According to a recent report by Varonis, only 4 out of 10 companies in Europe have made compliance with the GDPR deadline a priority. At this point, this lack of preparation is remarkable.
Consent to process personal data is one of the foundations the GDPR is built upon. For the vast majority of organizations, receiving and documenting Consent will require significant changes to standard operating procedures. These changes will clearly impact those in IT, but the impact on Human Resources, Sales and Marketing personnel may also be dramatic.
How Do You Handle Consent?
To comply with the GDPR you need to understand how your organization handles Consent when using remote access software. Are the reasons for using remote access technologies clearly documented in your employee agreements and service contracts? Do you provide individuals with an opportunity to opt-out of remotely accessing devices where their personal data is stored? Do individuals have the ability to review and remove any personal data created during or after a remote session?
To comply with the GDPR, you need to answer YES to each of those questions.
Remote Access & The GDPR
The link between GDPR mandated consent and remote access software may not be obvious, but consider a few details published in Remote Access and GDPR: A Compliance Odyssey – the first post of this series:
Popular remote control tools VNC and TeamViewer are installed on over a billion devices each. Every version of Microsoft Windows since XP has included remote desktop protocol (RDP). Netop Remote Control, the product I work with, is used in over 80 countries, by half of the largest banks in the world, and by a quarter of the world’s largest retailers.
Your organization is using remote access and remote control software. To understand the implications of Consent, a good place to start is the definition provided by the text of the regulations. Article four of the GDPR defines consent as:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Consent – Core Concepts
The definition has three core concepts:
- freely given
- specific, informed and unambiguous indication
- a statement or by a clear affirmative action
First, the consent must be freely given. For consent to be freely given any imbalance of power between the two parties must be reconciled. One such imbalance is the relationship between an organization and a child. If an organization intends to process the personal data of anyone under the age of 16 they must receive parental consent prior to processing.
An imbalance of power may also exist between employer and employee, or in any circumstance where a contract or service relationship exists. Consent to process personal data is not provided by the mere fact of a contract or service relationship. To be freely given, consent must be provided within the context of the specific activity where personal data processing occurs. Data will be processed in several different ways and providing consent to one method of processing does not apply to all others.
Consider the example of a typical company help desk. Individuals who seek assistance from the help desk are likely covered by an employment contract (if they work for the company) or through a service contract (if they use the company to provide help-desk services).
The contract or service agreement will need to include provisions for the collection and processing of personal data like name, address, etc. If a help desk technician feels a remote access session would be useful in resolving a situation, additional details like email address and IP address may be collected to facilitate a remote screen sharing session. These qualify as a separate instance of personal data processing.
Freely given consent requires that data subjects have the ability to identify these separate operations of data processing even though they occur within the context of a single contract or agreement.
Furthermore, consent is not assumed to be freely given if the individual is not provided a mechanism to revoke consent either prior to or during the processing activity.
Going back to the help desk example, for consent to be freely given, the help desk technician will need to receive consent prior to establishing the remote access. Once the remote session is established, the individual needs to have an option of terminating the remote session and removing their consent.
Informed & Unambiguous
The second characteristic of consent defined by the GDPR is specific, informed and unambiguous indication. These terms reinforce the idea of contextually defined, separate occurrences of processing. Consent must be specific to each occurrence.
For consent to be informed and unambiguous, an organization must provide clear and easily understood information of when, how and what personal data will be processed. Organizations should ensure their written documentation includes the rational for using remote access software – what are the specific aims of remote access? what circumstances justify its use? – These descriptions must be clear, easily understood and accessible to the individuals involved in the processing.
The mandate for informed and unambiguous consent also includes the mechanism to revoke consent. The GDPR requires that revoking consent be as easy as granting consent in the first place.
Clear Affirmative Action
The third concept referenced in the description of consent is by a statement or by a clear affirmative action.
The burden for proving that consent was received is placed on the organization who requested it. Consent can be received by written document, oral conversation, on-screen prompts or other similar methods, but it must be documented to ensure compliance. Affirmative action requires the individual data subject to knowingly take the action – this means consent can’t be the default or automatic setting. An individual must explicitly choose to provide consent.
Documentation of consent should include proof the information is provided in a clear and easy to understand way and that no imbalance of power exists that would impact the data subject’s ability to freely give that consent.
In addition to GDPR requirements, individual member states may have their own regulations related to consent. While these regulations can be burdensome for organizations, they are rooted in customer expectations and demands.
On December 19, 2016, the European Commission’s Directorate General for Communications Network, Content and Technology (DG CONNECT) published the Flash Eurobarometer 443: e-Privacy report. The report provides an assessment of attitudes throughout Europe on a range of topics directly related to the GDPR.
One of the key findings from the survey shows that “almost eight in ten respondents say it is very important personal information on their computer, smartphone or tablet can only be accessed with their permission (78%).”
Another key finding, more than 60% of Europeans believe they should be able to encrypt some of their personal data. You can learn more about the relationship of the GDPR to encryption in Remote Access and GDPR Part 2: Pseudonymization and Encryption.
The citizens of European Union member nations are clearly interested in the privacy of their personal information. If you aren’t working on your GDPR compliance strategy, if you aren’t making changes to address consent, encryption, data minimization and protection, you are risking more than a possible penalty, you risk alienating your customers, your users and your employees.
For a comprehensive guide on aligning your remote access solution with the General Data Protection Regulation, check out our free eBook “The Essential Guide to GDPR Compliant Remote Access.”
Subscribe to receive a notification when the next post in this series is released.