Consent Management for General Data Privacy Regulations
Blog: Capgemini CTO Blog
Today the industry is agog with the topic of General Data Privacy Regulations (GDPR), and various organizations are trying to find the best way to address data subject rights in their existing landscape. One of the most important areas of the GDPR is data subject consent rights and their propagation and management across the business landscape. Consulting organizations, software vendors and system integrators enter this fray with their own view of how this can be achieved.
Capture & Manage Consent: In the current scenario, there are two camps among software vendors and integrators with opinions on how consent should be captured, managed and propagated.
Given that we live in an increasingly digitally enabled world, we see Identity Access Management (IAM) vendors (iWelcome, ForgeRock & Protegrity) take the approach of allowing data subjects to provide and manage their consent at the access level, and they have extended the IAM data model to capture the various consents.
The other camp consists of vendors entrenched in the data management space with mature Master Data Management (MDM) products. All the major vendors in this space (Informatica, IBM, Oracle) have built, or are building, accelerators and/or have enhanced their customer data model to capture consent alongside the data subject's personal attributes.
However, in both approaches, the question of how consent is captured and managed for data subjects who interact with the organization in a non-digital mode remains a process issue. Today most organizations are already modifying their processes to accommodate such interactions. There is also the question of how the proof of consent, or of its modification, provided by the data subject (which could be in paper or email form) is captured, maintained and, most importantly, referenced from the consent record. In this respect, a few of the MDM software vendors have built some rudimentary process management and Digital Asset Management (DAM) into their products, which to some extent alleviates the requirement for this capability.
Propagating & Enabling Consent in the Application Landscape: While the capture and management of the data subject's consent can be enabled through either an IAM or MDM approach, propagating and enforcing this consent across the organization's application landscape is more challenging. This is primarily due to the complexity of integrating with the consuming applications and enabling anonymization and/or pseudonymization based on the data subject's consent.
The IAM vendors approach this by exposing APIs that the source applications can call. Another approach taken by IAM vendors is to store the data subject's personal data in a data vault and tokenize it; consent rights are then enforced by routing application requests through these tokens. While this approach does work, the integration complexity and performance overhead need to be considered and evaluated.
With the MDM vendors, this integration is slightly simpler. As with the implementation of business rules in any MDM scenario, the rules engine of the MDM Hub is used to determine whether the data subject has consented to the requested processing of an attribute, and then to invoke data masking software that dynamically anonymizes or pseudonymizes the data. In fact, it is now even possible to integrate Data Governance software (such as AXON or Collibra) with the MDM Hub so that governance policies are enforced on the data subject's information.
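The consent rule and masking step described for the MDM Hub, together with the tokenization idea from the IAM data-vault approach, as an added Python sketch that is not any vendor's code: the purpose policy, attribute names, `ConsentRecord` and `mask_for_purpose` are all assumptions made for illustration, and the keyed HMAC stands in for a tokenization vault.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
PSEUDO_KEY = b"constructed-demo-key"  # constructed demo key; a real hub keeps it in a vault or HSM

# Constructed policy: attributes each purpose needs, and what happens to a needed
# attribute when the subject has NOT consented to that purpose.
PURPOSE_POLICY = {
    "marketing": {"needs": {"name", "email"}, "without_consent": "withhold"},
    "analytics": {"needs": {"postcode", "email"}, "without_consent": "pseudonymise"},
}

@dataclass
class ConsentRecord:
    subject_id: str
    attributes: dict   # personal attributes held in the MDM hub
    consents: dict     # purpose -> bool, as given by the data subject
    proof_refs: dict = field(default_factory=dict)  # purpose -> proof document id (e.g. in DAM)

def pseudonymise(value: str) -> str:
    """Keyed deterministic token: equal inputs give equal tokens (stand-in for a tokenisation vault)."""
    return hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_for_purpose(rec: ConsentRecord, purpose: str) -> dict:
    """Apply the consent rule for one processing purpose and return what the
    consuming application may see, together with the consent decision itself."""
    policy = PURPOSE_POLICY.get(purpose)
    if policy is None:
        raise ValueError(f"unknown processing purpose: {purpose}")
    granted = rec.consents.get(purpose, False)  # absent consent is treated as refused
    released = {}
    for name, value in rec.attributes.items():
        if name not in policy["needs"]:
            continue  # data minimisation: never released to this purpose
        if granted:
            released[name] = value
        elif policy["without_consent"] == "pseudonymise":  # "withhold" drops the attribute entirely
            released[name] = pseudonymise(value)
    return {
        "subject": rec.subject_id if granted else pseudonymise(rec.subject_id),
        "purpose": purpose,
        "consent_granted": granted,
        "proof_ref": rec.proof_refs.get(purpose),  # traceable to the signed form or e-mail
        "data": released,
    }

SAMPLE = ConsentRecord("S-1001",  # constructed sample record
    {"name": "Ada Example", "email": "ada@example.test", "postcode": "SW1A 1AA", "phone": "000"},
    {"marketing": False, "analytics": True}, {"analytics": "DAM-DOC-42"})
```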
Conclusion: There is clearly no one-size-fits-all answer. Yes, in a growing digital world the IAM approach seems logical, given that most access to data by subjects will be through identity management. Also, IAM products are becoming more capable, with their data models extended not just to capture user access credentials and consent but also other attributes. At the same time, how the traditional MDM vendors will view and respond to this encroachment into the traditional data management software space is a matter of debate.
In my view, we are yet again witnessing a cycle in which different technologies overlap in capabilities, and sooner or later there will be a convergence, as happened in the networking space. However, it is clearly a question of wait and watch, and for the moment it is up to organisations to evaluate the best fit for their requirements and environment.