Consent Receipts: The future of Personal Data Sharing? MyData 2016 Conference Day 1, August 31st, Helsinki Session: Making Trust Ecosystems Happen

Michele Nati Lead Technologist Personal Data and Trust Digital Catapult, London @michelenati

What is a Consent Receipt?

h"ps://github.com/KantaraIni5a5ve/CISWG/blob/master/MVCR@Spec/MVCR@v0.8/MVCRCv0.7.9.mdC

Recommenda5onCforCstandard,CKantaraCIni5a5ve,CCISWGC

What a Consent Receipt could be useful for?

TaCsC ConsentCNo5ceC ConsentCReceiptC

AgreeCandCForgetC

LieC&CAgreeC

(Pre@service)CConsentCshouldCbe:C@  FreelyCgivenC@  Informed,CunambiguousCandC

specificC@  NoCmoreClegi5mateCinterestC

(In@service)CConsent:C@  Dynamic,CchangeCandC

removeC@  TransparentC@  AuditableC@  BreachesCno5fica5onC

StandardizedCprocessCandCdataC(ConsentCReceipt)C

Consent Receipt Ecosystem

Process to issue a Consent Receipt

AssessmentC

• AssessCprivacyCpoliciesCofCanCorganiza5onC•  ExtractCfixedCpartCofCconsentCreceiptC

Customiza5onC

• CustomizeCconsentCreceiptCgeneratorCforCaCgivenCorganiza5onCandCpolicyC

IssuingC

• CollectCmissing/transac5onalCdataCspecificCtoCtheCcurrentCindividual/organiza5onCtransac5onC(atC5meCofCsigningCforCaCservice)C

• GenerateCaCpersonalizedCreceiptC–CaddCuniqueC“pseudonymous”CIDC•  SendCaCcopyCofCreceipt,CasCplainCtext,ChumanCreadable/informa5veCC(alsoCmachineCreadable)C

Where did we start?

WorkCinCcollabora5onCwithCPhDCCandidate,CTa5anaCStyliari,CUniversityCofCNoanghamC

Our first result

Initial findings

Consent Receipt design & content: ● Icons ●Text to accompany icons ● Colors (related to security level) ● Quick to scan read ●Bulletpoints ● Who, what, why, where, with whom ● Link with more info for each section ● Easy access (mobile) ● Forget me option ●Team/person details to contact for info/complain General Feeling: •  Necessity of the consent receipt: People recognise the need

to have more control over the data they share. •  Identification of a wider societal impact: collect consent

receipts to distinguish your data sharing patterns.

Our implementation

Consent Receipt mockup

What we have learned?

(after involving lawyers !) According to DPA, consent is not required for: a)  the “legitimate interests” of the data controller so long as they do

not override the fundamental rights of the data subject; b)  data that it is necessary to collect or process the data to fulfill a

contract the data subject asked to enter

This might limit the impact of Consent Receipt and confuse end users Solution: we will issue a Personal Data Receipt (GDPR has an “Information Notice” requirement), including all the collected personal data

(PD) Receipt trial aims

•  Educate consumers (visitors) about information receipts

•  Understand the value of information receipts for consumers

•  Increase transparency •  Promote good practices and adoption

of information receipts across a various range of stakeholders

How to make this scalable?

This requires: -  3rd party to provide service assessment

(similar to Privacy Seal assignation) -  Standardized Privacy Policies to make it

scalable -  A standardized (Consent) Information

Notice to guarantee interoperability -  Maintain easiness of understanding

from end-users -  We will combine with BSI PAS 4891

Initiative

BSI PAS 4891

•  Recommendation on how organizations communicate how they use customers personal data online

•  Define the categories of information

•  Provide an initial icons mockup •  Can be used in layered privacy policies

(and information notice)

Why Digital Catapult is doing this?

Here to help grow the UK’s digital economy

Office of National Statistics shows only 7% of UK national output comes from the digital sector significantly behind the global leader South Korea at 11%.

DIGITAL CATAPULTS

Here to accelerate economic growth and productivity for the UK

1

A not-for-profit, private limited company 2

Completely neutral

3

HOW DO WE DO THIS?

1.Through adding technological, business expertise and academia

o  Help SMEs to scale faster

o  Help businesses with digital transformation

2.Tackle large scale digital challenges that are too complex,

financially risky or take too long

3.Use Research & Development to open up new markets and

commercial opportunities

FIVE CENTRES ACROSS THE UK

We work across the UK with •  Digital communities •  Innovation clusters •  Businesses (all sizes) •  Public sector •  Research •  Government •  Universities and academics •  Not-for-profit organisations

WE WORK ACROSS A RANGE OF TECHNOLOGY LAYERS

Next generation Internet:

Internet of Things, distributed ledger technologies, decentralised web, 5G and low powered wide area networks

Data-driven: trust, privacy, identity and security

Intelligent: machine learning and artificial intelligence

Personal Data and Trust Network

PDTNC

SMEsC

CorporatesCUniversi5esC

600+ Innovators in Personal Data and TrustC

We help others work together.

Want to contribute?

Get engaged with us and

help to replicate!!

THANK YOU!

#DigiCatapult

info@digicatapult.org.uk

0300 1233 101

Digital Catapult

digicatapult.org.uk

/DigitalCatapult

@DigitalCatapult