Consents are essential part of any data privacy project and is managed using a Data Privacy automation tool. Many regulations stipulate processing of personal data on the legal basis of consent. Before moving on the the technological implementation and knowing how to implement consent management system, let us briefly look at the concept of consent. This will help us associate the regulatory requirement of consent with the technological implementation requirement of the organization
Consent refers to the positive affirmation provided by a data subject, relating to processing of her/his personal data. Through consent, a data subject provides her/his approval to an organization for processing their personal data as outlined by the organization in the privacy notice.
This means that organizations need to provide a mechanism to the data subjects for granting and revoking consents through an existing or dedicated form. Consents can be recorded and processed manually or in an automated manner. However, owning to the sheer volume of consents collected and processed in an organization, the manual approach becomes disorganized and cumbersome. Adding to this, manual approach has the disadvantage of the possibility of human error and improper tracking of consents. Thus it is recommended to adopt a consent management platform.
Another important point to consider while implementing consent management is the types of consents. Consents can be preference consents or cookie consents. While preference consents can still be managed manually if the volume of consents is miniscule, it is extremely difficult to implement preference consents manually if the volume is high. Preference consents are typically consents collected for any processing of personal data apart from cookies. For example, consent collected as part of registration, enrollment to a services, opting for marketing emails, etc. In this blog, we will focus more on the preference consents implementation and management.
Now coming to the role of APIs in consent management, it is imperative that organizations must be using CRM systems and other data bases to record customer data. These CRM systems are typically used to send automated mailers such has marketing mails, product updates, promotional emails, offers etc. As per Data Privacy laws, going forward organizations need to take into consideration whether the recipient of these emails have consented to receiving such emails. Thus, consent collection, modification and revocation becomes important.
Moreover, consent collection points can happen at multiple touch-points with the data subjects and these touch-points may be integrated not only with CRM, but also with other internal systems of the organization. Thus, implementing a consent management system is much more complex than it looks. Reason – if a data subject updates her/his consent, it must get reflected across all the associated systems and not only at the initial consent collection database.
One of the way to tackle this issue is to use APIs to push/pull consent records from the Data Privacy Automation tool (consent tool) to/from the CRM and other related databases. This helps in managing and updating data subject consent as per desired schedule and ensures that the consents recorded are uniform right across all the databases, leading to effective consent management.
Below is a sample representation of how consent management tool can be integrated with a CRM system. Consents can be imported or exported from the tool to CRM systems to ensure that business processes are updated as per user preference.
Now let us take an example of marketing email process. Suppose a company provides user preference choices for marketing emails on their website. Consents can be collected from the website using the consent management tool and the same can be updated in the CRM platform (used to send marketing emails). This ensures that users do not receive unsolicited emails. Now another example of using APIs for consent management can be, suppose emails are sent using a CRM and the email contains ‘Unsubscribe’ link. Now this link is deployed using the CRM platform and in order to maintain a single source of truth, consents from CRM must be updated in the consent management tool. In this case, APIs provided by the consent management tool/CRM tool can help in achieving this.
Now that we know how APIs can help with maintaining a single source of truth for consent management, let us see some of the advantages of this approach:
- Maintain single source of truth for all consents
- Real time update of user preferences
- Efficient operations of consent management across the organization
- Integration with multiple CRMs and Data Systems
- Improved scalability
While APIs might be an effective solution, it comes with its own disadvantages. While adopting this approach, organizations must consider compatibility issues and skill-set requirements to implement consent management system. There are few other disadvantages of adopting API approach which includes regular maintenance requirements, security issues, etc.
While using APIs is a very good approach to achieve a synchronized real time consent management systems, organizations are recommended to weigh the pros and cons of this approach and consider the complexity of the data privacy landscape in the organization.
Credits: Muthukumaran Periyaswamy (LinkedIn: https://www.linkedin.com/in/muthukumaran-periyaswamy-6b671159/)