Interview on Privacy & Consent Management (Ian Evans, Managing Director at OneTrust)

KC Analyst Anne Bailey interviews Ian Evans, Managing Director at OneTrust, about privacy and consent management.

Hi everyone. I'm Annie Bailey, an Analyst with co our coal. And today I'm doing an interview with Ian Evans of OneTrust. Ian, thank you so much for being here.
You're very welcome, Annie. Very welcome.
Great. Can you share for the audience what your role is at OneTrust?
Of course, yeah. I'm Ian Evans. I'm the managing director for OneTrust. I cover our Europe, middle east and African business and all aspects of our operations.
Fantastic. Then without further ado, let's jump into the interview. We're talking about privacy and consent management solutions, but this idea of consent collection can sometimes feel like you're putting privacy into a tiny box. So how does OneTrust go beyond simply consent collection to ensuring that the data is used appropriately? And that relationship is honored?
Of course, it's a, it's a hugely hot topic right now. And, and it's an area that we see regulators starting to figure out what they should be doing as well. You know, and each country that we talk to has a slightly different approach. So I think there's, there's really two there's. There's two perspectives that we have here. One is from a, a marketing business perspective. First of all, we need to figure out how to, how to capture consent so that we can use that consent data to market, to people. And we, we need to try and make sure that we can honor the data that's in that. So we need to figure out the granular level of consent that, that somebody has given us. So one of our customers, one of our prospects, a data subject, so we need to figure out on their distribution list or the products or the type of consent that they've given us.
We need to make it as easy as possible also for our customers and consumers, to be able to see their, their updates and their preferences. Now that's the one side of the business, you know, we need to continue marketing. We need to do a good job of making sure that people aren't off by essentially these big knows that pop onto screens. Secondly, then from a privacy perspective, we need to, to the model. And now that's, that kind becomes interesting. As regulators are starting to change their mind a little bit about how long consent is valid for in different types. So we need a programmatic model that allows us to know by geography, what type of consent model we would rely on, how do we, how do we gain the consent and how do we maintain consent? And that's our programmatic basis. And essentially making sure that we have these preference centers, which is more of a OneTrust terminology, but customers can go and state what their preferences are and we stick to what their preferences are. We maintain them. So that's, that's key the world of privacy.
Thank you for that answer. Then now pivoting a little bit to the different technological approaches to identifying cookies and other tracking technologies on a website, some choose to use a scanning feature, which identifies everything which is present and others choose to use the, a, the IAB framework, which uses a white list. One trust uses both. So can you share with me why both and how do they compliment each other?
Yeah, of course. So first of all, the IAB framework is, is really about the ad tech space and the ad tech space and whitelist, various different domains and providers and cookies that you can scan through, but it doesn't stop you having to scan for compliance because there are two sides. One is the ad tech relationship that you use in your organization. And, and, and the other side really is what else is in the webpage that you're landing on because there are gonna be various things in the webpage that you'll land on with tags and with embedded links and, and, and you have to be compliant from both sides. The challenge is another pretty hot topic because the, the, the regulator of Belgium has already said that the, the TCF framework isn't compliant to GDPR and that GDPR is a stronger requirement. And, and that's essentially why you would scan the website, look for compliance.
If, if you can scan your website, there are many people that can scan your website. So you gotta know that these technology are available to start reading pages and looking for embedded links, tags, video, clipped, with links in them, et cetera, for marketing. And, and really then this goes beyond where the sort of I framework and the TCF framework allows to get to, but there are other regulations such as the, the pecker PCR, you know, the requirements and the GDPR requirements, which will be much more stringent. So IAB is good because it's, it's a fairly well known list that we have to subscribe to. But I think it's only really half of the answer that we have to worry about. It certainly speeds up the way that the ad tech world works in terms of, you know, a framework that we can sign up to, but scanning does reduce a lot of the integration burden.
It reduces a lot of the manual checking of the websites. You've gotta think about third parties and integration to third parties and where your, where the journey of browsing works as well. So as I enter a website, that's compliant, but I click on a link that takes me to a different domain and how that transition works in the business. So, so really it's aware of your cookies and your links, how the website works and any other third parties that you work with as well. So this is, this is a tricky area to, to try to figure out without scanning a website. It's a lot of manual intervention.
Great. Thank you. You mentioned the statement that Belgium has made recently that the TCF framework is still subordinate to the GDPR. That leads me think that that customers who might be implementing a privacy and consent management solution would have a really difficult time keeping up to date with all of the different global privacy regulations that are out there. How can they do this?
