Developer forum

Currently discussing: Plans to implement a Consent module for GDPR compliance.

Join the discussion!

Forum » Feature requests » Consent module - any plans yet?

Consent module - any plans yet?

Kevin Steffer
Kevin Steffer
Reply

Are there any plans on how to implement a consent module for the new GDPR?

Replies

 
Adrian Ursu
Adrian Ursu
Reply

+1

 
Nicolai Pedersen
Nicolai Pedersen
Reply

Hi All

We are working out the details - but yes, there will be a number of features related to this. So far I have these 3 on the agenda.

  • Show a users data (cookies, visits etc), maybe a couple of new features to the cookie manager
  • Right to be forgotten - delete or anonymize everything for a user/visitor
  • Explicit consent feature - updated version of "Allow email" but in a way that handles any number of consents related to users/visitors.
    • A related table with consents for users/visitors that cannot be imported. Have to click a link to provide the consent and a token and information about the consent will be generated
    • Forms, Users and Checkout are modules that will be able to create consents.

If you have furhter thoughts, please let me know.

 
Adrian Ursu
Adrian Ursu
Reply

Hi Nicolai,

Very good to know you are on top of it :)

From what I understand from a couple of discussions with local lawyers, right to be forgotten means deleting everything. Anonimization is not enough.

And I believe there are a few points/options that we need to give to our customers:

Some of the personal data rights under the GDPR (copied from a document):

Right to Data Portability: Your “data subject” (visitor or customer) can receive any personal data he or she has provided to the “controller” (your organization), which that individual can then pass along to another enterprise without “hindrance” from you.

 

Right to Erasure/Right to be Forgotten: The “data subject” can request that you erase any personal data about him/her, “without undue delay.”

 

Right to Object: The visitor/consumer can object to you processing their personal data, unless you can demonstrate good reasons for doing so that override the person’s interests.

 

Right of Access: Individuals have the right to get confirmation from you as to whether or not you’re using their personal data, in which case, they are granted the right to access it.

 

Right to Rectification: A person can ask you to rectify/correct any inaccurate personal data you’re holding about him or her.

 

Right to Object to Profiling (by automated processes)- this is akin to tracking, and a consumer has the codified right to object to this activity. 

 

Maybe it would be useful to set up a sort of GDPR module similar with the Customer Center. Where you have templates and logic for multiple points and that can be extended in time.

I hope it helps.

If you think it is useful, I can send you relevant links and documents that can provide you with insights into how others are doing it or how lawyers recommend to prepare for GDPR.

Thank you,

Adrian

 
Nicolai Pedersen
Nicolai Pedersen
Reply

Hi Adrian

Thanks, very useful and nothing I have not seen before though. But would always like the links for further input.

When I mean anonymize I mean deleting the user but not the activity (statistics/history) which is ok. So anonymizing an order i.e. would be removing name and address, but not the order it self.

I am also thinking module like you suggest, but also some other features. I.e. a consent system that can provide consent in different 'levels' (i.e. low, medium, high). Where low is when you cheat and add a consent programatically, medium is one where the constent has happened in the context of a user/visitor session (you could cheat by impersonating) and high where an email has to be sent to validate the consent. And basically be able to ask for consent for whatever you feel like - i.e. newsletters, acceptance of cookies, submitting a form and ask for consent to contact the customer etc.

BR Nicolai

 
Adrian Ursu
Adrian Ursu
Reply

Hi guys,

I have another point that I want to include in this discussion.
Breaches. I know that breaches can be of a various type and are very hard to prevent and identify.

According to GDPR requirements, we need to be able to prevent and identofy breacjhes as well as report them.

I am thinking maybe it worths considering an improvement of the Backend authentication that can include some sort of "approved device". Similar with what happens when you log-in in your dropbox account from a different computer. Ths can trigger a notification to the Master admin of the site (or the Data Protection Officer).

Not sure how this type of verification is done but it can present itself as a differentiator for the CSM industry while also solving a GDPR requirement.

Thank you,
Adrian

 

 
Anders Ebdrup
Anders Ebdrup
Reply

+1

 
Anders Ebdrup
Anders Ebdrup
Reply
+1

 

You must be logged in to post in the forum