Sunday, January 28, 2018

GDPR’s “Last Mile” - Implementing the Compliant UI/UX

From an IT technician's point of view, those of us tasked with operationalizing GDPR's mandated transparency and consent requirements before the 25 May 2018 enforcement date face a formidable challenge.

While EU users and regulators will be able to evaluate our compliance with the new GDPR rules simply by viewing any of our public-facing data ingestion screens, we as IT staff (who craft and maintain those screens) lack concrete requirements as to what actually needs to be changed or added at our existing user touchpoints to achieve and demonstrate compliance.

Experience tells us that IT implementations based upon ill-defined and amorphous specs often end poorly, yet the May deadline looms, and a strategy of inaction risks heavy sanctions as well as brand damage for the enterprise.

What to do?

For an answer, it is useful to step back and analyze the GDPR regulation holistically, and from the standpoint of the EU leaders who drafted and enacted it in 2016.  What were the overriding goals they sought to achieve through this legislation?  In terms of privacy protection for their EU citizen constituents, what are the most important long-term outcomes that will act to make this regulation an unqualified success for regulators and a privacy win for EU citizens?

First, look at the negative pronouncements in GDPR. The framers explicitly sought to eliminate the common practice of citizens giving up personal information without first being properly informed (see Article 12). They explicitly sought to eliminate the reality of citizens left without effective and informed choice (Article 7). And they sought to eliminate data controllers and processors acting without appropriate permission, leaving citizens with no control as their personal data was transferred to third parties and beyond (Recital 32).

On the positive side, they defined new standards for defining, obtaining, and maintaining consent (Articles 4 and 6), they codified a number of new individual privacy rights for citizens, and they mandated that citizens be advised of those rights on a regular and fully visible basis (Articles 12-21).

There is a common thread running through each of these initiatives.  It is that these new GDPR mandates all imply a bidirectional conversation or “touchpoint dialogue” between enterprise and user.  No longer can an inscrutable privacy policy and a pre-ticked “I Agree” box serve as adequate permission for processing personal information.  No longer is personal information gathering “the sound of one hand clapping”.  Now the user has a seat at the table (figuratively speaking) and can/must participate as an active party in the PI exchange.

Returning to the question of what IT can do today as the compliance deadline approaches, this writer believes that implementing a touchpoint dialogue structure at the enterprise's public-facing personal data ingress contact points is a practical and essential initial step in implementing and demonstrating GDPR compliance.

Implementing such dialogue capability publicly demonstrates solid commitment to the spirit of the Regulation, while putting the framework into place for expanding and optimizing the enterprise's compliant UI/UX as guidance and codes of conduct become better defined over time. It signals publicly that our enterprise cares about citizens' privacy and is reaching out as a best practice to build user trust.

So what are the steps to implementing such a dialogue framework at my enterprise?  

One solution is to build it internally.

A second solution is to employ purpose-built, commercially available software, then use the included toolsets, templates, and generic models to tailor it to the enterprise's specific operating environment. If appropriate, a consultant may be engaged to help with the tailoring.

A robust GDPR consent management solution will include a live, fully developed generic implementation of compliant touchpoint transparency/notice support; an application programming interface (API) to facilitate integration with existing enterprise infrastructure; full Article 6 processing-basis flexibility; comprehensive consent flow support; individual rights presentation and negotiation support; user dashboarding; administrative dashboarding; dialogue event logging; and DPO/DPA accountability reporting.
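To make the "touchpoint dialogue" concrete, here is an added illustration of the core record-keeping such a solution has to get right: it is example code written for this page, not code from the post or from PrivacyCheq, and every name in it (ConsentLog, Basis, the "user-42" sample session) is hypothetical. It encodes the rules the text draws from the Regulation: every consent record cites the Article 6(1) basis and the version of the notice the user actually saw; a default or pre-ticked value is refused as consent (Article 7, Recital 32); consent is per purpose and can be withdrawn at any time with no preconditions; and the log is append-only so the full history can be handed to a DPO or DPA.

```python
"""Append-only consent event log for a GDPR consent touchpoint (illustrative
example; hypothetical names, constructed sample data, not a vendor's API)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Basis(Enum):
    """Lawful bases for processing, GDPR Article 6(1)(a)-(f)."""
    CONSENT = "6(1)(a)"
    CONTRACT = "6(1)(b)"
    LEGAL_OBLIGATION = "6(1)(c)"
    VITAL_INTERESTS = "6(1)(d)"
    PUBLIC_TASK = "6(1)(e)"
    LEGITIMATE_INTERESTS = "6(1)(f)"


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # one decision per purpose, e.g. "newsletter"
    action: str             # "notice_shown", "granted" or "withdrawn"
    basis: Optional[Basis]  # set on "granted"; None otherwise
    notice_version: str     # which notice text the user was shown
    at: datetime            # UTC timestamp supplied by the caller


class ConsentLog:
    """Events are only ever appended, never edited or deleted."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, ev: ConsentEvent) -> ConsentEvent:
        if self._events and ev.at < self._events[-1].at:
            raise ValueError("events must be appended in time order")
        self._events.append(ev)
        return ev

    def show_notice(self, subject_id: str, purpose: str, notice_version: str, at: datetime) -> ConsentEvent:
        """Record that the transparency notice was displayed (Art. 12)."""
        return self._append(ConsentEvent(subject_id, purpose, "notice_shown", None, notice_version, at))

    def grant(self, subject_id: str, purpose: str, notice_version: str, at: datetime,
              *, user_action: bool) -> ConsentEvent:
        """Record consent under Art. 6(1)(a). Only an explicit user action counts."""
        if not user_action:
            raise ValueError("pre-ticked or default consent is not consent (Recital 32)")
        shown = any(e.action == "notice_shown" and e.subject_id == subject_id
                    and e.purpose == purpose and e.notice_version == notice_version
                    for e in self._events)
        if not shown:
            raise ValueError("consent given before the notice was shown is not informed consent")
        return self._append(ConsentEvent(subject_id, purpose, "granted", Basis.CONSENT, notice_version, at))

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> ConsentEvent:
        """Withdrawal must be as easy as giving consent (Art. 7(3)): no preconditions."""
        return self._append(ConsentEvent(subject_id, purpose, "withdrawn", None, "", at))

    def is_permitted(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """The latest grant/withdraw for this subject and purpose (up to `at`) decides."""
        state = False
        for e in self._events:
            if e.subject_id != subject_id or e.purpose != purpose:
                continue
            if at is not None and e.at > at:
                break
            if e.action == "granted":
                state = True
            elif e.action == "withdrawn":
                state = False
        return state

    def report(self, subject_id: str) -> Dict[str, dict]:
        """Per-purpose accountability summary: current state, basis, notice seen, history."""
        out: Dict[str, dict] = {}
        for e in self._events:
            if e.subject_id != subject_id:
                continue
            r = out.setdefault(e.purpose, {"permitted": False, "basis": None,
                                           "notice_version": None, "history": []})
            r["history"].append((e.at.isoformat(), e.action))
            if e.action == "granted":
                r.update(permitted=True, basis=e.basis.value, notice_version=e.notice_version)
            elif e.action == "withdrawn":
                r.update(permitted=False, basis=None)
        return out


# Constructed sample session (hypothetical user, not real data).
SESSION_START = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


def walkthrough() -> ConsentLog:
    """Notice shown; pre-ticked grant refused; real grant; later withdrawal."""
    log = ConsentLog()
    log.show_notice("user-42", "newsletter", "v1.0", SESSION_START)
    try:
        log.grant("user-42", "newsletter", "v1.0", SESSION_START, user_action=False)
    except ValueError:
        pass  # a pre-ticked box never reaches the log
    log.grant("user-42", "newsletter", "v1.0", SESSION_START.replace(minute=1), user_action=True)
    log.withdraw("user-42", "newsletter", SESSION_START.replace(minute=30))
    return log
```

The point of `is_permitted` taking a timestamp is accountability: a processor asked "was this transfer lawful at 09:05?" answers from the log, not from the current checkbox state. In a real deployment the log would be persisted and integrity-protected rather than held in memory, and each purpose would be shown to the user as a separate, unticked choice.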

PrivacyCheq has built comprehensive solutions for large and smaller enterprises. Training, consulting, and LiveStart services are available to facilitate rapid implementation. A GDPR last-mile live demo can answer many implementation team questions.

Dale Smith, CIPT