With the proliferation of massive security breaches like Panera Bread and many others in 2018, new data privacy regulations like the GDPR are being enforced to protect individuals’ personal data. As awareness of these breaches rises, loss of individual trust is tied directly to customer sentiment, which, in turn, impacts revenue.
In this post, we will take a closer look at how to collect consent from users in compliance with the GDPR, walk through collecting consent through a calendar application as an example, and see how Okta’s suite of products helps with compliance.
What does GDPR mean for my organization?
At a high level, the General Data Protection Regulation (GDPR) gives European Union individuals access to and control over their personal data. This can manifest itself in a variety of methods, from giving an individual the ability to view what kind of personal data is collected about them by organizations, to requesting the erasure of personal data.
In the age of enhanced privacy regulations and hefty fines, Marketing, Security, and IT teams must pay close attention to their approach to compliance.
Collecting consent in customer apps
Consent is one option that companies may choose to use as a legal basis to collect and use personal data. One scenario for which companies may choose to collect consent is for the registration of a mobile calendar application. The GDPR places strict rules regarding how consent can be granted, which can work in tandem with other data privacy regulations such as the UK Privacy and Electronic Communications Regulations.
Let’s go through a sample registration to show how Okta helps with consent management.
In a registration flow, a business is not only collecting attributes like name and email, but also business requirements that are pushed to IT administrators. Those business requirements might define collecting consent for marketing email updates as shown above.
Assuming that a company is using consent as a basis by which to collect personal data and to use it for marketing purposes, when an individual opts in to email updates, the form collects the given consent as an attribute from the individual to allow for email marketing and to track which individuals have consented, in line with data privacy regulations.
It is important to note that the GDPR and other upcoming privacy regulations place restrictions on how consent flows can be designed. For example, the check-box for any marketing communications cannot be pre-checked. If you use consent for marketing communications, you cannot require the user to consent to marketing communications.
Storing Consent as an Attribute
If you choose to obtain consent, then Okta can store consent as an attribute within Universal Directory. Okta’s Universal Directory can store all of these responses as attributes, including consent to terms of service as shown in the figure below.
By storing consent as an attribute, organizations can show consent mapped to a specific user, providing context to the date and time consent was granted. Article 6 of the GDPR lays out the situations, or legal bases, that allow companies to process personal data.
Consent is a very complex topic. Consent requirements are unique and vary from company-to-company and situation-to-situation, so you will want to involve your legal and privacy teams in your design phase to ensure you identify when consent is needed and how to phrase your consents to make sure they are valid before beginning development.
The GDPR is far more complex than just consent use cases. Requirements like the right to be forgotten, data breach notifications, and access to personal data are just the tip of the iceberg when it comes to complying with the GDPR. To read more on how you can use Okta to help you manage consent as well as other requirements of the GDPR, read our whitepaper, Starting your GDPR Journey with Okta.
Disclaimer: while this blog post discusses certain legal topics, it does not constitute legal advice and is provided for informational purposes only. If you or your organization needs legal advice, please consult an attorney.