The first article in this three-part series outlined the demands placed on mobile operators by the EU-wide General Data Protection Regulation (GDPR) and introduced the Exomi Mobile Identity solution (XMI). This second article goes into more detail to describe how the XMI can help operators comply with GDPR requirements quickly and easily. The introduction of secure tokens as anonymous handles for users reduces the need for services to access GDPR-controlled personal information. When such access is needed, secure tokens ensure that it is done in a GDPR-compliant way.
The use of secure tokens is at the heart of the XMI solution, replacing header enrichment and the uncontrolled use of MSISDNs. The use of tokens means that the XMI functions well with secure HTTPS connections, unlike earlier methods. When the user provides consent, the XMI generates a secure token and returns it to the content provider instead of the user’s MSISDN or other actual identifying data. This token gives the content provider access only to the specific information or resources that the user has authorized and only for the validity period defined for the token instead of allowing the content provider to access all available user information indefinitely.
The token itself is anonymous. With the use of tokens, service providers can bill users, send SMS messages, or use location data, for example, without even obtaining the user’s MSISDN or other personal data if the user doesn’t consent to sharing it. Tokens also isolate content providers from each other: a secure token representing user consent for one particular service cannot be shared and used by other services. All information and resource use can be traced to the original user consent for a specific content provider.
The XMI solution also simplifies the recycling of MSISDNs by automatically invalidating all associated secure tokens when the number is taken out of use. If the user wants to preserve all services when obtaining a new number, the MSISDN associated with the user’s secure tokens can simply be updated. Operators can easily provide new users with phone numbers that have previously been used by other users with no fear of getting user information mixed up.
Ensuring user consent with the XMI
The use of traditional header enrichment methods means that the operator automatically shares the user’s MSISDN with content providers or other third parties. This is not in accordance with the GDPR, which requires explicit user consent for any data sharing, as specified in Article 4:
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
With the XMI, the user’s MSISDN does not have to be shared openly with content providers or other third parties. When third-party services or websites require personal or identifying information from the user, the XMI solution deployed by the operator presents the user with consent options and validity information.
This means telling the user in a clear and simple way what personal data is required, what purposes this data will be used for, how long it will be stored and how it can be revoked.
Handling consent on behalf of children
According to the GDPR, minors under the age of 16 are defined as children. Some EU member states may legislate for a lower age limit, as long as it is not under 13 years. Children’s personal data may be processed only if consent is obtained from their parents or holders of parental responsibility.
In line with these requirements, the XMI enables delegating consent request alerts to parents’ mobile devices if third-party services are used by children. Children can seek parental consent immediately and parents can approve or reject the request as they see fit using their own device.
Viewing and revoking authorizations
The XMI provides a dashboard for users, showing which services are currently authorized to handle the user’s data, what kind of data these services handle and how long each authorization is valid. The same applies to service subscriptions that are charged to the user. Users can revoke their own authorizations or subscriptions directly from the dashboard, or this can be done by the operator’s customer service representative at the user’s request.
The XMI dashboard can be embedded into the operator’s portal using the operator’s own look and feel. The APIs are available for deeper integration.
The GDPR specifies that consent validity depends on context and requires periodic reviews to verify if the grounds for the consent have changed. The XMI enforces time limits for the validity of each consent or authorization and automatically requests renewal as needed. This applies to parental consent as well, as the GDPR states that parental consent expires automatically when the child reaches a specific age.
Do you need help or have questions? Please contact us:Contact Us