‘Consent Proof’ is an automated, AWS-based service that lets companies prove that customer consent was obtained before sharing customers’ personal details with third parties. Customer data is uploaded to a trusted safe haven created specifically for procuring consent, so that data does not move outside the company’s control. Customers are solicited from within the Safe Haven, and consent to the sharing of their data is proved using Codel, which uses cryptographic hashes to create a digitally notarised audit trail that can be demonstrated to the regulator. For a demonstration of how Consent Proof works, see the video GDPR Demo.
Why is it necessary?
Under the provisions of the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, banks, insurance and pension companies, and in fact any company that holds personal data, need to prove (within certain bounds) that they have the subject’s consent to hold and/or share their data with 3rd parties. There are significant fines for not doing so – up to £20m or 4% of turnover, whichever is greater. Unless there is a legitimate reason for processing personal data without consent, the regulation also requires processors to:
1. Tell clients what personal data they hold and what they are doing with it, notifying them of their privacy rights as part of the consent process
2. Give clients the right to refuse consent
3. Give them the right to time-limit and/or erase their data
4. Minimise the collection of personal data (collect only what you need)
5. Give clients the right to port and update or correct their data
Financial services in particular often have to share information with 3rd parties – for example whenever there is a loan or mortgage, or whenever there is a credit or data request. Every instance of consent to the sharing of these data may need to be demonstrated to the regulator.
How is Consent Proof Used?
Consent Proof is very easy to use. It is a web-based service which provides administrators with user names and passwords. It provides a method to upload client lists and automatically extracts the data used to mail those clients from within the Safe Haven. There is no need to integrate it into back office systems or behind firewalls. All audit trails are kept within the environment itself, with a dashboard that can be exposed to the regulator for simple proof of consent.