Yeah, this is, this has been the, the area. I think that most organizations have struggled with. We can, you know, we can implement a programmatic solution to meet something, but then all of a sudden something changes and it can be as simple as the, you know, the time that consent is valid for whether that's two years or only six months in a web structure, but also in, just in general from the privacy requirements. You know, we saw that the GDPR took quite a while to get into force and then went into force in mid may. End of may, sorry, in 2018. But then since we've seen that, we've also seen the CPA act coming in, which also does change the way that maybe that do not sell obligations of a browser work. And, and your model we've seen now, south America, having new laws, we've seen the popier act raising itself in awareness.
We've seen the, the cavi KKA in Turkey changing the way that that works. And this is gonna be a constant really revision to regulation. I mean, regulation, hasn't stood still now for the last two to three years, and I don't foresee it standing still. So you really need something to keep you aware of, of the regulation, the changes what's being lobbied in parliament. And, and, and how do you get yourself ready for what we refer to as a day zero regulatory change. Now, the, the OneTrust platform does have regulatory guidance built in by our data guidance platform. And that research is all regulatory changes proposed around the world. And we feed that back into our platform. So you can subscribe to different regulatory changes and, and see any countries of interest. You can do table comparisons, but mainly it'll also work hand in hand with your privacy deployment to make sure that if anything changes it affects maybe the consent model that you're operating, or from a records of processing activity, the jurisdiction that you are using a center of processing, then it's really important that you proactively get notification.
And these can be six, nine and 12 months before a regulatory change goes through, but you've gotta be ready. And, you know, I, I, I hate to sort of bring up the, the Brexit challenge that we're all living through here in, in the UK, but it's a regulatory change and we know it's coming, but we don't have an adequacy ruling yet. And that means that we have to remain flexible on how we would adhere to what a Brexit change might be. And whilst we'll have time, that's just a great example right now of, you know, the GDPR, you know, ruling that we have from two years ago is now gonna be adapted for adequacy, and that will bring some changes to as well. So keeping current, making sure that you have a plan for the programmatic changes that you have in place, I think is absolutely key.
Great. Now I wanna pivot back to something which you said earlier in the interview mentioning granular consent, and this brings up the idea of attributes. So could you explain this concept a little bit more and how this plays a role with privacy solutions?
So, yeah, essentially when we, when we think about consent as, as individuals, we'll all want to receive different bits of news, we'll consent to, to, you know, various different types of cookies on our website. So we'll know that we'll need strictly necessary cookies, performance cookies, but maybe I don't want the targeted advertising. Although, you know, some would say that the internet would be a rather dull place without some advertising, cuz maybe I'm not gonna learn about things at the same time. So there's a balance that I think you need, but also there are different types of communication method pose. So how I'd like to see receive emails and offers and updates and to which channels do I want to receive those? So this essentially is managing my preference and storing the attributes of me as a, you know, as an individual in the organization. So, so you can see what type of consumer customer data subject I am and the best way of building that relationship, rather than just assuming that you've got one piece of consent from me and therefore I'll be happy to receive everything else.
So our preference centers treat everybody as an individual. We, we, we use an anonymous key that we can manage somebody's preferences by typically an email address and in, in the majority of cases or if you're a customer and then you may have a customer ID and then you can take that down to another fully anonymous level, but then really understanding what is it that I, Ian Evans wants to receive from your organization and preferences choose to mind, you know, I should be able to go and change those preferences at any point in time. So, so there's gotta be an easy way of getting back to that setting. So if I came to an organization and I clicked on their website, and then I could see that there was a preference center for my, my, my ID, my login, my, my email address, my customer ID to click on the link and take me into my preference choice center and say, here's what you're currently subscribed to.
And all the granular levels that you have, are there any updates you'd like, and maybe I don't want to receive a quarterly news updates or I do wanna see a new product launch line as well. And I think that's really key to making sure we start to personalize. This is a, this is more working the way that marketing wants to be working to maintain those preferences, but also building up on trust because the first place that we think about trust these days is how somebody behaves and the website is no different about how we behave. This is an endorsement of trust that we're looking for.
Yeah. It's really interesting to be able to find this alignment between the marketing goals and a compliance goal and, and see if there really is a synergy there and then to bring it out. Yeah, that's great.
Yes, no, I agree.
Yeah. Then I'd like to shift direction again and take a look at AI. I'm always really interested in, in this topic and, and love to hear about how this is being embedded in different types of tools, but also with, with responsibility, especially for something like model drift where a, a model can learn and change and adjust over time, but making sure it stays in line with, with its original intention.
Yeah, of course. I mean, there's, there's a number of different forms of AI. And I guess firstly, there's the robotic version of AI that will sit there and look at a set of parameters and look at the data sets that we get entered into them and we'll start to figure out, do we have data that meets that consent a great way of using AI because we'll start to look at patterns of individuals and whether we have gained the appropriate and whether we should try to maintain or address some deficits in the consent model that we have. Regulatory change is another way that we can look at using AI because essentially the way that we all got into GDPR was to do gap analysis. I guess everybody looked at where are we at in line with the directive? What does the GDPR require us to do?
