Xavier Lefevre, Sales Director at LuxTrust. Photo: LuxTrust, Illustration: Maison Moderne

Among the obligations of the General Data Protection Regulation (GDPR), those related to consent are decisive and complex for companies to manage. Xavier Lefevre, Sales Director at LuxTrust, sheds light on this topic.

To begin, could you remind us what the GDPR is?

Xavier Lefevre: The GDPR is a European regulation that came into force on May 25, 2018, focusing on the protection of personal data and its free movement within the European Union (EU). It establishes a set of rules and obligations for companies and public or private organisations, referred to as "data controllers," regarding their use of personal data.

Among these obligations, one key aspect is that any processing of personal data must rely on one of six legal bases, such as a contract, legal obligation, or the consent of the data subject. Our readers are familiar with this when they visit a website that requests their consent to use "cookies" or other trackers, for instance.

What challenges does GDPR compliance pose for companies?

XL: The answer depends on the size of the company. Large corporations are accustomed to the "exercise" of compliance and have the internal resources to set up Data Protection Officer (DPO) teams. For small and medium-sized enterprises (SMEs), compliance is more challenging to understand and implement.

The top priority is to maintain a record of processing activities that lists the personal data, the purpose of processing, and retention periods. Companies must also implement "appropriate" security measures. Additionally, it is essential to raise awareness and train teams, particularly IT teams, which takes time and incurs costs.

Finally, certain aspects of GDPR compliance are even more complex because they require interaction with the data subject—this is the case with consent management. It is also more critical because it is visible externally. Consent is the visible "face" of compliance, the tip of the iceberg, showcasing a company’s adherence to GDPR requirements. Therefore, investing in this area is worthwhile.

Why is consent such a complex topic?

XL: The GDPR assumes that every company must be able to demonstrate its compliance. In other words, it is up to the data controller to document its compliance and transparently manage data.

When it comes to consent, the data controller must prove that user consent exists and meets the validity criteria imposed by GDPR. These five criteria state that consent must be: free, informed, unambiguous, specific, and—most importantly—revocable and modifiable as easily as it was given.

This last point is particularly difficult for companies to manage. Either they cannot provide proof of consent, or the proof they provide does not meet the required validity criteria. Many companies, including large corporations with skilled internal resources, have been fined for non-compliance. This shows that consent management is a complex issue best handled by specialists with expertise in this area.

How does LuxTrust support its clients in this area?

XL: As a regulated entity under the eIDAS framework, we provide qualified trust services such as authentication and electronic signatures. LuxTrust also offers other important, non-qualified services, including GDPR consent management. Leveraging our experience and expertise in digital security, we are well-positioned to address this issue and provide the best solutions for our clients.

At the start of 2024, we integrated the Fair&Smart platform into the LuxTrust solution portfolio. This turnkey solution allows public and private organisations to collect, store, and query GDPR consents from prospects, clients, users, or members. Fair&Smart integrates seamlessly and quickly into existing IT systems and enables the creation and management of consent collection forms, accessible via a web or mobile application. In the event of an audit or dispute, the company can use Fair&Smart to provide proof of its compliance.

Do the needs and support differ between SMEs and large international groups?

XL: As I mentioned earlier, although large groups are mature in consent management and have greater human and financial resources, they still face challenges in managing consents in full compliance. We are happy to assist them in this area. However, this issue is even more challenging for SMEs. That’s why we are preparing a dedicated offering for these companies, with administrative features tailored to their size. This simplified version will allow them to manage common processes, such as marketing operations like sending newsletters, in a straightforward and relevant way.

What future perspectives do you foresee for digital consent? How does LuxTrust plan to respond?

XL: Today, 80% of consent requests are related to marketing, advertising, or commercial prospecting use cases. Tomorrow, one of the key purposes of consent will be the sharing of personal data between third parties, i.e., between multiple organisations acting as separate data controllers. The only legal basis for such sharing is the explicit consent of the data subject. Consent will thus become central to value creation, as it is the cornerstone of personal data exchanges between companies or between public and private organisations. This presents a significant challenge, and many of the developments in the Fair&Smart platform today revolve around the notion of consented personal data sharing.

For more information, visit