Consent is now a fundamental part of data gathering and storage. Regulations such as GDPR, CCPA, POPI, and PIPEDA give people more control over what personal data they share, but can create restrictions for organisations obtaining and accessing this information.
Complications can arise in this process, especially in healthcare. Due to interactions across numerous touchpoints, the same individual can have different profiles across multiple systems. These different profiles may lead to difficulties in determining the identity of a patient and accessing their medical data. Further obstacles can occur when consent is delegated to a carer or guardian, and is not directly given by the patient.
Yet despite the challenges, it is still possible to build a unified data profile of an individual with their full permission.
Cassie is a consent and preference management platform that manages over 1.2 billion customer records for large organisations handling high-volume, complex data around the world. It allows businesses to manage consent centrally and comply with global data privacy regulations. We spoke to Cassie CEO Glenn Jackson to learn more.
How would you best explain the importance of consent for data?
Glenn Jackson: Data is the most important digital asset that’s out there at the moment. And because of global regulation, the consent to use personal information is critical in most of the developed world. That is because information about me is valuable. And therefore, it should be up to me whether I share that data with an organisation. It’s up to me, as an individual, to give consent to an organisation, which can then use it as I have chosen.
But that consent also builds trust with the brand as well. So, if I give an organisation consent to use my data, that’s fine. If I don’t, then they shouldn’t be using it. It’s vital that the trust in the use of my data is managed properly.
Why is consent particularly important in healthcare?
GJ: If you think about the importance of data, there are degrees of information that you share with people. One example might be, I’m going to track you on a website. Another thing is where I’m going to share my personal private health information with you. That is personal to me, and I do not want you to share that.
Healthcare has always been highly regulated. That is because of the type of data that healthcare organisations are storing, and therefore making sure that’s super secure and not shared without my consent is key.
We know that online scamming happens and has increased during the pandemic. That has scared people, because parties are suggesting that they know information about them.
In the healthcare context, it is really important that you know that your data is safe and is not being made available more broadly. So, it’s the importance of the data that healthcare organisations are holding and therefore the consent to use that data that needs to be rock solid.
And in healthcare, is consent only important in relation to medical treatment?
GJ: No. Consent is for every piece of data that will ever be collected and stored. Certain pieces of data are more important because it is about an individual’s health, compared with the ability to track people’s online activities. So, it’s all important, it’s all covered by regulations. But some things carry more weight than others.
What are some of the issues with hierarchies of consent?
GJ: As soon as you get into healthcare, you’ve got to look at the patients you’re dealing with. Plus, I could be dealing with a minor, my son or daughter might be young, they might need me to give their consent. It might be that you’re disabled, and you have a carer. There are lots of relationships between individuals where consent might need to be granted on behalf of another person.
It then becomes quite complicated about how consents can be identified. And then there may also be occasions when consent needs to be withdrawn or removed.
A carer might not be with their patient, or a dependent might live away from them. And therefore, we’ve got to find a way of being able to identify that delegated consent across a digital platform. So, it’s more complicated in healthcare than it would be maybe in retail or other organisations.
If I give consent for somebody to receive information about my treatments, they might draw conclusions from that. So, it’s really important that I can control that. And security is essential, particularly because there might be at least a three-way relationship now.
What are some of the challenges with regulations and their impact on the use of personal data?
GJ: If you think about all the touchpoints where we give up data. The healthcare environment tends to consist of larger organisations. They may have interactions between a patient, a healthcare provider, a pharmaceutical company and a healthcare organisation. There are so many interactions there that are going on all over the place. It’s important to make sure that consent is shared across all of that data. And that these consents are easily identifiable and up to date so that they comply with all the necessary regulations.
So, consent to use that personal data is collected from all those different touchpoints. It’s stored, and all the organisations involved need to make sure that they understand the consent that the individual data subject has given.
Because to comply with regulations, it’s important to provide an audit trail to show that all the different departments within an organisation are complying with the requests of the data subject.
Regulation is not there to inhibit business, it’s there to essentially protect the data subject from misuse of their personal data. But the bigger the organisation, the harder it gets to do that. Because there are so many different touchpoints that you’ve got to interact with. That’s why it’s so essential to be able to see a single version of the truth in relation to a data subject’s consent.
How can Cassie help with all of this?
GJ: What Cassie actually does is in three main components. We allow data to be collected from all touchpoints. That might be a website, a mobile app, it might be within your existing applications where you’re collecting all this information. And all of that comes into one central auditable, single source of the truth.
And that’s really important. Because a big organisation might have four or five different systems, and the same individual might appear in any or all four or five different systems. We’re matching it so that we know that an individual that comes in via an app can be identified as the same individual that might log in to a website, or fill a form out or whatever it might be. We’re matching that all together.
Secondly, I’ve got to be able to audit where all that data is coming from. Who’s changed it? Why have they changed it? Who, what, why, when and where, all of that information about the auditability of that data. And then the systems that need to use that data need to have access to it, so they can use it compliantly.
Then we push that data downstream to all of the other solutions that can use it, whether that’s the big CRM platforms like Veeva in healthcare, Salesforce, or Marketing Cloud, or all of those big platforms that are consuming that data. Cassie does that in near real-time.
How does Cassie ensure consent and compliance with data regulations?
GJ: Typically, Cassie tends to work with clients who’ve got large numbers of data subjects – that could be a customer, patient or employee, it can be anything that one can attach consent to.
Cassie sits in the cloud. The way I think of it is, it’s got several listeners – that’s API handlers that clients can communicate with or Cassie provides embedded code that clients can drop onto a website or digital form. These are all methods of collecting data from wherever our client wants. So, we can collect lots of compliant data once the data subject has given consent to that data we’re collecting. Then Cassie holds this in a centralised cloud database.
Remember, compliance is about where I reside. If I reside in the European Union, I’m covered by GDPR. If I reside in South Africa, I’m covered by POPI. If I reside in California, I’m under CCPA. Collection and storage of data need to be specific to the region I live in. And then the rules on how you use data need to be specific to the region that I live in.
We give healthcare organisations the confidence that the data they’re using is compliant because Cassie is in the middle of their digital estate. Cassie enables our clients to say: ‘This data is compliant, we have consent for this.’ And that gives the client confidence to use it.