There's a big gap in the middle of it, and we've gotta figure out how to be compliant to this regulation so we can use it to pinpoint and highlight areas of higher risk with a gap analysis, but also using AI to keep on continually learning from that perspective as well. Now, one of the ways that AI really can work is around the sort of the vendor and third party ecosystems as well, because essentially when GDPR told us we had to be, you know, more aware of all of our vendor and third party ecosystems in article 28, AI is a great way of figuring out that I'm doing things in my organization that may have an impact on some of my vendors and third parties. And therefore if I, if I have an impact on it, maybe I'm bringing on a new vendor and I sign up a new contract.
Is that in addition to, or is that the replacement of, and I could use analysis for my records of crossing activity to find an exact match of a vendor that sits in my ecosystem or a similar enough match and say, okay, we're obviously replacing a vendor. What are the obligations that we have under the data processing agreements? And should we alert the, the privacy team that there's a vendor that meets eight outta 10 criteria coming onto my ecosystem and therefore to be aware that we're gonna have a change, that's one of the areas that we can look at learning from. So AI, I think, you know, if we look at our data, we look at data governance in our businesses. We look at how we store attributes of individual data and using AI to essentially learn and find the gaps in what our programmatic privacy platform is doing. Then that's really key and how we trigger that as well. So I think AI in its own right set of rules really doesn't help us because we've written the rules. Therefore we knew the problem existed where AI really does benefit us is as it learns. And as it finds new matches and close fits to certain other patterns that we've seen in our business, that it alerts us with risk. And then we can figure out what we do with the risk platform.
Great. Then to wrap up our interview today, I'd love to know what's next for one trust and the platform
We have so much going on in our platform. I don't even know where to start. So if I, you know, if I think about our platform, you know, it started in, in privacy and now it's really everything. That's privacy, data governance, trust related issues, whether that's InfoSec style governance, risk controls, even down to ethical risk and the new whistleblower act that's coming through as well, because essentially it's, it's all a very similar topic. And then we ought to cover all of the marketing aspects as well with cookies and consent. If I try to keep it a little bit more on track with where we've been talking about for us, there's a huge area that still needs to be improved. I think we've had an over rotation in the marketing side of businesses to try to figure out compliant, led marketing. And now we really need to think about a market driven solution that's compliance require, you know, that has compliance built in.
So essentially these preference centers that most people still aren't running, most organizations have a list of their known marketed target, target marketing list, and they maintain consent against that. But there are so many different intricacies, so many different things that we should be thinking about about that person and understanding their preferences at a granular level so that we have a really relationship. And we don't go beyond the boundaries of that relationship as well, unless they allow us. And that's where the trust will come back into marketing. There's a huge change that's coming through, just browsing a website. Now you'll decide whether or not you trust the company based on their cookie banner. If a cookie banner pops up and it's allow all, don't allow all reject or, but you can carry on browsing, then you know that you're already looking at a, a banner that may not be compliant and it's allowing you to sort of skip past it.
So why is the rest of their, their privacy program? The marketing led privacy requirement actually in a trusted position. And I think this is where we'll start looking at making sure that we've got maybe, maybe a good way of thinking about it is we programmatically looked at the way of managing marketing without having human interactions in the loop. So what makes an amazing marketing campaign doesn't need to be any less than an amazing marketing campaign? I can think of many over the years, but they can still be compliant to a privacy program. We've just gotta figure out how we sign people up. How do we make people feel comfortable about what they're signing up to and maintain those preferences and, and make sure that we're proactive about what we do it, but I think that's, that's where we're faced on the marketing side. There are so many other pieces in our platform that I'd, you know, love to spend time talking through, but it's gonna be, you know, 20, 21 is gonna be a big year for how privacy changes in general. Just little things like a whistleblower act will change the way that our privacy problems are also impacted because they'll be, you know, things that we have to take care of in a compliant way. And that's one of many things that are on our agenda for 2021.
It's definitely a really dynamic space. And as you said, privacy is being redefined constantly and, and from a, a technological side, but also from a social side and, and what, what is really on people's hearts, you say it's a trust matter and, and yes, and really will continue to change over the next year. So thank you for bringing us up to date. And we also look forward to hearing how and where you're going in the future.
No, no problem at all. I'd love to keep you love to keep you updated as well. Thank you so much.
Yeah. Fantastic. So, Ian, thank you very much. And I look forward to talking again soon.
Thank you, Annie. Good to speak to you. Thank you. Bye bye-bye.

