Kantara Initiative Assists With EU Privacy and GDPR Issues
4.4.2017 securityweek Privacy
The US-based Kantara Initiative announced today that it has joined the European Trust Foundation to help its non-EU government and corporate members engage with Europe on pan-jurisdiction federated digital identity, trust and privacy initiatives.
The advent of the General Data Protection Regulation (GDPR) turns Kantara's development of good business practices into legal requirements for any enterprise that has a single customer within the European Union. The new alliance will make it easier for US business to engage with the European Commission over such issues.
There are still fundamental misconceptions in the common understanding of the GDPR: firstly, that it only involves European companies; and secondly, that it solely concerns the protection of personal data from being hacked. Neither is true. Any company anywhere in the world that trades with Europe is affected; and data protection now involves far more than the protection of data. The GDPR shifts the emphasis from securing the company to actively protecting the customer: secure customer relations are now a focus.
The issue is demonstrated by GDPR's 'consent' requirements. For a business to process personal data, it must now obtain consent, defined in article 4(11) as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
The detail, requiring explicit informed consent (tick boxes and obscure T&Cs are no longer sufficient), will require changes to business practices. But consent can also be withdrawn -- and that will require changes to business processes. Commercial enterprises will need to manage consent as effectively as they manage identity; and indeed, the two become woven together.
This is where Kantara comes in. Its Consent Receipt Specification defines a record of consent that is provided to the individual at the time the consent is given. The purpose is effectively to verify a consent contract, but it also provides a mechanism for the withdrawal of that consent. Coupled with a second evolving Kantara specification, User Managed Access (UMA) -- which enables the user to control how his or her data is shared -- these new initiatives could help provide a solution to the GDPR consent requirements.
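As an added illustration, not Kantara's own code or its actual receipt format, the following Python sketch models the lifecycle described above: a signed receipt issued to the data subject at the moment of consent, verification of that record, and a withdrawal that immediately stops further processing. The field names, the HMAC signing key and the in-memory store are assumptions made for the example.

```python
import hmac, hashlib, json, secrets
from datetime import datetime, timezone

# Constructed demo key; a real controller would keep this in a KMS or HSM.
SIGNING_KEY = b"demo-controller-key-not-for-production"

class ConsentStore:
    """Issues consent receipts, verifies them, and honours withdrawal."""

    def __init__(self):
        self._records = {}  # receipt_id -> {"receipt": dict, "withdrawn": bool}

    def issue_receipt(self, subject_id, controller, purposes, collection_method):
        """Build the receipt the data subject receives at consent time."""
        receipt = {
            "receipt_id": secrets.token_hex(8),
            "issued_at": datetime.now(timezone.utc).isoformat(),
            "subject_id": subject_id,
            "controller": controller,
            "purposes": sorted(purposes),            # the specific purposes agreed to
            "collection_method": collection_method,  # the "clear affirmative action"
        }
        receipt["signature"] = self._sign(receipt)
        self._records[receipt["receipt_id"]] = {"receipt": receipt, "withdrawn": False}
        return receipt

    def _sign(self, receipt):
        # Canonical JSON over every field except the signature itself.
        body = {k: v for k, v in receipt.items() if k != "signature"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()

    def verify_receipt(self, receipt):
        """True only if the receipt is unmodified since issuance."""
        return hmac.compare_digest(self._sign(receipt), receipt.get("signature", ""))

    def withdraw(self, receipt):
        """Record withdrawal; a real system would also authenticate the subject."""
        if not self.verify_receipt(receipt):
            return False
        rec = self._records.get(receipt["receipt_id"])
        if rec is None:
            return False
        rec["withdrawn"] = True
        return True

    def may_process(self, receipt, purpose):
        """Processing is allowed only for a valid, un-withdrawn receipt covering the purpose."""
        if not self.verify_receipt(receipt):
            return False
        rec = self._records.get(receipt["receipt_id"])
        if rec is None or rec["withdrawn"]:
            return False
        return purpose in rec["receipt"]["purposes"]
```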
Kantara's new relationship with the European Trust Foundation, which has a history of working closely with the European Commission, will help US consent mechanisms be accepted as adequate for the GDPR. But it is not just a one-way matter of compliance. Consent doesn't simply provide part of the legal basis for the transfer of personal data out of the EU; it is also part of the legal basis for making automated decisions relating to that personal information.
Consent receipts and user-managed access are not simply a GDPR solution; they are good practices for the modern world. User trust in vendors' use of PII is low. If that can be improved so that secure customer relations can replace old-style hidden and obfuscated personal data collection, then new avenues for business will emerge.
But whatever solutions to GDPR requirements are chosen by US (or any non-EU) business, they will need to be accepted as adequate by the European Union -- and this is the aim of the new relationship between Kantara and the European Trust Foundation. "The European Trust Foundation aims to provide a valuable service to Kantara members located outside of Europe by helping to streamline the engagement process with the EU," said Colin Wallis, executive director, Kantara Initiative. "The foundation and organizations like Kantara act as a 'staging area' to help expedite the process of gathering information and presenting a common voice for non-EU countries to approach and engage with the EU on GDPR."