Summary: Digital customer onboarding & GDPR
On Thursday, October 19th, we hosted a breakfast seminar on GDPR. Our lead consultant, Henk Weidenfeld, talked about how to solve digital customer onboarding in light of the new EU regulations, followed by a demonstration of our solution.
Henk explained how and why one should collect information and consent from clients during the onboarding process and answered questions like: Do we always need explicit consent? Or is it enough to just give the client «concise, transparent, intelligible and easily accessible» information about the data you are collecting and why? How do we address the problems related to data collection on third parties, such as co-applicants?
Four takeaways from Henk's presentation:
1. Explicit consent is not the only option
– Besides consent, there are several exemptions that legitimize data processing (cf. Art. 6 GDPR). From a business perspective, it is advisable to seek legitimation in legal obligations, legitimate interests, or contract agreements, since consent can be withdrawn by the data subject at any time.
Source: GDPR Article 6
2. Consent does not equal a checkbox bonanza
– GDPR differentiates between "unambiguous indications of wishes" (simple consent) and explicit consent, which is only needed for the processing of special data categories, such as biometry, information about religion, or sexual orientation. Simple consent can be collected in many ways, and this does not always have to involve checkboxes.
Sources: GDPR - Articles 4, 7 & 9
3. Increase compliance with dedicated applications
– Where processing is based on consent, it is paramount that the data subject is informed in due time and has the chance to object to processing. Isolating data collection in a dedicated application within the integration layer makes it possible to get consent before the data is passed on to core systems.
Read more: GDPR - Article 14
4. Enable self-service corrections to save manual work
– All data subjects have the right to amend and rectify data that has been collected. This includes individuals who do not have a direct relationship with the data controller at the time of collection (e.g. co-applicants, beneficial owners, etc.). Isolating data collection inside a dedicated application makes it possible to establish self-service processes while ensuring data quality.
Read more: GDPR - Article 16
Henk also previewed a demo of a GDPR-compliant onboarding form. Do you want to see the demo, have questions, or want help becoming GDPR compliant? Get in touch!