When the EU Basic Data Protection Regulation (DSGVO/GDPR) comes into force on 25 May this year, you as a company will need "explicit consent" to legitimise specific forms of data processing. The current fuss about DSGVO/GDPR is great and the legal departments and data protection officers are getting smoking heads, the two essential issues must be clarified without a doubt: What is explicit consent and where does it have to be obtained explicitly?
Explicit consent can be considered in the same way as the standard requirements of the basic data protection regulation (DSGVO) for obtaining consent. Nevertheless, the enchanting difference is that the express consent of this kind must be obtained by the final consumer, leaving no room for misinterpretation. In plain language, the final consumer must be given a clear statement of choices, in writing or by voice, which accurately refers to the element of data processing that requires explicit consent. The statement of factual analysis should disclose all detailed knowledge and consequences of the information to be transferred and the associated transfer risks.
In addition, the conditions for express consent must comply with the definition in the DSGVO. This means that consent must be obtained explicitly. The clear consent of the party ticking a box is mandatory, a pre-checked box is illegal. The basic data protection regulation (DSGVO) provides for additional changes, such as dealers, medium-sized companies, groups and also associations must obtain their consent.
- Ensure that consent forms are kept separate from other terms.
- Consent should not be a prerequisite for registration for an event or service, unless it is necessary in that case.
- A precise and detailed explanation of the separate opportunities for consent for different categories of processing
- Indicate exactly which companies or third parties are dependent on the consent, e.g. accurately defined categories of third party manufacturers are not accepted by the DSGVO.
- Keep records of what the person has consented to, what has been mediated and when and how the consent was given (time stamp).
- Make it clear to people that they have the right to revoke their consent constantly and in any case ensure that the process of revocation is as smooth as that of consent
- Check that there is no imbalance in the relationship between the person and your company name.
The basic data protection regulation (DSGVO) is on your doorstep. On 25 May 2018, the time has come. Since the new-fangled regulation sometimes provides for drastic sanctions, it is absolutely necessary that you make your company name and your data warehouse fit for modern law. For example, the law firm Dr. Bahr offers you a checkup with 12 questions, with which you can get all recommendations and tips and tricks as PDF for free download.
Everything could be done without personal data. There is a lot to do in your company and your operated data warehouse. The personal data that you manage in your data warehouse or process in a business intelligence solution must be made anonymous. By means of anonymisation, these are finally no longer subject to the law of the DSGVO, where testing and proof are no longer required!
Currently, the DSGVO is causing a pronounced stir within the solutions for Business Intelligence, which are used as a data processing platform in companies. All data collections and BI processes are put to the test and must undergo necessary anonymisation (optimisation) in order to get out of the scope of the DSGVO regulation.
Data anonymisation in your data warehouse is a method of preserving data protection, while retaining the original nature of your data to a large extent. In the European Union this is a legal requirement for companies. A basic requirement for data anonymisation is the omission of sensitive personal information from documents (contracts), annual reports, customer analyses or business system data records.
The first elementary requirement is likely to be to delete all information that can easily lead to the identification of principals, such as employees in a banking environment or large, widely used company names. This allows BI solutions to maintain their integrity and must replace sensitive data with fictitious substitute data. Sensitive data from real customers and entities are replaced by fictitious data. A direct approach would be to replace first names with fictitious first names and surnames with fictitious surnames. In multi-layered heterogeneous systems, the environment consists of several operational systems, online database services, data warehouse and other systems that cover extensive business processes and make it difficult to make personal data anonymous.
It is advisable to fall back on specialists who have experience with the new data protection guidelines and know-how in the area of data warehouse / business intelligence. To be correctly positioned on 25 May 2018 and not to get to know the inconveniences of the DSGVO at all is admittedly sensible, as this can be extremely cost-intensive and unpleasant.
Numerous operators of web pages also have such a queasy feeling and are afraid of being warned against the law firms. The gym around their corner, the children's and organic food store in the city centre or their familiar online shop for household goods are also affected. What do you need to consider when you use your website for professional purposes? The following measures must be observed urgently:
- A data protection consent is only credible from the age of 16, it is intended to make it more difficult for younger teenagers to register within social services/platforms such as Facebook or Instagram.
- The use of Google Analytics, Google AdWords or within Marketing Automation such as Marketo or Mautic must be explicitly pointed out to the collection of personal data in the privacy notice
- When placing social media icons on your website (e.g. Facebook, Twitter, XING, LinkedIn or predefined LikeButtons) it must be ensured that no information of the visitor is collected without his or her consent and it must be expressly pointed out in the data protection declaration including the possibility of revocation
Tip 2: If you update your current data protection declaration, carry out some improvements in content and observe the further development of the EU basic data protection regulation (DSGVO/GPDR), then you are in an acceptable position in the first step.
Tim Erben, Head of Marketing, has been working for CoPlanner Software und Consulting GmbH since 2019. Prior to that, he was Head of Digital Marketing at pmOne AG for over 9 years and worked for various companies in the fields of Business Intelligence, Performance Management and Enterprise Content Management. Tim Erben focuses on topics such as corporate / online marketing strategies, modern marketing: content, automation and analytics to drive growth.