ABSTRACT: GDPR COMPLIANCE
The EU GDPR regulation, which will be enforced on 25 May 2018, revolutionizes the data privacy landscape in Europe. GPDR gives individuals greater control and transparency over their personal data and raises the bar for businesses to achieve lawful processing of personal information. Achieving GDPR compliance will require more than technical solutions, as it will be necessary for business to strategically shift their data focus to recognize individual rights. However, this whitepaper outlines how, using the Trunomi platform, businesses can simply and quickly solve eleven key articles of the incoming regulation, avoid heavy fines and sanctions as well as empowering customers with enhanced, personalized services.
The EU GDPR regulation, which will be enforced from 25 May 2018, revolutionizes the data privacy landscape in Europe. GPDR gives individuals greater control and transparency over their personal data and raises the bar for businesses to achieve lawful processing of personal information. GDPR compliance will require more than technical solutions, as it will be necessary for business to change their mindset and culture to one that recognizes the primacy of an individual’s rights over their data. This whitepaper outlines how, using the Trunomi platform, businesses can simply and quickly solve eleven key articles of the incoming regulation, avoid heavy fines and sanctions as well as empowering customers with enhanced, personalized services.
Trunomi is an indispensable partner in the development of a solution for GDPR compliance because it enables a business to have a dynamic and transparent data relationship with individual customers. It empowers customers to control how their data is processed, allows business systems to have a real-time knowledge of data rights to determine if lawful processing is possible and equips the business’ Data Protection Officer (DPO) with tools to monitor and deliver on a business’s privacy promises and obligations.
Article 24: Responsibility of the controller to demonstrate compliance
GDPR places a higher burden on businesses to demonstrate compliance (relative to previous privacy related Directives). “The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation” (Article 24). Importantly, supervisory authorities are required to consider both the organizational and technological measures that have been implemented (Article 83) when determining the severity of non-compliance fines.
Trunomi is designed to demonstrate compliance with key elements of the GDPR legislation. The audit-ready TruCertTM is a receipt for all consent interactions and data subject request interactions. The TruCertTM can also be used to record, at an individual level, non-consent grounds for processing data such as legitimate interest, ensuring that accidental processing does not occur. TruCertTMs can be accessed via the Ledger/Notary API or directly by the customer through the “Data Rights” widget, which is included in the page.
Each TruCertTM is a digital certificate signed by Trunomi’s private key using an RSA algorithm. This allows an immutable token to be created as a record of the consent and data rights interaction.
Trunomi analytics, available through the Enterprise Portal, can also be used to demonstrate the lawful basis of processing across the business and KPIs in delivering upon data subject requests.
Article 4, 7, 8: Articles relating to consent
Higher standards of consent are required by GDPR. Article 4(11) specifies a consent must be active, represent affirmative action, present genuine choice and be time limited. Separate consents must be obtained for different processing activities or purposes. Forced or omnibus consent mechanisms will not be valid. Data subjects must have the right to revoke their consent at any time (Article 7(3)) and it must be as simple to withdraw consent as it is to give it. In practice, at a minimum, this is likely to require organisations to allow consent to be withdrawn through the same media.
Gathering a separate consent for each purpose, whilst imposing a minimal imposition on the customer and ensuring high opt-in rates is a business-critical task. Success will be critical to a business’s ability to harness data to drive superior customer outcomes and experiences. Trunomi allows businesses to transform “consent” from a static, monolithic setting, towards dynamic, contextual customer interactions. The goal is to seek the right consent from each individual, at the right time and context.
Consent request widgets are integrated using java script tags into web applications. They can be triggered by context or using 1:1 targeting lists which are uploaded through a provisioning process and accessed via the Context API. The actual consent widgets can appear inline or as an overlay (mounted in the page as a DIV or iframe). By using Trunomi widgets, the DPO can ensure the consent notices are standardised across multiple touch points and the interaction will satisfy requirements for “clear” presentation. By the end of 2017, the DPO will also be able to control the notice provided to the customer via the Trunomi Enterprise Portal, ensuring full control and minimising the chance of errors.
When Trunomi certifies a consent that has been requested via a Trunomi widget, it can confirm the exact notice that was presented to the customer within the TruCert consent receipt. Trunomi then transforms the consent into machine readable data rights that can be accessed by business systems and platforms, via the Rights API, to check whether lawful processing is possible. Trunomi also calculates the durational (time limits) elements of a consent and expire the “data rights” at the appropriate time.
Article 6: Lawfulness of Processing
Article 6 establishes that the right to process personal data must be lawful and establishes six categories of lawfulness. “Consent to the processing … for one or more specific purposes” is given primacy, but other lawful bases include:
The enterprise must be explicitly clear of the lawful basis of all personal data processing.
The lawful ability to process data is known as data rights within the Trunomi platform. Beyond explicit consent management, Trunomi also allows other lawful bases for processing to be notarised, at an individual level, and updated as circumstances evolve. This is achieved by populating the MOC (Method of Collection) and Justification fields when invoking the API. For example, when a data subject enters a new service agreement, the business can notarise an array of data processing that will occur to achieve contract performance. Once the service is closed, the array of rights associated with the contract can be withdrawn. Trunomi’s RESTful APIs allow real time access to up-to-date data rights which means business systems and platforms can very easily access the “data rights” to process data.
