Imagine you are at a shop and you're ready to pay for the goods. The guy behind the counter asks you for your name and address. Why, you ask, do you need my name and address? You see, the guys says, we have this great loyalty club and if you give us your name and address we store it so we can send you special offers. Oh, you respond, thinking about this briefly. Will you use my name and address for anything else, you ask. Nope, the guy says, only to send you offers.
Data Processing
The clerk basically described their data processing for the loyalty club. The conversation highlights some of the basic information requirements in EU data protection law under the GDPR. It's also clear that none of those requirements are unreasonable. Companies must inform people about the data they are processing, the type of processing (e.g., store), and their purpose for the processing. That's common sense, and common courtesy.
When offering services it makes sense that you provide a clear description of your data processing to users so that they understand what you are asking their consent for. It is a very important piece of GDPR compliance.
This is why are announcing a new Data Processing system in beta today.
The service
Data Processing is an API and corresponding user interface to specify groups of data processing activities in a structured manner. The specifications can be used in consent requests to your end-users, as clauses in your Privacy Policy, and as documentation for your internal control system. Our product Trackerdetect can also generate specifications automatically, based on the trackers found. This makes it possible to have a full end-to-end inventory of the data processing activities, always up to date in your Privacy Policy and Consent requests.
Interface
Signatu users will find the new tool in the Data Processing menu. The main tool is Groups where you can specify your groups and their specifications. The Specifications tool gives you an overview of all the data processing specifications you have defined. While Signatu will provide default texts in a range of languages, you can author any number of custom texts for each specification - e.g., for different languages and/or user groups (e.g., children).
Consent
The Signatu consent UI components are updated to support the new format. You can use a DataProcessingConsent component for the specific specifications, and the new DataProcessingGroupConsent for dynamically building a dashboard of a group, as shown in the example below. You can find the UI components at Signatu@Github.
Policy
To build a Privacy Policy in Signatu you need to answer a questionnaire. A simple data processing specification tool is part of the questionnaire. The questionnaire tool will be replaced by Data Processing once we graduate it out of beta status - i.e., you will be able to import specifications made in the Data Processing tool into a policy. We expect this to be in place by Q2/2018.
Technical corner
If your eyes glaze over when talking technology you can safely stop reading here. If you're interested in the technical details, however, here comes some good stuff.
API
You can create, query and update dpgroup and dpspec through the API available at https://api.signatu.com/dataprocessing/v0. Requests are authenticated with standard OAuth bearer tokens, just as in the Consent API. The token must have the dataprocessing scope.
So to list all the groups in your account:
curl https://api.signatu.com/dataprocessing/v0/dpgroups \
-H 'Authorization: Bearer YOUR_TOKEN'
{
"id": "9a0824f4fa2ca9c4",
"name": "Loyalty club",
"createdAt": "2018-03-12T13:40:54.000Z",
"updatedAt": "2018-03-12T13:40:54.000Z",
"specs": [
{
"id": "ccfc165e20d0f723",
"data": "name",
"purpose": "personalize your experience",
"action": "COLLECT",
"sensitive": false,
"consentTarget": true,
"location": "EU",
"duration": null,
"legalBasis": "CONSENT",
"createdAt": "2018-03-12T14:17:49.000Z",
"updatedAt": "2018-03-12T14:40:04.000Z",
"texts": [
{
"language": "en",
"value": "The loyalty club offers you exclusive offers and content. ",
"id": 13893
}
]
}
]
}
Note that we include both the full list of associated dpspec specifications, as well as their text objects.
As a side-note - there is no need to use the x-api-key HTTP header for this API. We'll only require the Authorization bearer token. We will be rolling out the change in the v1 version of the Consent API as well, but for now you still need to use x-api-key for that.
What's next?
We're still in beta, and we want to hear from you.
If you have suggestions for improvements or find bugs, please notify us at support@signatu.com and we'll address them as soon as we can.
If you signed up for the beta list and haven't heard from us yet - don't worry. We're rolling out gradually to make sure we catch bugs and issues before inviting everyone in.