plan. Either way, the team is now focused, a set of real-world requirements is in hand, and future steps are now defined. And you've already done something.

Takeaway: PrivacyCheq's consent management solutions (ConsentCheq for larger enterprises and ConsentIQ for SMEs) are Privacy-by-Designed to kickstart your GDPR operationalizing effort.  Request a demo here.

Dale R. Smith, CIPT
Futurist
PrivacyCheq
drs@privacycheq.com