Giving consent to your personal data, but how will it be used?
- Posted on February 6, 2018
- Estimated reading time 3 minutes
My name is Petri Aalto, I'm married, a father of two children and I live in Finland. I can honestly say that I don’t know all the web sites where I have registered in the past and shared my personal information. I also don't know how the websites are using my personal data. And this is why the upcoming EU General Data Protection Regulation (GDPR) is important for consumers.
The EU GDPR, which comes into effect on May 25, 2018, requires organizations to collect and process personal data only in a lawful, fair and transparent manner relating to the data subject. But how do I, as a consumer – and data subject - know where and for what purpose I actually gave my personal data? This is especially true when a web page will not continue unless the user ticks a check box after 20 rows or more of legal text. Giving consent by ticking a check box is a fast and simple task that makes it easy to understand what I have agreed upon.
Honestly, while I do not read the 20 rows of legal text since I’m not a legal attorney, I answer YES to be able to continue on the web page. For example, while I recently scheduled a haircut through a website, I allowed my barber’s online store to use my personal data, which includes their subsidiary that sells alcohol and cigars. They can now send me emails and offer selected cigars and cognac based on analytics and customer segmentation. The analytics identified me as a middle-class man, paid with credit cards, who purchases haircuts and shaving services. When compared to others with similar behavior, website analytics target me as someone who may want to buy cognac and cigars. But did I give my consent to this? No way, I just wanted to schedule a haircut and shave using their online web services.
Legally, I gave my consent freely by checking the box YES but did I read the 20 rows? NO. And this is the problem in many cases. There are excellent online stores but all the terms and conditions where I give my consent are hidden in a mass of text that – as we all know – most people do not read. Or even worse, I cannot accept, or withdraw, my consent on a call to my bank, where I need to give my personal information to the service agent to identify me.
So I have some tips for developers when designing new online applications that store personal information. You must do the following 3 things:
1. Perform what's called a Data Protection Impact Assessment (DPIA) to ensure you are considering all types of personal data that the app may capture. This includes name, email address, geography and other forms of data such as credit card information, birthdate, etc.
2. Start the security review from the design phase and build security controls and monitoring into the service. Tap concept and UX designers to design the online store and implement a best-in-class user experience for your customers.
3. And, finally, spend a good amount of time thinking about how consumers will understand where they, as a customer, gave their consent to their personal data and provide them with information on how it will be used. Hopefully, in less than 20 rows of text and language that the data subject can understand.