GDPR’s Right To Restrict / Object To Processing: Paper vs Digital Consent

Written by Salman Kasbati
December 4, 2017

Obtaining physician consent has been a requirement for a while under the EU transparency disclosure rules. With the GDPR coming into effect soon, the need to acquire consent has become more pressing and much broader in scope. The scope now applies to:

  1. Employees
  2. Patients
  3. HCPs (healthcare professionals) and others

and covers not just transparency disclosure reporting, but also:

  • Clinical trials data
  • ERP and CRM data
  • Expense reporting and financial data
  • HRMS and other kinds of data

According to Article 6(1), processing is lawful if (setting aside the other grounds it lists):

the data subject has given consent to the processing of his or her personal data for one or more specific purposes; 

The right to restriction of processing, as per Article 18, includes:

Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. 

And finally, the right to object, as per Article 21, includes:

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. 

All of this requires preparation that guarantees coverage across the different data subjects and across the different types of data and systems. Consent needs to be:

  • Freely given; service cannot be withheld if consent is refused
  • Informed
  • Specific to each processing operation
  • Unambiguous: a clear statement or affirmative action
  • Just as easy to withdraw as to give

Many life sciences organisations currently manage consent through a paper-based manual process. With the GDPR coming into effect, staying with a manual process raises the risk of penalties considerably. It is very risky and no longer advisable, especially for larger organisations (those where 4% of annual global turnover exceeds 20 million euros), to manage all of their affiliates and entities across all those countries and languages through manual processes. With increased activity around consent (granting, revoking, etc.), a paper-based process is bound to become cumbersome and eventually unmanageable.

There is clearly a need for a technology that:

  1. Does not itself become a pain point when replacing the manual process; in other words, the transition should be easy, and it should co-exist with the existing processes
  2. Does 60-70% of the work through built-in preset capabilities, so that it provides instant value, and then offers a customisable framework
  3. Is flexible to the needs of all countries, languages and cultures, and adjustable to customised requirements; especially for a larger organisation, it cannot be a one-size-fits-all solution
  4. Provides instant control, publishing and revocation facilities with both centralised and decentralised operation, and the flexibility to customise business rules, e.g. general consent or consent valid until a particular date
  5. Allows cherry-picking of specific purposes for consent and the ability to define and manage legitimate purposes
  6. Is flexible enough to cater to the needs and challenges of different types of data subjects; this will be a crucial feature for a successful implementation
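As an added illustration (not code from this post or from qordata), a minimal consent register in Python that enforces the consent properties listed above (specific per purpose, withdrawable at any time, optionally valid until a date) together with the Article 18(2) and Article 21(1) rules quoted earlier. The data-subject ids, purpose names and the "consent until a date" business rule are constructed for the example; the legal-claims and public-interest exceptions in those articles are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Article 6(1) points used here; (e) and (f) are the bases a data subject may object to (Article 21).
CONSENT, PUBLIC_TASK, LEGIT_INTEREST = "6(1)(a)", "6(1)(e)", "6(1)(f)"
OBJECTABLE = {PUBLIC_TASK, LEGIT_INTEREST}

@dataclass
class PurposeRecord:
    basis: str                           # Article 6(1) point relied on for this purpose
    consent_until: "date | None" = None  # hypothetical 'consent until a date' business rule
    withdrawn: bool = False              # withdrawing must be as easy as giving
    objected: bool = False               # Article 21 objection lodged
    compelling_grounds: bool = False     # controller's documented Article 21 override

@dataclass
class SubjectRecord:
    purposes: dict = field(default_factory=dict)  # one record per specific purpose
    restricted: bool = False             # Article 18 restriction in force

class ConsentRegister:
    def __init__(self):
        self.subjects = defaultdict(SubjectRecord)   # keyed by data-subject id
    def record(self, sid, purpose, basis, until=None):
        self.subjects[sid].purposes[purpose] = PurposeRecord(basis, until)
    def withdraw(self, sid, purpose):
        self.subjects[sid].purposes[purpose].withdrawn = True
    def restrict(self, sid):
        self.subjects[sid].restricted = True
    def object(self, sid, purpose, compelling_grounds=False):
        rec = self.subjects[sid].purposes[purpose]
        rec.objected, rec.compelling_grounds = True, compelling_grounds
    def decide(self, sid, purpose, operation, today):  # -> (allowed, reason)
        subj = self.subjects.get(sid)                 # .get() does not create a record
        rec = subj.purposes.get(purpose) if subj else None
        if rec is None:                               # consent is specific to each purpose
            return False, "no record for this specific purpose"
        consent_ok = rec.basis == CONSENT and not rec.withdrawn and (
            rec.consent_until is None or today <= rec.consent_until)
        if subj.restricted:                           # Article 18(2): storage, or consent, only
            if operation == "store":                  # (legal-claims exceptions not modelled)
                return True, "restricted: storage permitted"
            return consent_ok, "restricted: consent given" if consent_ok else "restricted: storage only"
        if rec.basis == CONSENT:
            return consent_ok, "consent valid" if consent_ok else "consent withdrawn or expired"
        if rec.basis in OBJECTABLE and rec.objected:  # Article 21(1)
            return rec.compelling_grounds, ("objection overridden by compelling legitimate grounds"
                                            if rec.compelling_grounds else "objection: processing must stop")
        return True, f"lawful under Article {rec.basis}"
```

Every decision returns a reason string so that the audit trail shows which article drove the outcome, which is the part a paper process cannot produce on demand.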

Technology has always been a driver of change in many organisations, for the better most of the time. It has always helped many individuals within an organisation by making processes efficient, effective and less error-prone. I believe automating consent management under the GDPR would be a huge advantage for organisations that want to stay far from the huge penalty risks.


About the Author

Muhammad Salman Kasbati is the COO at qordata. Before he joined qordata, he was the Director - Software & Consulting Services, and then Partner at Streebo. With a background in software development spanning over 16 years, his projects have served clients in energy, banking and the life sciences industry. He has led software projects at LMKR, CresSoft, and Avanza Solutions.