Mobile operators and Data Protection
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in the last two decades. The business impact of such a regulation is inevitable. Under the GDPR, organizations must obtain clear and specific consent from natural persons for collecting, processing, holding or transferring any kind of personal data.
The main goals of this regulation are:
- To harmonize data privacy laws across Europe
- To protect EU citizens and give them back control of their own personal data, as a fundamental right
- To unify the way public and private organizations hold personal data
Mobile network operators (MNOs) and mobile virtual network operators (MVNOs) in Europe are affected by the GDPR in their relationship with their partner services, particularly when sharing the mobile number (MSISDN). The mobile number is personal data: it serves as the user's identity as well as the key to communicating with the user or charging for services.
Data privacy regulations require operators to work with their partners to ensure that:
- Users are informed of how personal data is going to be handled
- Users provide consent
- Parents give consent on behalf of their children (under 16 years old)
- Consent is recorded
- Consent is updated regularly
- Users can see where they have given consent
- Users can revoke consent at any time
A major point of concern for mobile operators is that typically obtaining consent from users is left to the partner services and not controlled or enforced by the operator, who is the one actually releasing the information. According to the GDPR, the operator must ask for consent before releasing any identifying information like the MSISDN to any third party. This means that operators can no longer rely on their service providers or external partners for handling the consent requests. They must handle these requests themselves or stop sharing any user information.
At the same time, operators cannot monetize all the additional capabilities they have, such as location, billing of third-party services and number verification, unless user consent can be easily obtained specifically for providing such sensitive information or opening access to APIs.
Exomi Mobile Identity for painless data protection compliance
Exomi solves the data protection headache for operators. The Exomi Mobile Identity (XMI) platform provides a comprehensive solution for acquiring the user’s consent and managing periodic renewal and validity of consent. Users can also view all authorizations that they have given and revoke them at any time, as required by the GDPR or other data protection regulations. For rapid pain relief, the XMI can be deployed with a private-cloud-ready virtualized solution and industry-standard, easily adopted APIs.
When a third party, such as a website or app, requires personal or identifying user information, the Mobile Identity solution presents the user with the options for consent as regulated by data protection policies. The platform stores the user's consent for a predefined validity period and returns a secure token to the content provider. This token functions as the key to accessing only the information or resources that the user has authorized, for as long as this specific consent is valid. In the case of minors, consent requests can be delegated to parents to be authorized or denied immediately.
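The consent-gated token model described above can be sketched as follows. This is an added example, not Exomi's code or API: the class, method and scope names are hypothetical, and the in-memory dictionary stands in for a real consent store.

```python
import secrets
import time
from dataclasses import dataclass

AGE_OF_CONSENT = 16  # threshold stated in the article


@dataclass
class Consent:
    msisdn: str        # stays inside the operator; never sent to the partner
    partner: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class ConsentRegistry:
    """Hypothetical operator-side store mapping opaque tokens to consent."""

    def __init__(self):
        self._by_token = {}

    def grant(self, msisdn, age, partner, scopes, validity_s,
              parent_approved=False, now=None):
        # A minor cannot self-consent; a parent must approve the request.
        if age < AGE_OF_CONSENT and not parent_approved:
            raise PermissionError("parental consent required")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # opaque: carries no MSISDN
        self._by_token[token] = Consent(
            msisdn, partner, frozenset(scopes), now + validity_s)
        return token

    def authorize(self, token, partner, scope, now=None):
        """True only for valid, unrevoked consent by this partner for scope."""
        now = time.time() if now is None else now
        c = self._by_token.get(token)
        return bool(c and c.partner == partner and not c.revoked
                    and now < c.expires_at and scope in c.scopes)

    def list_consents(self, msisdn):
        """What the user sees: partner and scopes of each unrevoked grant."""
        return [(c.partner, sorted(c.scopes)) for c in self._by_token.values()
                if c.msisdn == msisdn and not c.revoked]

    def revoke(self, msisdn, partner):
        """User-initiated revocation; effective on the next authorize()."""
        for c in self._by_token.values():
            if c.msisdn == msisdn and c.partner == partner:
                c.revoked = True
```

Because the partner holds only the opaque token, every release of data passes through `authorize()`, so expiry and revocation take effect without any cooperation from the partner.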
The APIs used by the XMI are based on commonly used standards, such as OAuth 2.0, and are easily adopted by content providers and other partner services.
In our next article, we explain how our solution can replace the MSISDN as the primary identity for the mobile subscriber to solve many pressing issues operators face today.