Assault, Slavery, Rape, and GDPR violations!
It all comes down to one thing: CONSENT.
It’s important to consent before having sex, else it’s considered rape…
It’s important to consent before a surgery, else it’s considered assault…
It’s important to consent before taking a job, else it’s considered slavery…
And now…it’s important to consent before someone shares or stores the personal data of a person in the EU, else they are violating the GDPR…
What is GDPR? It stands for “General Data Protection Regulation” and it is an EU data protection law, enforceable since May 25th 2018, that protects the personal data of individuals in the EU (regardless of their citizenship, and regardless of where the organisation handling the data sits).
That’s the formal definition of it, which you probably wouldn’t want to read. What it really does is protect all your personal shit on Facebook from being shared, stored, and abused by advertisers and politicians without your approval. Yes, I just smoothly cliché-referenced the Facebook Cambridge Analytica scandal.
However, the bottom line is, it protects us. The concept of “consent” protects us, and without it, we would all be exploited and taken advantage of.
Some basic rules of consent
When adjusting your software applications or systems to collect consent in a GDPR compliant manner, a few basic rules apply.
- Granting consent for one thing doesn’t automatically grant consent for something else.
Consent to kiss does not automatically mean you also consented to do the dirty. Similarly, just because a user consented to let you store their contact info, it does not mean that the user also automatically consented to you sharing that contact info with a third-party application. Each purpose needs its own consent. Certain things, such as information about health, ethnicity, etc. (the ‘special categories’ of personal data), require explicit consent.
- Consent can be withdrawn at any time.
If a user consented to something previously and then changes their mind, it should be just as easy to withdraw their consent as it was to give it.
- Silence is not consent. A ‘clear affirmative action’ should signal the granting of consent.
Inactivity or silence is not considered consent. An action such as ticking a box, or clicking a button is required to confirm consent. A checkbox that is ticked by default is also not considered consent because it did not involve a user action.
- Informed consent.
Before conducting surgery, a surgeon or assisting surgeon would explain the procedure and its possible risks, answer any questions about medical terms that we don’t understand, etc. Similarly, a user should be able to understand and be aware of what they are consenting to. Throwing in a bunch of technical jargon when collecting this consent would therefore defeat the purpose.
You must also keep records of the consent you collect: who consented, to what purpose, when, and what they were told at the time, so that you can demonstrate it later if asked.
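The rules above, as an added example (this is illustration code, not code from the post and not WSO2 Identity Server’s consent API): a small append-only consent ledger in Python that treats each purpose separately, rejects pre-ticked boxes and silence, demands an explicit flag for special-category data, makes withdrawal a single call, and keeps the full record. The purpose names, the `notice_version` field, the `affirmative_action` labels and the in-memory list are all assumptions made up for the example.

```python
"""Consent ledger illustrating the basic GDPR consent rules.

Added example, not WSO2 code. Purposes, field names and the in-memory
store are assumptions made for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Each purpose is separate: consent for one never implies another.
# Special-category purposes (health, ethnicity, ...) need explicit consent.
PURPOSES: Dict[str, Dict[str, bool]] = {                 # constructed purpose catalogue
    "store_contact_info": {"special_category": False},
    "share_contact_with_partner": {"special_category": False},
    "process_health_data": {"special_category": True},
}

# Things that are NOT a clear affirmative action by the user.
NON_ACTIONS = {None, "", "default_checked", "no_action", "silence"}


@dataclass
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool            # True = consent given, False = consent withdrawn
    timestamp: datetime
    notice_version: str      # which privacy notice the subject was shown (informed consent)
    affirmative_action: str  # what the user actually did, e.g. "checkbox_ticked"


class ConsentLedger:
    """Append-only record of consent decisions; the latest event per purpose wins."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, *, affirmative_action: Optional[str],
              notice_version: str, explicit: bool = False, now: Optional[datetime] = None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        # Silence or a pre-ticked box is not consent: caller must name a real user action.
        if affirmative_action in NON_ACTIONS:
            raise ValueError("consent requires a clear affirmative action by the user")
        if PURPOSES[purpose]["special_category"] and not explicit:
            raise ValueError(f"{purpose!r} concerns special-category data; explicit consent required")
        self._events.append(ConsentEvent(subject_id, purpose, True,
                                         now or datetime.now(timezone.utc),
                                         notice_version, affirmative_action))

    def withdraw(self, subject_id: str, purpose: str, *, now: Optional[datetime] = None) -> None:
        # Withdrawal is one call with no extra hoops: as easy as granting.
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self._events.append(ConsentEvent(subject_id, purpose, False,
                                         now or datetime.now(timezone.utc),
                                         "", "withdraw_clicked"))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # No event at all means no consent; otherwise the most recent decision stands.
        state = False
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                state = ev.granted
        return state

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """The demonstrable record for one subject (who, what, when, which notice)."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def demo() -> Dict[str, object]:
    """Walk the rules with a constructed subject 'alice'; returns what was observed."""
    ledger = ConsentLedger()
    out: Dict[str, object] = {}
    ledger.grant("alice", "store_contact_info",
                 affirmative_action="checkbox_ticked", notice_version="notice-v1")
    out["store_ok"] = ledger.has_consent("alice", "store_contact_info")
    # Rule 1: storing contact info does not imply sharing it with a partner.
    out["share_implied"] = ledger.has_consent("alice", "share_contact_with_partner")
    # Rule 3: a pre-ticked box is rejected.
    try:
        ledger.grant("alice", "share_contact_with_partner",
                     affirmative_action="default_checked", notice_version="notice-v1")
        out["preticked_rejected"] = False
    except ValueError:
        out["preticked_rejected"] = True
    # Special category without the explicit flag is rejected.
    try:
        ledger.grant("alice", "process_health_data",
                     affirmative_action="button_clicked", notice_version="notice-v1")
        out["health_needs_explicit"] = False
    except ValueError:
        out["health_needs_explicit"] = True
    ledger.grant("alice", "process_health_data", affirmative_action="button_clicked",
                 notice_version="notice-v1", explicit=True)
    # Rule 2: withdrawal is immediate and just as easy.
    ledger.withdraw("alice", "process_health_data")
    out["health_after_withdrawal"] = ledger.has_consent("alice", "process_health_data")
    out["record_count"] = len(ledger.history("alice"))  # grant, grant, withdrawal
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the ledger never deletes anything: withdrawal is itself a recorded event, so the history still proves that consent existed for the period between the grant and the withdrawal, which is exactly what you will be asked to demonstrate.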
Will this evolve any further?
As it is, complying with the GDPR is tough, and right now this level of data protection only applies to people in the EU (although it binds organisations anywhere in the world that handle their data). However, it is clear that the rest of the world is also now considering similar regulations (special thanks to “the Zuckerman”).
In the future, it could get even tougher and even more strict, similar to how sexual consent laws evolved. A “yes” no longer counts as a “yes” unless it is an enthusiastic “yes”. A “yes” given while intoxicated or impaired doesn’t count as consent. A signature on a document doesn’t count if it has been ‘signed under duress’ or at gunpoint.
As data privacy laws for tech evolve, will we eventually have to consider these aspects as well? How do we even begin to consider the emotional aspects of consent when consent is provided through a device? As it is, we have trouble determining whether the person granting the consent is of the right age to do so when it is so easy to lie about your age while hiding behind a screen.
Comment below and let me know your thoughts!
How do I manage consent and become GDPR compliant?
This part is for the data controllers and software application developers who are trying to achieve GDPR compliance, or trying to ensure that their features work in a GDPR-compliant manner.
Keep in mind, being fined for a GDPR violation can be just as disastrous for your business as being sued for rape, slavery, or assault! The fines are up to €20 million or 4% of the company’s annual worldwide turnover, whichever is greater.
WSO2’s spring release just made all our products GDPR-compliant and includes functionality that allows data controllers to achieve GDPR compliance. WSO2 offers a series of seven webinars, among other resources, that will accelerate your GDPR compliance.
WSO2 Identity Server (which is the product I work with) provides a full consent management solution that can be used to manage consent in identity and access management scenarios and to manage consents that belong to third-party applications. For instance, you can use our consent management REST APIs to manage consent remotely. WSO2 IS also provides other functionality that fulfils your identity management needs while addressing different aspects of the GDPR.