Opt-ins and diversify basis’ for processing data
User consent underpins data protection rights as a lawful basis for processing. The consent-based mechanism is just one lawful basis for processing but the most debated. This is primarily around the slow abolition of opt-out consent as a legitimate mechanism for obtaining consent.
Protecting users sufficiently requires that consent be “affirmative”. This itself is ironing out instances where opt-out protections are seen to be the norm, meaning users are affirmatively sharing their data. This process is becoming more common to ensure compliance with GDPR-style data protection laws. The shift invariably affects user privacy, cementing protections in a more stringent consent-based process.
This privacy protection paradigm puts users at the center. Further, diversifying the basis for processing ensures that obtaining and protecting user data relies upon multiple methodologies, underpinning data usage in legitimacy.
Intersecting internal protections
The internal handling of data should reflect its central importance. Underpinning external practices are internal consistencies in data handling within organizations. Having strong, consistent and detailed privacy practices internally sets a culture which values data and, in turn, data privacy.
Internal norms typically inform other external practices- data handling and safeguarding can assist in establishing respect for data and its value as a norm. Policies and guidelines underpin these approaches in forming a data-sensitive culture.
Data sharing protections
Sharing data always creates a pressure point for misuse and vulnerability unless managed correctly. Despite the GDPR attempting to harmonize data protection standards internationally practical differentiations create gaps in protections.
To best mitigate risk data sharing agreements prescribing standardized data handling and sharing terms should be established. These agreements can harmonize standards, close gaps in protection and set a minimum threshold for compliance thereby promoting user confidence and accessibility.
Elements such as server locations, data encryption, use limitation, packaging of data and data management can be standardized. This not only better safeguards data but sets a best practice standard for each parties handling of data.
Transparency in data use is an underpinning data protection principle. Having consistent, clear and signposted policies allows for users to build their own understanding of how data is safeguarded. Simply users should be informed what data is held, how it is stored, why and how it is used. This allows any consent to data usage to be fully informed and affirmative.
Policies should be worded simply to promote understanding. Even better a user should be able to access, review and amend all data held about them themselves, allowing for autonomy in data sharing that is supported by transparent data management practices.
Privacy protections should anticipate issues and treat regulatory guidelines as floors, not ceilings. With the increasingly complex commoditization of data protections need to develop to ensure that a privacy-centric model of operating is promoted and remains viable.
This involves a cultural framework which values privacy and an implementation-oriented approach to maintaining privacy protections. Harm should be anticipated, assessed and mitigated according to risk.