Developer forum

Currently discussing: Plans to implement a Consent module for GDPR compliance.


Consent module - any plans yet?

Kevin Steffer

Are there any plans on how to implement a consent module for the new GDPR?

Replies

 
Adrian Ursu

+1

 
Nicolai Pedersen
This post has been marked as an answer

Hi All

We are working out the details - but yes, there will be a number of features related to this. So far I have these 3 on the agenda.

  • Show a user's data (cookies, visits etc), maybe a couple of new features to the cookie manager
  • Right to be forgotten - delete or anonymize everything for a user/visitor
  • Explicit consent feature - updated version of "Allow email" but in a way that handles any number of consents related to users/visitors.
    • A related table with consents for users/visitors that cannot be imported. Have to click a link to provide the consent and a token and information about the consent will be generated
    • Forms, Users and Checkout are modules that will be able to create consents.

If you have further thoughts, please let me know.

Votes for this answer: 1
 
Adrian Ursu

Hi Nicolai,

Very good to know you are on top of it :)

From what I understand from a couple of discussions with local lawyers, right to be forgotten means deleting everything. Anonymization is not enough.

And I believe there are a few points/options that we need to give to our customers:

Some of the personal data rights under the GDPR (copied from a document):

Right to Data Portability: Your “data subject” (visitor or customer) can receive any personal data he or she has provided to the “controller” (your organization), which that individual can then pass along to another enterprise without “hindrance” from you.

 

Right to Erasure/Right to be Forgotten: The “data subject” can request that you erase any personal data about him/her, “without undue delay.”

 

Right to Object: The visitor/consumer can object to you processing their personal data, unless you can demonstrate good reasons for doing so that override the person’s interests.

 

Right of Access: Individuals have the right to get confirmation from you as to whether or not you’re using their personal data, in which case, they are granted the right to access it.

 

Right to Rectification: A person can ask you to rectify/correct any inaccurate personal data you’re holding about him or her.

 

Right to Object to Profiling (by automated processes): this is akin to tracking, and a consumer has the codified right to object to this activity.

 

Maybe it would be useful to set up a sort of GDPR module similar to the Customer Center. Where you have templates and logic for multiple points and that can be extended in time.

I hope it helps.

If you think it is useful, I can send you relevant links and documents that can provide you with insights into how others are doing it or how lawyers recommend to prepare for GDPR.

Thank you,

Adrian

 
Nicolai Pedersen

Hi Adrian

Thanks, very useful and nothing I have not seen before though. But would always like the links for further input.

When I mean anonymize I mean deleting the user but not the activity (statistics/history) which is ok. So anonymizing an order i.e. would be removing name and address, but not the order itself.

I am also thinking of a module like you suggest, but also some other features. I.e. a consent system that can provide consent in different 'levels' (i.e. low, medium, high). Where low is when you cheat and add a consent programmatically, medium is one where the consent has happened in the context of a user/visitor session (you could cheat by impersonating) and high where an email has to be sent to validate the consent. And basically be able to ask for consent for whatever you feel like - i.e. newsletters, acceptance of cookies, submitting a form and ask for consent to contact the customer etc.

BR Nicolai
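
The "high" level described in this post (an email is sent and the link in it must be clicked, which matches the earlier note that a token is generated for the consent) can be backed by a signed, expiring token. This is an added example, not part of the thread and not Dynamicweb's implementation; `ConsentToken`, `Issue` and `TryValidate` are hypothetical names that use only .NET's `HMACSHA256`, and the ids are assumed never to contain `|`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not Dynamicweb API. Assumes the ids never contain '|'.
public static class ConsentToken
{
    // Token = base64url("activityId|subjectId|expiryUnixSeconds") + "." + base64url(HMAC-SHA256)
    public static string Issue(byte[] key, string activityId, string subjectId, DateTimeOffset expires)
    {
        string payload = activityId + "|" + subjectId + "|" + expires.ToUnixTimeSeconds();
        return B64(Encoding.UTF8.GetBytes(payload)) + "." + B64(Mac(key, payload));
    }
    // True only for an untampered, unexpired token; the caller then records the "high" consent.
    public static bool TryValidate(byte[] key, string token, DateTimeOffset now,
                                   out string activityId, out string subjectId)
    {
        activityId = subjectId = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        string payload; byte[] tag;
        try { payload = Encoding.UTF8.GetString(UnB64(parts[0])); tag = UnB64(parts[1]); }
        catch (FormatException) { return false; }                        // not valid base64url
        if (!FixedTimeEquals(tag, Mac(key, payload))) return false;      // forged or altered
        string[] f = payload.Split('|');                                 // trusted after the MAC check
        if (f.Length != 3 || long.Parse(f[2]) < now.ToUnixTimeSeconds()) return false; // expired
        activityId = f[0]; subjectId = f[1];
        return true;
    }
    static byte[] Mac(byte[] key, string p) { using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(p)); }
    static string B64(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] UnB64(string s) => Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/') + new string('=', (4 - s.Length % 4) % 4));
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;                                  // compare without early exit
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);     // server-side secret
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string token = Issue(key, "Activity1", "visitor-42", now.AddHours(24)); // constructed sample ids
        Console.WriteLine(TryValidate(key, token, now, out _, out _));              // valid link
        Console.WriteLine(TryValidate(key, token + "x", now, out _, out _));        // altered tag
        Console.WriteLine(TryValidate(key, token, now.AddHours(25), out _, out _)); // clicked too late
    }
}
```

Because the activity and subject ids are inside the signed payload, a link issued for one visitor or activity cannot be reused to record consent for another.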

 
Adrian Ursu

Hi guys,

I have another point that I want to include in this discussion.
Breaches. I know that breaches can be of various types and are very hard to prevent and identify.

According to GDPR requirements, we need to be able to prevent and identify breaches as well as report them.

I am thinking maybe it is worth considering an improvement of the Backend authentication that can include some sort of "approved device". Similar to what happens when you log in to your Dropbox account from a different computer. This can trigger a notification to the Master admin of the site (or the Data Protection Officer).

Not sure how this type of verification is done but it can present itself as a differentiator for the CSM industry while also solving a GDPR requirement.

Thank you,
Adrian

 

 
Anders Ebdrup

+1

 
Anders Ebdrup
+1
 
Peter Leleulya

+1 Good to see you're on top of it ...

 
Adrian Ursu

Hi Nicolai,

Any update on the date when we can start playing with the new GDPR modules?

Thanks,

Adrian

 
Nicolai Pedersen

An example of how to collect and check for consents in code. A more high level and easy to use API will be ready in a later 9.4 release streamlining the process.

The code below requires that you have created an activity and have the ID of it.

        public string ConsentExample()
        {
            string currentVisitorId = Dynamicweb.Context.Current.Request.Cookies["Dynamicweb"]?.Values.Get("VisitorID");
            ActivityService activityService = new ActivityService();
            Activity activity = activityService.GetActivityById("Activity1");
            ConsentService consentService = new ConsentService();
            Consent consent = consentService.GetConsentById(activity.Id, currentVisitorId, "Visitor");
            if ((consent.Status == ConsentStatus.Given))
            {
                // Visitor has given consent - track or whatever.
                return "<script>trackingscript();</script>";
            }
            else
            {
                // Visitor has not given consent - display a "Give consent button" or record that the user has given us a consent
                
                if (Dynamicweb.Core.Converter.ToBoolean(Context.Current.Request.GetString("GiveConsentForTracking")))
                {
                    consentService.GiveConsent(activity.Id, currentVisitorId, "Visitor", ConsentRequestInfo.FromRequest(Context.Current.Request));
                    return "Thank you!";
                }
                else
                {
                    return "<a href=\"Default.aspx?ID=123&GiveConsentForTracking=True\">Yes, please track me</a>";
                }

            }
        }
 
Per Søgaard

Questions about GDPR module and Newsletter consent forms:

When will the GDPR module be ready so we can test try it out and see how much work we need to do to set it up and find out what to tell the customers about time/price?

Will the newsletter signup 2 x consent functionality (confirm by clicking link in a mail) be free for all or a part of the GDPR module?
When will this be ready so we can test try it out and see how much work we need to do to set it up and find out what to tell the customers about time/price?

 
Adrian Ursu

Hi Nicolai,

I am also concerned about the modules and my customers are pressing me for details about GDPR compliance and I have very little I can tell.

9.4 seems to have a lot of performance issues (at least current versions) and there is no sign of the GDPR modules apart from a video screencast.

Please give us some visibility on the plans.

Thank you,

Adrian

 
Nicolai Pedersen

The first version of the consent module was released on April 11th in 9.4.9

The plan as communicated on https://www.dynamicweb.com/gdpr

  • We will release 2 modules/apps
    • Consent module for collecting and managing consents. Release in first version. Can collect consents from forms and newsletter signups (Create user) and using email marketing you can sort out users who did not give a specific consent. Next version will contain the ability to collect consents from checkouts and view and withdraw consents from the frontend.
    • Data protection module to support "Right to access, portability and to be forgotten". In progress and due for release within the next 2 weeks.

The module was covered and demoed in this webinar: https://www.dynamicweb.com/resources/downloads/gdpr-website-compliance

Here you can find a short internal demo: https://www.useloom.com/share/6875f73f552c487daf15bc6986a01ac0 and I also attached some screendumps.

Free, Express and standard will only get the modules if the add-ons are purchased. This has been communicated in newsletters. All-in-one full version have the feature included.

BR Nicolai

Capture.PNG Capture1.PNG Capture2.PNG
 
Adrian Ursu

Thank you Nicolai.

Adrian

 
Per Søgaard

So the GDPR "module" is all GDPR related functionality and the Newsletter signup with e-mail verification is a part of the "module" and is not available on small licenses without buying the add-on module?

 

 
Nicolai Pedersen

@Per: Yes - GDPR is 2 modules, "Consent" and "Data protection" collected in one administration called "Data Processing". All the features are only available if you have the add-on on small licenses.

It would not make sense to have the Email marketing consent sorting if you do not have the collect consent feature...

 
