Decentralised identity enabled by the data control stack turns GDPR into a competitive advantage

  • David Mintjes
  • Digital identityArticleGDPRData SharingOpennessCustomer in Control

A new type of player in the digital identity ecosystem – the consent manager – is enabling customers and organisations to take more control over (identity) data. Relying parties should follow this development with great interest because there are significant benefits gained from joining a data control scheme.

Exponential growth in the amount of digital transactions and customer data – facilitated by the continued expansion of the internet, the sharing economy and the Internet of Things – brings huge commercial opportunities. In a world where ‘everything’s becoming a transaction’, relying parties realise that collecting this data and translating it into personalised offerings could immensely increase the potential value of their business. However, they are unable to collect and aggregate the appropriate attributes (i.e. data points) from such widely distributed information.

Simultaneously, customers are becoming aware that personal data is stored everywhere, and they expect to have more control over who accesses it. For this reason, regulators are planning to force relying parties to protect personal data in alignment with the new General Data Protection Regulation (GDPR). This will require significant investment on the part of relying parties. Joining a data control scheme can provide a solution which not only enables the relying party to comply with GDPR, but also provides wider access to more accurate customer attributes.

How do data control schemes and consent management services work?

Within a data control scheme, the consent manager connects decentralised data from multiple attribute providers with different relying parties. There are four steps as shown in Figure 1.

180319datacontrol12Figure 1: The consent manager, who sits in the centre of the data control scheme, enables the customer to be fully in control of his/her personal data

The consent manager begins by indexing the customer’s data from each attribute provider and provides the customer with insights into the available attributes. The customer is now able to modify which parties can access his/her personal data at any time. Consequently, the platform will only share data with relying parties which have explicit customer consent. If these relying parties have updated attributes available that are relevant for other scheme players, they can become attribute providers with new information.

Examples of consent management players include: Dappre (NL), MyDex, Digi.me (UK), Meeco (AU) and Verimi (DE). To be classified as a consent management service, organisations must offer 'consent sharing' as their key service. But the full range of potential services can include: 

  • Consent sharing: The service which enables customers to fully control which parties can read or receive all their (decentralised) attributes.
  • Attribute management: The service which enables customers to create, read, update and delete all (decentralised) attributes via one consolidated interface.
  • Attribute storage: The service which stores customers' attribute data. 

The combination of these services provides customers with centralised control over widely distributed decentralised attributes. In the market, we see consent management players choosing to offer a different service mix within the data control stack.

180319datacontrol2Figure 2: Landscape of selected consent management players based on functionalities offered, non-exhaustive. Source: INNOPAY analysis

Benefits for relying parties

There are three major benefits from joining the right data control scheme:

  1. By joining forces, relying parties gain wider access to attributes and can request a complete set of required attributes from multiple sources.
  2. Increased customer control over indexed, decentralised personal data ensures a higher attribute accuracy because each change at one attribute provider can trigger an update at other parties in the scheme (see step 4 in Figure 1).
  3. In some cases, the necessity for the relying party to store customer data in-house is removed because consent managers can enable insight into data-points without transferring or duplicating the data. GDPR obligations for the relying party can be complied with by using a specialised consent manager.[1]

Realise competitive advantage through cooperation

Consent managers are enabling customers to take more control over their personal (identity) data. Relying parties, including government, can realise significant benefits by joining a data control scheme and collaborating with like-minded players in the digital transactions ecosystem. In Germany, we already see large relying parties cooperating within the Verimi scheme (e.g. Allianz, Axel Springer, Daimler, Deutsche Bank). Relying parties are able to create competitive advantage through collaborating with partners as more and more value is extracted from decentralised personal data within the scheme. Competitors outside of the scheme cannot access big data unlocked through the scheme, therefore fragmentation of this new two-sided market looms. The scale of this advantage will depend upon whether or not you and your partners can maximise this opportunity.

Are you considering joining forces in a data control scheme? Get in touch. INNOPAY can help you choose the right data control scheme and strategic partnerships.



[1] See our previous article on how GDPR affects data storage.

〈  Back to overview