Building a Consent Management Platform for Compliance and Protection of PII Data

Srijan built a diverse and scalable consent management platform for a leading telecom giant in Asia to ensure data privacy

 

 
 
 
telecom-1

Our client is a major telecommunication services provider in Asia, which creates an expansive range of incredible experiences for people that enables them to choose, overcome challenges, and discover new ways to enjoy life.

Highlights:

  • A multi-pronged, scalable solution to enforce and record subscriber consent before sharing any data related to the subscribers
  • Subscriber consent portal UI for ease of consent management and a uniform experience for subscribers
  • Build a platform capable of dealing with traffic > 2K TPS

With data privacy laws being ubiquitous across nations, having a consent management platform becomes indispensable for organizations that hold and share private user data. The laws aim to strengthen the privacy of Personally Identifiable Information (PII) and give the user the power to manage its shareability.

Requirements

Our client needed an API Platform to comply with the following:

  • Allow the subscribers to decide on their willingness to give consent to share or deny access to their PII data.
  • Let the subscribers revoke their prior consent at any point of time.
  • Ensure that no subscriber data is shared with a developer or partner without explicit consent from the subscriber.
  • Allow partners to manage the consents where there are legal provisions to do so
  • Ensure that the consent management platform is highly scalable and can handle a high traffic volume

Challenge

The existing legacy consent management platform had limited abilities, it:

  • Could not cater to the bespoke needs of the business
  • Was also not able to handle the current and projected traffic needs

Solution

Srijan helped the client categorize the needs of the platform into 4 major buckets: 

  1. Every time Consent - Involves fresh consent submission for every transaction by subscribers. Example: using the subscriber’s subscription balance to pay for apps and services.
  2. Expiring Consent - Consent expiring after a stipulated amount of time. Example: sharing the customer’s location or balance 
  3. Non-Expiring Consent - Never expiring consent. Example: Apps access to frequently used data
  4. Bypass Consent - Subscriber consent is managed by trusted partners entirely. Example: Providing access to Law Enforcement agencies and other Fintech partners.

Overall Approach

  • The microservice platform was built using nodeJS, which was then containerized and deployed on AWS for scalability. 
  • Implemented Apigee Gateway to ensure scalability, extensibility, and customization of APIs.
    Enabled the subscribers to manage their data through the consent management portal to ensure data transparency.

Here is an overview diagram of our approach:

Diagram for PII Data Security Platform

Tech Stack

Node JS, Apigee, Kubernetes, AWS

Business benefit

  • Ensures Data Sharing Transparency for its users, a much-needed aspect of business
  • Improved API responsiveness with higher throughput
  • Ensures legal compliance and minimizes legal risks 
  • Boosts brand trust and value among customers
  • Caters to varied subscriber management requirements
  • Enhances user experience with a subscriber portal

Let’s start our conversation