Saving GDPR consents

[Frank Vèssia]

Hello guys,
I was researching more info about gdpr and how to store the consents and I found this article:

https://law.stackexchange.com/questions/29190/gdpr-where-to-store-users-consent

it says that you have to store all info about the consent users gave such as the exact time, how they gave consent and save a copy of the privacy policy file etc... but at the end there is this:

How to verify this data has not been modified?

You could store a hash of the row on some form of blockchain, to prove that after the stated date the consent had not been modified, this would prevent having to store a copy of the user's ID on the blockchain. It would not prevent forging consent at the time you claim it was given, but short of having the user digitally sign the transaction with some key that you do not have access to, there would be no way to prevent this.

Blockchain? I don't really know how to implement this, I guess there should be an easier solution, how did you solve this issue?
Thanks

[wbmnfktr]

What exact consent do you want to save/document/store?

1. Cookie banner?
2. Newsletter signup/opt-in/double-opt-in?
3. Marketing / Re-Targeting opt-in?

I'm not a lawyer by any means so I don't want you to follow my approach but this is the way I do it and my legal advisors don't scream in total panic when I tell them about it.

1. Cookie banner
   Client side cookie (simple true/false)
   if true: cookies were set and the banner doesn't pop up again
   if false: no cookies at all (besides session cookies) cookie banner pops up every time
2. Newsletter
   most of the time I use Mailchimp as I have a GDPR/DPA contract with them to handle everything - they store and document all opt-ins and opt-outs and are responsible for it. Users have to tick up to two checkboxes in order to signup for the newsletter - the first a common privacy checkbox, the second is a detailed explanation that the newsletter is handled by a third party. I will receive a sign-up notification via email I can archive, print or whatever. Related database entries will be deleted a few days later. Mailchimp uses double-opt-in in all cases and documents these. Unconfirmed signups will be deleted once a week.
3. Marketing / Re-Targeting
   I stopped using it as my marketing budget isn't that high to pay even more lawyers. ? 

[szabesz]

On 9/9/2019 at 11:51 AM, Sevarf2 said:

Blockchain? I don't really know how to implement this, I guess there should be an easier solution, how did you solve this issue?

I'm no expert either but there seems to be a consensus that GDPR does not require a one-fits-all approach for everything but quite the contrary. For example on a simple PW site where cookies are only used for their default purposes by the system and only editors and superusers login, I usually just state some "required for security purposes" blah-blah on the Imprint page linked form the footer or even form the main menu, and that is all there is to it.

What you should do depends on lots of factors, including the local law. That's the "beauty" of regulations like this...

[Frank Vèssia]

My website stores user's info after they join such as username, password, email, IP and I added also a checkbox for the "privacy accepted" status and another one with the info about the version of the privacy policy at that time but from what I read storing these data in the database is not enough.

[LostKobrakai]

On 9/9/2019 at 11:51 AM, Sevarf2 said:

How to verify this data has not been modified?

If you have proper auditing tools in place then any modifications should be recorded. The other part is authentication/authorization. If you can verify that nobody can modify a certain record you're fine. Those things get tricky though for the people, who are responsible for setting up those systems, because they often also have the ability to circumvent them. That's the place where you want to keep access very restricted to a small set of people, still enable logs where possible and start using policies, which "tell" those people what they're allowed to do and what they're not allowed to do. As soon as you cannot (tech.) prove something wasn't modified you should at least be able to prove that you had other measures, which disallowed modification and to know exactly who had the ability to change things in a non-trackable fashion. There's no fool prove way to this, unless you give up control completely to a third party, and there are always going to be parts in your setup, which are best effort instead of watertight. From my understanding a good part of an evaluation by authorities will include not just technical checks, but also softer targets like proper training for personnel, written evaluations and documentation.