Consent as a Service

GDPR: Data Subject Consent as a Service (DSCaaS), it’s Coming

In “[X]aaS, The Outsource of Everything” I made fun of the trend to “…as a Service” everything under the sun, and said that eventually we would run out of letters. Well, that happened years ago, so we’re now doubling and tripling up on the letters. Data Subject Consent as a Service (DSCaaS) is my latest attempt in a long line of failures to coin an acronym.

It’s every security professional’s dream.

And yes, Privacy Consent as a Service (PCaaS) would have been better, but that was taken by those damned Personal Computers!

Regardless of what it’s called, I believe the service is not only viable, it’s basically a necessity. 99% of organisations simply do not have the skill-sets, knowledge, or technical capability to handle the collection and management of consent, especially in a fashion that has been vetted by privacy experts and kept up to date with EU-wide precedent.

Not that consent will be an organisation’s first choice for complying with GDPR. Legitimate Interest, contractual language, even binding corporate rules will likely be easier to maintain. But to get any of these to work requires each organisation to hire their own lawyers, and I’m fairly sure a lot of us would rather pay for a technology instead.

One of the first hurdles for any service like this is to explain to organisations that having the data yourselves is not your competitive edge. Making the best use of the data is. The only thing you should really care about is getting what you need out of the data, not what it took to get there, and definitely not where the data is. And let the experts worry about how to do that in line with the GDPR.

It’s like when I ask a room-full of merchants if credit cards are core to their business. 99% of them say yes, when it’s actually being paid that’s core to their business, not how they were paid.

So what does DSCaaS look like?

  1. First, it must clearly be a Cloud-based service with a seamless iFrame-esque integration with your organisation’s webpage. Where you would normally collect the personal information on your webpages, you would simply redirect this collection to a 3rd party provider;
  2. Depending on the type of information collected and the reason for collection, very simple consent notices can be developed. For e-commerce for example, these consent notices can be pretty much boiler-plated into: payment authorisation, product/service updates, customer service, marketing, etc. For HR, these would be in line with the individual employment contract and so on. This consent is now tracked by the DSCaaS provider;
  3. The existing personal data previously collected by the organisation would be normalised/parsed and imported into the service in order to allow for the following:
    1. The removal of the vast majority of personal data from an organisation’s systems (using tokenisation and APIs to link existing systems if required);
    2. tracking and collection of consent, plus renewal of consent where necessary;
    3. automated personal data removal/destruction based on data retention policies;
    4. online portal for data subject to change/erase data, or demand processing cessation;
    5. all data controller and processor contracts in place.
  4. DSCaaS provider would need to be able to demonstrate ‘appropriate security measures’ through compliance with (and/or certification to) well-known standards like ISO 27001, ITIL, COBIT, NIST and so on;
  5. DSCaaS provider would have existing and robust relationships with supervisory bodies (ICO in the UK for example) to standardise reporting of processing (if required).
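
A minimal sketch of the provider-side mechanics in items 3.1 to 3.4 above: tokenisation, per-purpose consent with renewal, retention-based destruction, and subject erasure. This is an added example, not code from the original post; the `ConsentVault` class, its method names, and the in-memory storage are hypothetical, and callers are assumed to pass timezone-aware `datetime` values for `now` and `timedelta` values for the two periods.

```python
import secrets

class ConsentVault:
    """Hypothetical provider-side store; the client organisation holds only tokens."""
    def __init__(self, consent_ttl, retention):
        self.consent_ttl = consent_ttl  # validity of a consent before it needs renewal
        self.retention = retention      # time data is kept after the last consent lapses
        self._data = {}                 # token -> personal data
        self._consent = {}              # (token, purpose) -> expiry time

    def enrol(self, personal_data, purposes, now):
        token = secrets.token_urlsafe(16)  # random: reveals nothing about the subject
        self._data[token] = dict(personal_data)
        for purpose in purposes:
            self.grant(token, purpose, now)
        return token

    def grant(self, token, purpose, now):  # record or renew consent for one purpose
        self._consent[(token, purpose)] = now + self.consent_ttl

    def withdraw(self, token, purpose, now):  # entry is kept so retention can be timed
        if (token, purpose) in self._consent:
            self._consent[(token, purpose)] = min(self._consent[(token, purpose)], now)

    def may_process(self, token, purpose, now):
        expiry = self._consent.get((token, purpose))
        return expiry is not None and now < expiry

    def release(self, token, purpose, fields, now):  # field-level, consent-gated access
        if not self.may_process(token, purpose, now):
            raise PermissionError(f"no valid consent for {purpose!r}")
        return {f: self._data[token][f] for f in fields}

    def erase(self, token):  # subject erasure request; also used by the retention purge
        self._data.pop(token, None)
        for key in [k for k in self._consent if k[0] == token]:
            del self._consent[key]

    def purge(self, now):  # destroy records whose latest consent lapsed > retention ago
        purged = []
        for token in list(self._data):
            expiries = [e for (t, _), e in self._consent.items() if t == token]
            if not expiries or now - max(expiries) > self.retention:
                self.erase(token)
                purged.append(token)
        return purged
```

The client's own systems would store only the returned token and call `release` with a stated purpose each time they need a field, so a withdrawn or lapsed consent blocks access without any change on the client side.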

Clearly this is oversimplified, but if there’s one thing missing in all of these bandwagon ads for GDPR services it’s the spreading of the cost across multiple parties. Especially as it’s very likely that the millions of smaller organisations cannot afford privacy expertise on an individual basis.

The intent of the GDPR is a good one, and organisations have to understand that the data they are making so much money off does not belong to them. While I have no issue with them doing so – as long as I also benefit – I want complete control over what happens to it. The vast majority of organisations in the UK cannot even comply with the existing DPA, let alone one amended in line with the draft Data Protection Bill. For organisations to ‘comply’ with the intent of the GDPR, they will need help, and that help will not come from cybersecurity organisations, ‘certified’ GDPR practitioners, and not even privacy lawyers. It will come from organisations who combine all of these skills into a service where access to data is appropriately controlled.

Gone are the days when you could do whatever you wanted to profit from personal information. It’s what you do WITH the data that matters, and it’s almost always the best ideas that win out. We all need help doing that appropriately.
