Overview of Consent Management

With Consent Management, you can capture and manage consent as required by GDPR, CCPA, or any other data privacy and protection regulations. You can manage the consent of each person with an active or inactive record that is stored in or outside InfoSphere® MDM.

Starting May 25, 2018, the EU General Data Protection Regulation (GDPR) requires all organizations worldwide to have the consent of each EU citizen whose personal data they want to process. For more information, see http://www.eugdpr.org/eugdpr.org.html.

Similar to GDPR and other privacy regulations, the California Consumer Privacy Act (CCPA) also requires that organizations that process the personal data of any California resident must gather that person's consent. California residents have the right to know what personal data is being collected about them and whether their personal data will be sold or disclosed to a third party. They must also be given the opportunity to refuse the sale of their personal data and access their own personal data. The CCPA comes into effect on January 1, 2020.

Note: In the context of data protection regulations, the person who owns the personal data that is to be processed and thus owns the consent is called an individual. This term is used throughout the consent management documentation.

Consent is strictly related to a processing purpose, which is the purpose that the personal data of an individual is processed for, such as marketing, analysis, or health. Each processing purpose is associated with one or more processing activities, which define how personal data is processed, such as storing, recording, or disseminating data.

There might be individuals who agree to their personal data being processed for all purposes and activities. However, in most cases, individuals want to restrict their consent. Assume, for example, that you have a shop selling computers and you want to use your customers' personal data for marketing purposes. Assume that you have the following customers with special requests:
  • Customer A wants to receive newsletters regarding new business notebooks on his private email address only.
  • Customer B wants to receive a phone call when a new Lenovo IdeaPad or Apple iPad is available but refuses to be contacted via her business phone number.
  • Customer C is not interested in any hardware or software right now but agrees to be asked again six months later.
  • Customer D wants to receive an email when a new Samsung smartphone is available. However, because customer D is only 15 years old, you need the consent of a parent.
  • Customers E and F agree to their addresses being forwarded to specific car dealers.

With Consent Management, you can handle all of these consent requirements. You can consolidate an individual's requirements regarding one processing purpose in one consent item and specify which consent regulations apply, such as the GDPR or CCPA.

In a consent item, you can indicate whether and when consent was given or refused, whose data is to be processed, and who gave, refused, or withdrew consent. You can also specify whether full (that is, unrestricted) consent was given or only partial consent. Partial consent comes with restrictions regarding the personal data, the processing purpose, or both. In the case of partial consent, you have the following possibilities:
  • You can list the personal data that is included in, or excluded from, consent. For example, for customer A, you would specify that the private email address is included in the consent. For customer B, you would specify that the business phone number is excluded from consent.
  • You can add provisions, which detail the items that are covered by a processing purpose. For example, for customer B, you would add a provision for Lenovo IdeaPads and Apple iPads. For customers E and F, you would add a provision that lists the car dealers that are allowed to receive the address.
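
The following added example (not InfoSphere MDM code, and not its schema or services) sketches how full and partial consent with included data, excluded data, and provisions can be evaluated with a default-deny check. The ConsentItem class, the is_permitted function, and the attribute names such as "private_email" are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConsentItem:
    # Hypothetical structure for illustration, not the InfoSphere MDM schema.
    individual: str
    purpose: str                         # processing purpose, e.g. "marketing"
    granted: bool                        # False = refused or withdrawn
    given_by: str                        # who gave, refused, or withdrew consent
    included: frozenset = frozenset()    # partial: only these data attributes
    excluded: frozenset = frozenset()    # partial: never these data attributes
    provisions: frozenset = frozenset()  # partial: only these covered items

    def is_full(self) -> bool:
        """Full consent means granted with no restriction of any kind."""
        return self.granted and not (self.included or self.excluded or self.provisions)


def is_permitted(item: ConsentItem, purpose: str, attribute: str, subject: str) -> bool:
    """Default-deny check of one processing request against one consent item."""
    if not item.granted or item.purpose != purpose:
        return False                      # refused, withdrawn, or wrong purpose
    if attribute in item.excluded:
        return False                      # an exclusion always wins
    if item.included and attribute not in item.included:
        return False                      # inclusion list acts as an allow-list
    if item.provisions and subject not in item.provisions:
        return False                      # provisions narrow the purpose
    return True


# Constructed sample items for customers A, B and C from the text above.
A = ConsentItem("A", "marketing", True, "A",
                included=frozenset({"private_email"}),
                provisions=frozenset({"business notebook"}))
B = ConsentItem("B", "marketing", True, "B",
                excluded=frozenset({"business_phone"}),
                provisions=frozenset({"Lenovo IdeaPad", "Apple iPad"}))
C = ConsentItem("C", "marketing", False, "C")

if __name__ == "__main__":
    print(is_permitted(A, "marketing", "private_email", "business notebook"))
    print(is_permitted(B, "marketing", "business_phone", "Apple iPad"))
    print(is_permitted(C, "marketing", "private_email", "business notebook"))
```
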

To create and manage the consent items, Consent Management provides services. To view the consent items for an individual and to change specific consent settings, you can also use the consent management capabilities of the MDM AE/SE user interface.

By integrating the Consent Management feature with Information Governance Catalog, you can use the business definitions for consent in InfoSphere MDM.

Consent Management data sources

The Consent Management feature can be configured to manage consent data for data subjects whose profile information resides either in InfoSphere MDM or in external sources. You can manage consent for profiles stored in:
  • Physical MDM - Consent items are associated with physical MDM parties managed in InfoSphere MDM. Users can locate physical MDM profiles using an attribute-based search.
  • Virtual MDM - Consent items are associated with virtual MDM records (of any member type) from InfoSphere MDM. In the MDM AE/SE user interface, consent items are also displayed for entities that contain the associated record. Users can locate virtual MDM profiles using an attribute-based search or look them up using a record ID.
  • External sources - Consent items are associated with external identifiers. Since InfoSphere MDM does not have access to profile information stored in external systems, the consent management areas of the MDM AE/SE user interface can only show the consent items for an external profile.

Depending on your organization's needs and licenses, you can configure the MDM AE/SE user interface to use one, two, or all three of the above data source types.

Note: If you have a license for InfoSphere MDM Standard Edition, then you are entitled to associate consent items with profiles stored in:
  • virtual MDM
  • external systems
If you have a license for InfoSphere MDM Advanced Edition, then you are entitled to associate consent items with profiles stored in:
  • physical MDM
  • virtual MDM
  • external systems