“GDPR (the EU’s General Data Protection Regulation) requires us to inform the beneficiaries about how their personal data will be used. How can your system prove that this was done?”
An interesting question to start my day, and my answer that “no system can prove this was done” did not go over well. Systems can have boxes to check and buttons to click, but this proves nothing. All this proves is that the user took an action to remove the annoying cookie or consent pop-up on a website, which exists as legal cover, not consent. Even more so in the humanitarian space, where the ‘pop-ups’ are on the device being operated by the aid worker, not the refugee – so the screens are prompts and reminders for the aid worker to communicate a script to the refugee.
This is not ‘proof’ of consent or even that information has been shared with the other.
Proof is found outside the software or the ‘system’ unless you want the software to capture the voice recording of every interaction. The act of sharing the information is a human interaction. This can be ‘proven’ to be happening through random spot checks or by conducting interviews with a randomised sample of individuals after they have been registered or had their data captured.
So systems can capture boxes being ticked, but this doesn’t mean the beneficiaries have actually been informed. The letter of the law is easily followed; the spirit is a different matter. It’s often said that laws and policies are created looking backward, while life is lived moving forward. It’s time for us to move beyond ticking boxes for legal compliance and start operating in ways that shift how laws are created in the future.