An Introduction to GDPR Compliance in an Azure environment
GDPR is short for General Data Protection Regulation. It is a European Union law created to protect personal data from being collected and used without the user's consent.
In this article, we will describe the steps required to be GDPR compliant when collecting, storing, and using user data. Also, as GDPR compliance is a whole new world with its own semantics, close attention will be given to the terminology that we usually find when talking about consent management.
To finalize the article, we will also give a brief description of how to collect users' consent to access Microsoft services, such as calendars and messages from Exchange in Microsoft 365, using the Azure AD Consent Framework.
There are different types of GDPR compliance, but the focus of this blog post will be on General Consent Compliance. Below is an overview of the three types of GDPR compliance:
Cookie Consent Compliance
This compliance type is about obtaining users’ consent before using any cookies, except strictly necessary cookies. The data and the purpose that each cookie tracks must be detailed in an accurate and specific way before consent is given. Also, if consent is not given, this should not block users from using your service.
Users’ consent must also be documented and stored. Withdrawing the consent must be as easy as giving it.
App Consent Compliance
Mobile applications should also collect users' consent before collecting and sharing their data. This consent may be given once when the mobile application is used for the first time, or it can be given before a functionality that collects user data is used.
For example, the user may be required to give consent to the mobile application to track their location when the application is used for the first time, or the user may be required to give consent to the application to access their location every time the tracking functionality is used. Consent must be given either way, whether once or every time it is required.
Any consent request must be clear on how and why this information is going to be collected. Users must be allowed to easily remove the given consent as well.
General Consent Compliance
The general consent compliance process involves obtaining consent from users before storing their data, with a clear description of the purposes for which the data subject's data will be used by the data processor. Consent can be obtained through a single or double opt-in, depending on the requirements.
Also, the general consent compliance framework demands that users can easily withdraw or update their preferences, including the ability to withdraw the consent completely or to remove it for one or multiple purposes.
To fully understand the GDPR requirements, it is vital to understand the terminology and its meaning. Below, GDPR's main terms and processes are described.
A data subject is any person formally residing in the EU who has their data collected, held, or processed by a data controller or data processor. When we consent to our information being stored, held, or processed by a data controller or data processor, we are the data subjects.
A data controller refers to the entity responsible for determining the purpose and lawful basis for processing personal data.
In short, data controllers are the ones who decide why and how data subjects' data is collected and used.
The data processor is the entity or individual that collaborates with the data controller and is responsible for processing personal data on behalf of the data controller.
Processing involves any automated or manual operation performed on personal data or subsets of personal data, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, and so on.
Personal data refers to any information related to a data subject that can directly or indirectly identify a person, as it relates to their private, professional, or public life. This information includes name, email address, photos, or even bank statements.
Purposes are the key building blocks of Consent Management and are needed to set up Collection Points and Preference Centers.
A person's consent is always stored against a defined purpose for which their data is collected or processed.
Obtaining the Consent
Obtaining consent from the data subject refers to any “freely given, specific, informed and unambiguous indication” that the data subject agrees to the processing of personal data related to them. Data subjects can provide consent with either a statement or explicit affirmative action.
There are two different ways to obtain the consent of the data subject: the single opt-in and the double opt-in.
The Single Opt-In method is the simplest one. It occurs when the person agrees to have their information collected. This agreement can take many forms, but the most common is a check box in a web form or a dialog box.
The Double Opt-In is a more complex, two-step method. It starts with a regular single opt-in; the difference is that the person then receives a confirmation email in their mailbox and must click on the link in it to confirm the consent.
Withdrawing the Consent – Opt-Out
Withdrawing the consent, or opting out, must be as easy as giving it. The person may withdraw the consent related to one or all purposes.
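The double opt-in and per-purpose withdrawal described above can be modelled as an append-only consent log. This is an added example, not code from the original article; the `ConsentLedger` class, the HMAC-signed link token, the 24-hour validity and the demo key are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: kept in a secret store in practice
TOKEN_TTL = 24 * 3600  # assumption: confirmation link is valid for 24 hours

def _sign(subject, purpose, issued):
    msg = f"{subject}|{purpose}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

class ConsentLedger:
    def __init__(self):
        # Append-only (timestamp, subject, purpose, state); latest event wins.
        self.events = []

    def latest(self, subject, purpose):
        for ts, s, p, state in reversed(self.events):
            if (s, p) == (subject, purpose):
                return ts, state
        return None, None

    def request(self, subject, purpose, now=None):
        """Opt-in step 1: record 'pending', return the token for the mail link."""
        now = int(time.time()) if now is None else now
        self.events.append((now, subject, purpose, "pending"))
        return f"{now}.{_sign(subject, purpose, now)}"

    def confirm(self, subject, purpose, token, now=None):
        """Opt-in step 2: the link was clicked; grant only if the token is valid."""
        now = int(time.time()) if now is None else now
        issued, _, sig = token.partition(".")
        if not issued.isdecimal() or now - int(issued) > TOKEN_TTL:
            return False
        expected = _sign(subject, purpose, int(issued))
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False
        # Token must match the newest pending request (no replay, no stale link).
        if self.latest(subject, purpose) != (int(issued), "pending"):
            return False
        self.events.append((now, subject, purpose, "granted"))
        return True

    def withdraw(self, subject, purposes, now=None):
        # Opt-out for one or several purposes; earlier events stay as evidence.
        now = int(time.time()) if now is None else now
        self.events.extend((now, subject, p, "withdrawn") for p in purposes)

    def may_process(self, subject, purpose):
        return self.latest(subject, purpose)[1] == "granted"
```

Because every state change is appended rather than overwritten, the same log also serves as the documented record of when consent was given and withdrawn.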
Preference management is usually handled by a preference center dashboard, where customers can manage their subscription preferences. In the preference center, customers should be able to set their preferences in a more granular way, beyond simply opting in or out of different content choices. For example, customers should be able to set how frequently they would like to be contacted.
If you give your customers the unique possibility to opt out through your preference center, it is good practice to review this strategy with the marketing team, since the right preference management strategy is what allows you to bring more value to your customers, reaching them when they want and with the content they are most interested in.
Preference center is the name given to the pages used to update communication preferences. In the preference center, users can choose their subscription preferences and choose to opt in or opt out of any of them.
How can you set up your Consent Management Platform?
You may set up your own Consent Management Platform from scratch or use existing tools that help you manage this feature. Make sure that you respect all the compliance requirements in the process.
At first, if you do not have experience with GDPR rules, it is highly recommended to use existing tools to manage your customer’s consent. Existing tools will provide built-in mechanisms and will help you through the process of being GDPR compliant.
But if you want to have your own Consent Management Platform with custom Data Controllers, Data Processors, and Preference Centers, then you must contact an attorney specialized in GDPR compliance to audit your process to validate it end to end.
GDPR compliance checklist
If you are unsure whether your system is 100% compliant, you can use the GDPR compliance checklist from the link below. This checklist, though not official, provides detailed, up-to-date information that can help you better understand what is needed in each of the steps.
As this checklist is not official, we again highly recommend that you contact an attorney specializing in GDPR compliance, who can apply the law to your specific context and requirements.
Azure AD Consent Framework
The Azure AD Consent Framework is built on OAuth 2.0, making it possible to access the users' resources after consent in many different types of client applications (phone, tablet, server, or web application). To use the Azure AD Consent Framework and collect information from other APIs on behalf of the user, your application must be registered in Azure AD App Registrations.
The Azure AD Consent workflow is described in the picture below, with the Microsoft Graph API being responsible for making the bridge between your App and the desired service.
From your application in Azure App Registrations, navigate to API permissions and select the scopes for which you would like to have your users' consent. In the picture below you can see that the API has the permission to read the user profile from Microsoft Graph.
The first time that your users log in to your application, they will be asked to give their consent according to the permissions set above. If the users grant their permission, then your application will access user data on their behalf.
After consent, your app can collect the users’ data.
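The consent request described above, seen from the application side, as an added example that is not part of the original article. It builds the OAuth 2.0 authorization request that triggers the consent prompt and then checks which scopes the token response actually reports as granted before any user data is read. The function names, the `User.Read` and `Calendars.Read` scope choice and the sample response are assumptions, and the sample response is constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_PREFIX = "https://graph.microsoft.com/"

# Constructed sample: the user consented to the profile scope only.
SAMPLE_TOKEN_RESPONSE = {"scope": "https://graph.microsoft.com/User.Read openid profile"}


def build_authorize_request(tenant, client_id, redirect_uri, scopes):
    """Return (url, state, code_verifier) for the authorization code flow with PKCE."""
    state = secrets.token_urlsafe(16)      # compare on the redirect to stop CSRF
    verifier = secrets.token_urlsafe(48)   # 64 characters, kept server-side
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}", state, verifier


def granted_scopes(token_response):
    """Normalise the space-separated 'scope' field (short or full-URI form)."""
    granted = set()
    for scope in token_response.get("scope", "").split():
        if scope.lower().startswith(GRAPH_PREFIX):
            scope = scope[len(GRAPH_PREFIX):]
        granted.add(scope.lower())
    return granted


def missing_consent(required, token_response):
    """Scopes the application needs that were not granted."""
    return sorted({s.lower() for s in required} - granted_scopes(token_response))
```

If `missing_consent` returns a non-empty list, the application should skip the corresponding data access instead of assuming that the permissions configured in the app registration were all consented to.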
How can we help you?
At Stellium we can help you analyze your business environment and explore together how to be compliant when storing and processing users’ data in order to avoid unwanted fines.
Would you like to get in touch about GDPR Compliance? Go ahead and set up a free online appointment with us for a consultation call.