How can data holders and accredited data recipients comply with their obligations under rule 9.3 to keep a video record of their process for seeking authorisations, consents or amendments?
A data holder must keep records, including in video form, of the processes it uses in seeking an authorisation and in seeking an amendment to an authorisation from a CDR consumer. A data holder is not required to keep a video of every authorisation or amendment process in which it engages for every individual consumer. Rather, a data holder must keep records of its current and historic approaches to seeking authorisations and amendments to authorisations from CDR consumers.
The videos are expected to demonstrate what the typical end-to-end flow of the authorisation process, and of the amendment to authorisation process, would be from the point of view of a CDR consumer. The videos should demonstrate that a data holder’s authorisation processes are compliant with theCDR Rules and the CX Standards. Data holders also should consider the CX Guidelines when creating these processes. Data holders may choose to keep and maintain additional records in the form of wireframes and screenshots of their processes if that would further assist with explaining their authorisation and amendment to authorisation processes.
Similarly, accredited data recipients must do the same for their processes in relation to seeking consent or an amendment to a consent. For example:
“FastSaver records its consent flows in video format, showing step-by-step what a consumer may consent to while using its app, as well as the format in which this information is presented to consumers. When FastSaver makes updates to its consent flows, it creates new records of all possible consent decisions and retains its previous consent flows for 6 years dating from the last time a consumer was able to consent using the previous consent flow. FastSaver is complying with the requirement to keep a video record of its consent process.”
If further clarification is required, we recommend that CDR participants seek advice from their internal policy team or legal advisor. It is the responsibility of CDR participants to determine how they will comply with the CDR Rules.