Trust as a Service

​In May 2018 the General Data Protection Regulation comes into force and EU citizens will get more control of their personal data. For those of you who have never heard of the General Data Protection Regulation (GDPR for short), it is the biggest change in privacy law and regulations in over 20 years in Europe. The European Commission aims to give EU citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Norway will, as a EEA member, also implement this regulation.

The new rules include provisions on:

  • The right to be forgotten
  • Privacy by Design
  • “Clear and affirmative consent” to the processing of private data by the person concerned
  • The right to transfer your data to another service provider
  • The right to know when your data has been hacked
  • Ensuring that privacy policies are explained in clear and understandable language
  • Increased territorial scope, which means that GDPR also applies to organisations that are not located within the EU, but that offer goods or services to, or monitor behaviour of data subjects in the EU
  • Stronger enforcement and fines up to 4% of a firm’s total worldwide annual turnover, as a deterrent to breaking the new rules.

What does this mean?

Responsibilities will increase when it comes to accountability and demonstrable compliance. The individual’s rights will be strengthened by the new law, which means we must give our users and customers more control over their data to be compliant.

There are four legal grounds Telia Company relies on for data processing activities; legal requirement, performance of a contract, legitimate interests and a individual’s consent. GDPR strengthens the data subjects (a natural person whose personal data is processed) rights, especially when it comes to ensuring individuals understand how their data is being processed, how to give consent and object to such processing. Companies can no longer use long illegible terms and conditions that is a “take it or leave it” deal. Consent must be freely given and we cannot require data and processing of data that is not required for the performance of the service as a prerequisite for using that said service. It is our responsibility as the data controller (the entity that determines the purposes, conditions and means of the processing of personal data) to be able to demonstrate clearly how consent was gained, when and for what purpose at all times.

There is an obvious legal need to be compliant, but privacy is rapidly becoming the defining issue of the digital era, where consumer trust is essential for our success beyond just compliance. “On the customer’s terms” is one of the foundations for the Telia brand promise and we believe that in order to successfully deliver on that, we have to consider GDPR an opportunity — not a burden.

Trust as a Service

At Telia Next in Norway, we are developing a global Consent Management Service that has the goal of providing Trust as a Service (TaaS) between the interactions end users have with digital services provided by us, our partners or external customers of our platform. It is a flexible service that can be used with Telia’s Identity Service or with the partner/customers’ own identity solution. It consists of a set of APIs that allows for:

  • delivering consent in a format that links GDPR notice requirements into a human and machine readable format
  • bringing your own UI or integrate with Telia Identity to get continuously improved and tailored consent interactions through user tested and validated dialogues and privacy dashboards

It is delivered through the Telia developer platform, which purpose is to provide innovation as a service towards external businesses and startups, as well as internal Telia services and products.

Open and standards based

Telia Consent Management is based on open standards like the UMA protocol and consent receipts. UMA (User-Managed Access) is an award-winning OAuth-based protocol designed to give an user a unified control point for authorising who and what can get access to their online personal data, content, and services, no matter where all those things live on the web. The consent receipt specification is focused on the legal requirements for consent notices and enables effective governance. It is a record of a consent provided to an individual at the point when a person agrees to the sharing of personal information. It’s purpose is to capture the privacy policy and its purpose for sharing personal information so it can be easily used by people and services to communicate and manage consent and sharing of personal information, once it is provided.

The Consent Management API is a serverless RESTful API that is designed for scale. A serverless architecture eliminates server stack management and reduces development time. We are using JSON Web Tokens to securely transmit information between the different parties. JWT is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties in a signed and/or encrypted JSON object.


We are working on getting the first version, a minimum viable consent, of the API ready by Christmas. We will continue to iterate on the service after that with new functionality like consent on behalf of other people, for example parents consenting on behalf of their children. Our goal is to deliver a Consent Management Service that enables compliance with the new GDPR consent requirements by early 2017.


Do you consider yourself a Privacy Evangelist? Do you want to work with us to develop user friendly profile and privacy management tools and user experiences? Contact us here!

Like what you read? Give Linn Hege M. Bade a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.