Taking a further look on transparency and consent
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
Given the state of current technological increase and the clear indication of how companies will depend heavily on the use of more data in the pursuit of growth, I think it is imperative for companies to increase their transparency levels and consent management. I have written in this space on a peripheral level of how these two important pillars within the privacy framework can make or mar a company’s reputation and expose them to regulatory fines. In this week’s piece, I intend to get into some granular details on how companies can solidify their transparency and consent methodologies.
Let’s start with an example. Zeezus is a CRM (Customer Relationship Management) company and sells their platform to clients via a subscription-based model. Their marketing manager has been approached by clients about an increased need for them to be able to monitor their sales team specially to cover their daily activities. The marketing manager of Zeezus considers the idea, shares it with his team and he gets a greenlight to go ahead with the additional feature on the platform.
The marketing manager kicks off the project, works with developers on a tight deadline and some weeks later they now have a fantastic product that is ready for launching. They get sign-off from various departments of the company, including their privacy team. However, the privacy team focuses only on the security and leaves out the transparency part of things – they fail to include in their privacy notice about this new feature and only focus on reaching out to their clients. What’s worse, some of their merchants began to use the feature without informing their employees.
So, it happens that one employee comes to work, makes a few phone calls and begins to chat with another colleague about football and other non-company topics. The client finds out about this and terminates the sales rep’s job on that basis. To the chagrin of this client, they begin to get letters from the data protection supervisory authority about excessive intrusion of privacy and a need for an audit of the company was raised. The client’s claim was he bought it from Zeezus Limited and used the service. Upon asking whether they informed the employees about this new development and what the data protection supervisory authority considered to be espionage/surveillance, the client answer was a blatant no. Unfortunately, for that company, they were fined for excessive intrusion, lack of transparency in business processes and a lack of organisational measures.
There is no other way to put it. Transparency is one of the most critical pillars in data privacy. Once a business process changes that might expose individuals from a privacy perspective, data controllers and data processors must factor in the notification piece and how they must notify data subjects or clients to avoid any mishap in the new process.
Added to the transparency methodology, companies must now pay attention to the consent management process tied to the new process and whether they would need an opt-in/opt-out function in the whole process and this must be tied to the technical processes in handling such requests.
- business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com