New GDPR feature for proper data protection methods implementation.
Identity management and governance solutions are evolving. Today’s IDM systems often manage information not only about employees or contractors, but also about customers, citizens or even social network users. The organizations often deal with the information about people with whom they do not necessarily have any strong legal contract. Processing such information was mostly determined by “terms of service” statements and weak legislation, therefore poor processing methods were often tolerated. That is about to change when General Data Protection Regulation (GDPR) becomes enforceable.
GDPR addresses various aspects of data processing, which includes the way how users consent to processing of their data. According to GDPR, there must be a lawful basis for data processing in a form of an employee contract, business contract or other legitimate interest. However, there are some user classes with no such basis and the only option allowing data processing is an explicit consent of the users.
The regulation is quite strict about the way how consent is acquired and managed. It cannot be bundled within “terms of service” or similar agreements. The user must be clearly informed about to whom and for what the consent is given. The consent must always be explicit as well as revocable and this process must be as easy as acquisition of consent. If the consent is revoked and there is no other legal basis for data processing, it must stop immediately. And last but not least, organizations already having consent to process data need a new one after May the 25th 2018, as the existing consent is no longer acceptable.
Unfortunately, current IT applications are not designed with proper data processing methods in mind, as many of them don’t understand the concept of consent. They lack management of consent and also an easy way how to display given consent, revoke it or even manage overlapping consents with different validity or for different scopes of processing. This may easily lead to a poor user experience and in fact it may also violate the regulation.
Fortunately, there is a convenient solution which actually has been existing for years: identity management and governance. The IDM systems can already reach to all the crucial applications and manage identity data and that is exactly what is necessary for proper data protection methods implementation. All that is needed is a modification of the existing approach to provide proper user interfaces and additional mechanisms.
Solution: consent management
To help organizations also with GDPR, we propose a new consent management functionality for midPoint. It will be provided to end users (e.g. customers) as well as Data Protection Officers (DPOs):
- DPOs will be able to set up data protection scopes that specify purpose and scope of intended data processing. MidPoint will maintain the record of user consents to the data protection scopes for later review.
- End users will be able to see the list of all the consents which they have given. All the details will be displayed: when the consent was given, to what the user consented, to whom was the consent given, the consent scope and so on.
- End users will be able to revoke the consent. Consent revocation will automatically trigger deprovisioning of user data – unless there is another lawful basis that justifies continued data processing.
- Overlapping consents will be properly managed. For example midPoint can manage pre-GDPR consents that automatically expired on 25 May 2018, continuing processing of data only for those users where the GDPR-compliant consent was re-acquired.
- DPOs can review active consents and other lawful bases for any user.
- User consent processing will be compatible with processing of other lawful bases and legitimate interests. Consent can seamlessly overlap with other lawful bases. MidPoint will compute the resulting data management scope and carry out all necessary identity data modifications.
From the user perspective, the consent management will be available in two variants based on the intended audience. The end users will be presented with intuitive user interface to manage their consents easily, as it will clearly present the required information. This will be a brand-new part of midPoint end-user self-service user interface.
The data protection officer will will dispose with full midPoint administration user interface extended with new views intended especially for DPOs. These will show the consent given by individual users. When support for other lawful bases is also implemented, those two screens will be integrated into a single unified view. The information will be presented in a compact and customizable way, so the specific presentation can be tuned to exact requirements allowing efficient execution of DPO duties.
Consent management and GDPR in general will affect not only organizations with Europe, but all around the world. Help us to extend midPoint by giving this project your votes and midPoint will help you back!
If you have any questions about this feature, please do not hesitate to contact us .