Article 9: Processing of special categories of personal data
The GDPR has added protection for special, sensitive categories of personal data. Article 9 states “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited…(except where) the data subject has given explicit consent to the processing of those personal data for one of more specified purposes.
Trunomi enables express consent to be used to lawfully capture and process this sensitive data. Also, the consent & associated data types can be labelled as sensitive and thereby excluded from specific processing.
Article 15, 16, 17, 21: Right of Access, Rectification, Erasure, & Object
The enhanced data subject rights give individuals the ability to review the accuracy of the data held by data controllers. A data subject has the right to request access to both the personal data and information on processing, recipients, and data transfers (Article 15).
Should inaccurate personal data about a data subject be held by the data controller, the data subject has the right to supply the correct information and request rectification (Article 16). The inaccurate information should be updated “without undue delay.”
A data subject can also request erasure of his or her personal data via ‘the right to be forgotten’ (Article 17), subject to certain conditions, such as compliance with a legal obligation, public interest for public health, and legal claims.
A data subject has the right to object (Article 21) to processing based legitimate interest grounds or necessary for a public interest task. The controller must then cease processing of the personal data and the burden falls to the controller to prove why it should be able to process the personal data.
Trunomi provides several tools to assist the Data Protection Officer to manage data subject rights and achieve GDPR compliance. In particular, Trunomi aims to assist in the customer, DPO and back-end system messaging associated with such requests. The tools include: specific data subject request widgets for embedding in web apps to provide a customer interface to lodge and review requests. Review and status monitoring within the DPO Enterprise portal and a message event service (launching in August 2017) that can pass data subject requests to backend systems.
All requests and interactions are notarised in the TruCertTM digital certificates so the Business can demonstrate to regulators and customers the interactions that have taken place.
Trunomi also gives businesses the ability to act as the system of record for data location, but it is the Business’s responsibility to embed this data into API calls and act on the detail.
Importantly, Trunomi isn’t a privacy case management software application. If this deep level of functionality is required then additional technical suppliers will be required. Integration costs can be quoted upon request.
There will be four levels to support GDPR compliance: Request, Triage, Action, and Delivered.
Businesses have two options for managing and recording data subject requests. They can create a website / app section that allows the customer to digitally lodge these requests on a universal basis or when referencing an individual data type that is processed by the business. The front-end can either be rendered independently or a series of Trunomi widgets (My Data, Data Subject Requests, My Requests) can be embedded into secure web pages to manage elements of the customer communication. Four types of requests are possible: Access, Erase, Rectify or Object. The Object functionality can also be used to achieve the Right to Restriction of Processing described in Article 18.
During the provisioning process, Businesses can configure whether a request should undergo triage review or automatic processing according to the request type, the reason provided by customer or the data type. The DPO will view all the requests requiring triage within the Trunomi Enterprise Portal. Once further review of the request has taken place (outside of Trunomi platform) then the DPO can change the request status to “reject” or “accept”. “Accept” decision will initiate the “Actioning” phase. During this phase, Customers can see request status e.g. “Reviewing” in the relevant widgets and an explanation of the process.
During the “Actioning” phase, a message shall be passed from the Trunomi Event Service (which launches August 2017) to the Businesses back end system, such as an ESB or message queue, informing it of the customer request that must be actioned. From this point, it is the Business’ responsibility to enforce the request across the myriad platforms containing personal information.
Businesses also have the option to use Trunomi to inform their back-end system of the location of data types affected by the customer request. This can be achieved if the Business has inserted opaque data location information and pointers into API interactions with Trunomi. The DPO will receive visual notification in the Enterprise Portal if delivery of a request is taking too long (against configurable SLAs). The ability to inform the customer of the late delivery of a request can be delivered by widgets and provide an explanation of the delay.
Once the Business has completed the data subject request, the Business’ systems should provide a message to the Trunomi Event System informing it of completion. Manual updates are also possible. The status of the request will subsequently update within the Enterprise Portal and the MyRequests widget.
Access requests must be compiled and delivered to the customer, outside of Trunomi, to minimise personal data disclosures and enhanced risks. But it is possible to notarise the delivery of download links and erasure notices, as well as the actual data download, using the Notary API.
Article 20: Data Portability
The right to data portability (Article 20) allows a data subject to request the personal data they’ve supplied to a controller be shared with another data controller in “a structured, commonly used and machine-readable format”.
Trunomi currently caters for the consent associated with data sharing to be captured in a certificate, but it is the Business’s responsibility to share the consent data with the recipient and deliver the underlying data. Trunomi is investigating the use of User Managed Access (UMA) standard to cater for data sharing requests from arbitrary third parties and is willing to partner with companies to undertake trials in the second half of 2017.
GDPR compliance will often require large changes to business processes, customer interactions and technical platforms. Whilst there could be a temptation to attempt compliance by tinkering with existing platforms, achieving a wholesale improvement to managing customer data rights at an individual level across the business will generally require a new platform. Indeed, businesses operating in the EU are given the mandate by GDPR to ensure their data protection efforts are achieved “with due regards to the state of the art” and as such they should carefully consider whether truly empowering individuals requires the use of a consent and data rights platform like Trunomi.
© 2017 Trunomi Ltd.
All Rights Reserved.
Disclaimer: The law stated in this document is correct as of 26/05/2017 however this does in no way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.