
Open standards will ease GDPR risk, says Kantara

Open standards will help organisations comply with new EU data protection regulations, while ensuring interoperability and a good user experience, according to a global standardisation group

The use of open standards can help organisations comply with requirements of the EU’s General Data Protection Regulation (GDPR), says Colin Wallis, Executive Director of the Kantara Initiative.

“A key requirement of the GDPR is gathering user consent for collecting personal data, which is an example of where an open specification can be used effectively,” he told Computer Weekly.

Currently, one of the most extensive uses of personal data online is by advertising technology companies, which use it to identify which browsers to target with specific ads.

This is the reason the Kantara Initiative – which creates specifications where none exist to meet market needs – chose consent as the basis for one of its specifications.

The Kantara Initiative is a global consortium with private and public sector members dedicated to improving standardisation and best practice relating to digital identity and personal data.

Advertising technology firms typically use cookie matching to select which browsers ads are delivered to: cookies are inspected, and those that match the right profile are selected for targeting.

“But this use of personal data will no longer be allowed by the GDPR,” said Wallis. This has prompted some ad tech firms to lobby Brussels to recognise advertising as a legitimate purpose for gathering data.

Technical solutions

Others, however, have looked to find a technical solution to enable them to comply with the new regulations – but at the same time ensure a “frictionless” user experience.

“These forward-looking ad tech firms are working with Kantara and others in the industry to further develop the group’s consent receipt specification and find practical, workable and frictionless ways of including it in the flow of ad technology,” said Wallis.

A consent receipt is defined as a record of consent used by a data controller as their authority to collect, use and disclose a data subject’s information.

The Kantara Initiative started working on the specification in 2015, in light of the fact the GDPR was under development and consent was known to be a key element of compliance.

“Essentially, we are talking about a file that holds details of consent, such as the purpose of collecting data and how it will be used, that is provided to both the data controller and the data subject,” said Wallis.

“The consent receipt also includes links to existing privacy notices and policies, and relevant information about how that information will be used or disclosed, and can be stored by both parties.”

The consent receipt enables web users to agree to ads from particular brands, which means they will be served ads only from brands they have consented to, while all others will be blocked.

“This is a much better situation than receiving large numbers of inappropriate or unwanted ads, or using an ad blocker where all ads are blocked. It enables a sort of halfway house,” said Wallis.

“Open standards provide a way for ad tech to save itself from itself because it cannot continue in the current form and proprietary standards would not be interoperable – and would therefore not provide a good user experience because everyone would be doing different and separate things,” he said.

The Kantara Initiative believes that starting from an open standard is the most logical approach, because open standards are by nature interoperable.

However, under the GDPR, consent alone is not considered to provide a legitimate basis for collecting and processing personal information, and once again the consent receipt can help, according to Wallis.

“A contract is considered to be a legitimate basis, and so ad tech firms could use the fields in the consent receipt, together with a field that describes the value exchange, to create a smart contract between the data controller and data subject,” he said.

Complying with consent

Unlike guidance on consent, Wallis said, the consent receipt puts a tool in the hands of ad tech firms that enables them to begin the process of complying with consent requirements.

“This is a tool. A piece of code that actually proves that you are gathering consent, that you have a record of consent, and both parties have a copy,” he said.

Wallis said that because the consent receipt is simply a piece of code, it is extremely flexible: ad tech firms or other users can modify the fields for any purpose.
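To make the description above concrete, here is an added example (not code from the article, Kantara or its Consent Receipt Specification) that assembles a receipt from the items Wallis lists: the purpose of collection and how the data will be used, a link to the existing privacy notice, who the data will be disclosed to, and the two parties. It also shows the two points made later in the piece: the fields can be extended (here with a value-exchange field, as Wallis suggests for a contract basis), and both parties can keep a copy and check that their copies have not been altered. All field names, the HMAC integrity tag and the sample data are assumptions of this example; a real deployment would use an asymmetric signature so the data subject can verify the receipt without holding the controller's secret.

```python
"""Minimal consent receipt with an integrity tag.

Added example; field names are assumptions, not the Kantara Consent
Receipt Specification's own schema.
"""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone

# Assumption: a secret held by the controller's consent service. HMAC is
# used only to keep this example in the standard library; in production use
# an asymmetric signature so the subject can verify without this secret.
CONTROLLER_KEY = b"example-controller-key-do-not-use"


def build_consent_receipt(subject_id, controller, purposes, policy_url,
                          disclosures, extra_fields=None,
                          receipt_id=None, timestamp=None):
    """Assemble the receipt: purposes and use of the data, a link to the
    privacy notice, disclosures, and the two parties. ``extra_fields`` lets
    a deployment add its own fields (e.g. a value-exchange clause)."""
    receipt = {
        "receipt_id": receipt_id or str(uuid.uuid4()),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "data_subject": subject_id,
        "data_controller": controller,        # name and contact point
        "purposes": purposes,                 # what is collected and why
        "privacy_policy_url": policy_url,     # link to the existing notice
        "disclosures": disclosures,           # third parties receiving data
    }
    receipt.update(extra_fields or {})
    return receipt


def canonical_bytes(receipt):
    """Serialise deterministically so both copies produce the same tag."""
    return json.dumps(receipt, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_receipt(receipt, key):
    """Return a copy carrying an HMAC-SHA256 tag over every other field."""
    body = {k: v for k, v in receipt.items() if k != "tag"}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_receipt(signed, key):
    """True iff the tag matches the other fields (constant-time compare)."""
    body = {k: v for k, v in signed.items() if k != "tag"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("tag", ""))


def example_receipt():
    """A constructed receipt (not real data) for an ad-targeting purpose."""
    receipt = build_consent_receipt(
        subject_id="subject-123",
        controller={"name": "Example Ads Ltd", "contact": "dpo@example.com"},
        purposes=[{"purpose": "targeted advertising",
                   "data": ["cookie id", "browsing history"],
                   "retention": "13 months"}],
        policy_url="https://example.com/privacy",
        disclosures=["Brand A", "Brand B"],
        # Custom field, as the article suggests for a contract basis:
        extra_fields={"value_exchange": "ads from consented brands only"},
        receipt_id="rcpt-0001",
        timestamp="2017-11-01T12:00:00+00:00",
    )
    return sign_receipt(receipt, CONTROLLER_KEY)


if __name__ == "__main__":
    signed = example_receipt()
    print(json.dumps(signed, indent=2))
    print("controller copy verifies:", verify_receipt(signed, CONTROLLER_KEY))
    # A copy whose disclosure list was widened after the fact fails the check.
    altered = {**signed, "disclosures": ["Brand A", "Brand B", "Brand C"]}
    print("altered copy verifies:", verify_receipt(altered, CONTROLLER_KEY))
```

The point of the canonical serialisation is that the controller's copy and the subject's copy, stored in different systems and possibly with keys in a different order, still produce the same tag; any change to a purpose, disclosure or added field in either copy breaks verification.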

“And the interoperability is important because GDPR has a requirement for portability, so if identity management and access control based on open standards is ubiquitous, data subjects will be able to take their data out of service A and put it into service B, which could include all their consent receipts.

“In this way, ad tech firms will be able to comply with consent requirements, contract requirements, and portability requirements with relative ease, while satisfying the business requirement of providing a positive user experience,” he said.

According to Wallis, the Direct Marketing Association (DMA) is still “sitting on the fence”, but the Internet Advertising Bureau (IAB) is beginning to come around.

“In the past, the IAB has tried to pummel Brussels into submission, but even they are starting to consider the alternative approach of trying to bring consent into the ad tech flow,” he said.

Looking to the future, Wallis said the Kantara Initiative is planning to set up a consent management system workgroup to identify best practice in this area across the industry.

“Ultimately, this enables us to build a conformity assessment that will enable organisations to apply for a Kantara Trustmark, certifying compliance with consent management best practice,” he said.

Wallis is to address this topic in more detail at Consumer Identity World Europe 2017 in Paris from 27 to 29 November, in a session entitled: Open standards for marketers - could they help mitigate GDPR risks?