Video Links

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Better Business With Smooth and Secure Onboarding Processes

In the modern world of working, organizations need to digitally verify and secure identities at scale. But traditional IAM and CIAM strategies can’t identity-proof people in a meaningful way in the digital era. Finding an automated digital identity proofing system that is passwordless…

Webinar Recording

Advanced Authorization in a Web 3.0 World

Business and just about every other kind of interaction is moving online, with billions of people, connected devices, machines, and bots sharing data via the internet. Consequently, managing who and what has access to what in what context, is extremely challenging. Business success depends…

Analyst Chat

Analyst Chat #146: Do You Still Need a VPN?

Virtual Private Networks (VPNs) are increasingly being promoted as an essential security tool for end users. This is not about the traditional access to corporate resources from insecure environments, but rather about privacy and security protection, but also about concealing one's actual…

Analyst Chat

Analyst Chat #118: A first look at the new Trans-Atlantic Data Privacy Framework

On March 25th, 2022 the European Commission and the US government announced a new agreement governing the transfer of data between the EU and the US. Mike Small and Annie Bailey join Matthias to have a first look as analysts (not lawyers) at this potential milestone for data privacy…

Analyst Chat

Analyst Chat #115: From Third-Party Cookies to FLoC to Google Topics API

Online tracking is a highly visible privacy issue that a lot of people care about. Third-party cookies are most notorious for being used in cross-site tracking, retargeting, and ad-serving. Annie Bailey and Matthias sit down to discuss the most recently proposed approach called…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00