Consent Management Policy Template
Written by Ashman Malik
Updated this week

This guide explains how partners can integrate and present a Consent Management Portal on their websites, ensuring compliance with the Consumer Data Right (CDR) requirements. This document provides you with a starting point for understanding and implementing our data de-identification process.

You are free to use and adapt this information as needed to align with your use cases. Our team is here to assist and will be happy to review and approve any modifications you make. We encourage you to tailor the content to your specific needs and feel confident knowing that any changes you propose will be carefully evaluated by our experts. Should you have any questions or need further clarifications, please don't hesitate to reach out. Our team is always ready to collaborate and support you throughout this process.

Introduction to the Consumer Data Right (CDR)

The Consumer Data Right (CDR) regulates the collection and handling of CDR data in line with privacy safeguards and rules that:

  • Ensure your users' data is managed securely.

  • Provide your users with control over how their data is shared and used.

Accredited Data Recipients (ADRs)

An Accredited Data Recipient (ADR) is an organization approved under the CDR framework to receive and manage consumer data securely. ADRs are required to adhere to strict privacy and security rules, ensuring that the consumer's data is used only with their consent. ADRs and ADR reps (Partners) are expected to:

  • Transparently disclose how data is used.

  • Ensure secure storage and transfer of consumer data.

  • Implement privacy safeguards to protect user consent.

Key Benefits for Users

  • Choice and Control: Users decide what data to share, how it’s used, and who can access it.

  • Manage Consent: Users can view, modify, or revoke consents at any time.

  • Data Deletion Requests: Users can request data deletion or de-identification.

Data Usage under CDR

Data collected under the CDR framework can be used for:

  • Personalised Services: Tailoring recommendations to user activities.

  • Operational Purposes: Preventing fraud, detecting abuse, and generating analytical insights using de-identified data.

  • Communication: Sending updates and notifications aligned with user preferences.

Reps/Partners should transparently disclose the specific purposes for which they will use the data they collect from users, and request only the minimum data necessary to fulfill those purposes.


Data Security Requirements

Data security is a core element of CDR compliance. All data must be managed securely through strict protocols, including:

  • Storage: Data must be securely stored in Australia only.

  • Encryption: Ensure encryption of data in transit and at rest.

  • Access Control: Restrict access to authorized personnel only.

  • Audits: Conduct regular audits to verify adherence to security practices.


Consent Management

To comply with CDR regulations, partners must provide users with flexible methods to manage their consents. These options ensure users have control over their data at all times.

Methods of Managing Consent

1. Using the Basiq Dashboard

  • Partners can revoke user consents on their behalf via the dashboard:

    1. Log into the Basiq dashboard.

    2. Navigate to the "Users" section.

    3. Select the user whose consent needs to be revoked.

    4. Add 'Confirm user's identity before revoking consent'.

    5. Click to revoke consent.

  • Alternatively, partners can generate a unique URL from the dashboard and share it with users, enabling them to revoke consent directly:

    1. Generate a URL link.

    2. Share the link with the user.

    3. Users can review and manage their consents independently.

2. Using the action=manage Parameter (Preferred)

The action=manage parameter directs users to the Consent Management Portal (CMP), where they can manage and revoke their consents directly. Partners can:

  • Integrate the CMP view within their app or website.

  • Provide users with a link to the CMP for direct access.

3. Alternative Methods

Partners are encouraged to provide additional methods to users for managing their consents, such as:

  • Offering support via email for consent-related queries.

  • Providing a support phone line.

  • Creating a publicly accessible resource (e.g., webpage or PDF) explaining consent management policies.

Ensure your company policies align with the Consent Policy configured in the Basiq customizer. Refer to the official ACCC/CDR rules for further guidance.


Data Retention and De-identification

Data Deletion Process

The user has the right to request data deletion at any time. Upon withdrawal of consent:

  • Data will be securely deleted or de-identified by the Partner.

  • Redundant data will be destroyed (except for specific use cases when you are required by law to retain data for a longer period).

  • Partners will ensure that third-party processors securely erase any shared data.

De-identification Process

De-identification involves removing identifiable information while retaining anonymised data for operational purposes, such as analytics and fraud prevention. Steps include:

  • Removing user IDs from transactions.

  • Stripping timestamps and descriptions that reveal specific details.

  • Aggregating data to ensure anonymity.

De-identified data can be used for improving services, creating insights, and operational analysis. Users may also request deletion of de-identified data if it is no longer necessary.
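
The three steps above, sketched in Python as an added example (not Basiq's or any partner's own process). The record field names, the choice to coarsen timestamps to a month, and the small-group suppression threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records; the field names are assumptions, not a Basiq schema.
SAMPLE = [
    {"user_id": "u-1", "posted": "2024-03-02T09:14:00", "description": "ACME PHARMACY 0412", "category": "health", "amount": -23.50},
    {"user_id": "u-2", "posted": "2024-03-11T17:40:00", "description": "DR SMITH CLINIC", "category": "health", "amount": -40.00},
    {"user_id": "u-3", "posted": "2024-03-19T08:05:00", "description": "CITY DENTAL", "category": "health", "amount": -12.25},
    {"user_id": "u-1", "posted": "2024-03-05T12:00:00", "description": "GROCER 7731", "category": "groceries", "amount": -80.10},
    {"user_id": "u-1", "posted": "2024-03-20T18:30:00", "description": "GROCER 7731", "category": "groceries", "amount": -15.00},
    {"user_id": "u-2", "posted": "2024-03-21T10:10:00", "description": "MARKET LANE", "category": "groceries", "amount": -60.00},
    {"user_id": "u-4", "posted": "2024-04-01T07:55:00", "description": "ACME PHARMACY 0412", "category": "health", "amount": -99.00},
]

MIN_GROUP_SIZE = 3  # assumed threshold: groups with fewer distinct users are suppressed


def deidentify(transactions, min_group_size=MIN_GROUP_SIZE):
    """Aggregate transactions into (month, category) rows with no direct identifiers."""
    groups = defaultdict(lambda: {"users": set(), "count": 0, "total": 0.0})
    for tx in transactions:
        # Exact timestamp is reduced to a month; the description is never read.
        month = datetime.fromisoformat(tx["posted"]).strftime("%Y-%m")
        group = groups[(month, tx["category"])]
        group["users"].add(tx["user_id"])  # kept in memory only, to count distinct users
        group["count"] += 1
        group["total"] += tx["amount"]

    rows = []
    for (month, category), group in sorted(groups.items()):
        if len(group["users"]) < min_group_size:
            continue  # a row built from one or two users can still single someone out
        rows.append({
            "month": month,
            "category": category,
            "transactions": group["count"],
            "total": round(group["total"], 2),
        })
    return rows


if __name__ == "__main__":
    for row in deidentify(SAMPLE):
        print(row)
```

Only the March health row survives: the groceries group has three transactions but two distinct users, which is why suppression counts users rather than rows.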

Retention Policy

Partners must adhere to the following guidelines for managing user data:

  1. Ensure user data is deleted promptly when it is no longer required, upon data sharing consent expiry or within 24 hours of receiving a consent revocation request.

  2. Comply with retention toggle settings for automatic deletion, ensuring configurations align with privacy and security requirements.


Conclusion

This guide provides a foundation for integrating and managing a Consent Management Portal compliant with CDR regulations. By implementing the outlined methods, partners can ensure user data is handled securely, transparently, and in line with privacy laws. For additional guidance or assistance, contact our team.

