GDPR places significant compliance requirements on IS’s to ensure that the data provenance of PII and associated user decisions on consent are recorded, acted on appropriately, and audited correctly [ 15 ]. For organizations collecting and using personal data, the ability to organize, audit, and verify compliance with legislation are key requirements in business today [ 6 ]. This is not confined to GDPR in Europe. California was the first of a number of US states to legislate on the privacy of personal data [ 8 ].

Data privacy and protection is an integral part of organizational governance, and an essential part of organizations’ IS [ 3 ]. Provenance is a well-established and well understood concept which seeks to establish the origin, lineage, history, transactions on, and ownership of, an artefact. Data Provenance applies the concept in the digital data domain [ 39 ]. PII in GDPR, requires that individuals, ‘Data Subjects’, have the right to decide if their PII can be used in specific circumstances. This ‘consent’ can be ‘granted’, ‘withdrawn’, or in some cases required to be ‘forgotten’ [ 15 ], i.e. both the organization and the Data Subject should have the ability to see, and control, how PII is transacted, used or misused.

Organizations must manage the data provenance of PII, and a Data Subjects’ decisions on the use of their PII in their Information Systems. Both academic and nonacademic literature highlight the difficulties that private and public organizations are encountering in dealing with these GDPR requirements [ 5 ], including the significant absence of deployments in IS for CWM [ 33 ].

A wide variety of technical solutions which go some way to addressing the standards and the requirements of GDPR are proposed in the literature [ 32 ]. While these address different aspects of seeking and granting consent, technical solutions alone that do not also address business, environment or customer perspectives are unlikely to be adopted by organizations [ 1 ]. This requires a holistic approach, relying on a combination of technical implementation, user interaction, together with business and organizational management disciplines to enable usable, efficient consent provenance in their IS. 1.1

This research is intended to assist organizations in assessing the fitness for purpose of CWM in their IS by investigating the relationships between the technical, organizational, and environmental aspects of consent withdrawal. In addition, the research outcomes will provide an indicator to data subjects of an organizations’ IS capability to handle a data subjects consent withdrawal.

The development of a reference process model and a methodology for its use, will enable the evaluation of consent withdrawal in an organizations’ IS. These are proposed to be used by consent management practitioners and have the potential to allow the identification of corrections that could lead to improvement in CWM in IS. 2

GDPR [ 15 ] article 4(11) defines Consent as: “’consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”, with the specific conditions for consent laid out in article 7 of the GDPR. This requires a data controller to ‘demonstrate’ the receipt of consent from a data subject, and the right of a data subject to withdraw consent. It also provides that “It shall be as easy to withdraw as to give consent.” These articles of GDPR place requirements on organizations for the provenance of consent, including the granting of a consent and the withdrawal of that consent. 2.2

In general consent management research takes a technical IS approach to the problem and does not address the affect the relationships between the data stakeholders has on the overall consent management capability in the IS, particularly with regard to consent withdrawal. A number of approaches for consent management have been proposed including ISO/IEC standards [ 19 ], capability based approaches [ 21 ], and a number of blockchain (technical) solutions, i.e. [ 9 ]. 2.3

This research is agnostic to the philosophical view of privacy management in IS as technological or social determinism [ 30 ]. It is aligned with the view of Orlikowski, and Barley [ 27 ] on the role the relationship between IS and social science in achieving holistic IS. Two specific theories in IS research examining human – IS relationships relevant to this research are: • Design Science Research (DSR) [ 24 ], [ 16 ]; • the Technology-Organization-Environment framework (TOE) [ 14 ] Each of these has a bearing on consent withdrawal, particularly when viewed from the perspective of the Data Subject, in particular the Technology Acceptance Model (TAM) and its concept of Perceived Ease of Use (PEOU) “the degree to which a person believes that using a particular technology would be free from efforts” [ 12 ].

DSR [ 24 ], [ 16 ], focuses on the human – IS relationship through artefact creation and their application and evaluation in the IS environment. DSR has been frequently used as a methodology applied to address privacy in IS [ 26 ].

The cross-discipline characteristic of DSR makes it an appropriate approach for this research [ 13 ]. An adapted DSR methodology based on Design Science Process in Data Quality research [ 29 ] as applied to this project is shown in Fig. 1 and is used as the overall approach in conjunction with TOE frameworks as the theoretical lens.

The TOE Framework [ 14 ], is proposed as the theoretical lens [ 25 ], through which to view the Environment paradigm of the IS Research Framework [ 16 ]. TOE provides a lens for viewing and describing the relationships between these individual aspects of the problem, and the combined influence of these relationships on the decision making for improvements to CWM. In this project the TOE lens will be applied to specifically address the relationships between the: • Technology: Availability; and characteristics; • Organization: Formal and informal linking structures; Defined responsibility and authority; and Resources; • External Task Environment: Government Regulation; Customer/End User (ease of consent withdrawal under GDPR Article 7); • Innovation decision making: Usefulness in decision making to improve the ‘fitness for purpose’ of the organizations CWM. The lack of coordination and interaction between the business view, the technical view, and the customer view is a gap in the research in consent management that is highlighted in the types of calls for further IS research [ 36 ].

In many instances organizations can demonstrate the receipt of consent grant. However, these often lack the parallel capabilities demonstrating the full provenance of that consent [ 23 ] including their management of the withdrawal of consent and demonstrating that the ‘ease’ of the withdrawal matches the ease with which the consent was granted. These problems are summarised as follows: • The withdrawal of consent by data subjects and the provenance of their withdrawal is a specific challenge within the overall consent management in IS. • A methodology and reference process model is needed to indicate the 'fitness for purpose' of an organizations IS CWM that encompasses their business need, their technical capability and their customer relationships. • Full compliance with article 7 of the GDPR requires the inclusion of the perception of the ease of withdrawal by the data subject.

This is not a trivial problem. Technology to indicate compliance relies on input from domain experts in different organizational stakeholders, i.e. strategic management, legal counsel, customer relations & marketing, executive management, and shareholders, all of which impact on the organization and its business. However, the relationships between the organizational (business), the technological, and the environmental (legislative, & end user) perspectives & characteristics are not easily understood or obvious [ 22 ]. In this context a design science perspective approach is applicable [ 11 ]. 3.1

The design hypothesis to address the identified problem in consent withdrawal is: The ‘fitness for purpose’ of CWM in IS can be represented by a model of the relationships and interactions between a) Technology capability; b) Organizational commitment; and c) the ease of Data Subject consent withdrawal.

The following research question and sub questions are formulated to address the hypothesis and to achieve the research objectives described above: How can the relationships and interactions between technology, organization and data subject be modelled to indicate the ‘fitness for purpose’ of CWM?

The hypothesis will be tested through the examination of the three sub research questions outlined below. • (SRQ1) What are the characteristics of the relationships between the TOE actors in the consent management process? • (SRQ2) What are the commonalities between the technology, organization, and environment views that influence the innovation decision making for CWM? • (SRQ3) Can the developed process model and methodology be considered reliable to support the design, implementation and deployment of Consent Management features in Information Systems?

SRQ1 will identify and record consent management processes from several case studies. It will analyse these to establish the characteristics of, and the relationships between the TOE actors.

SRQ2 will analyse, compare and model the case study consent management processes and build a reference model for the key influencing factors between each TOE actor and an associated methodology for its use.

SRQ3 will evaluate with practitioners if the process model and methodology reliably indicate how changes in each dimension effect the others and the overall perception of the ‘fitness for purpose’ of CWM in IS. 3.2

The research will require access to organizations at both a technical and management level for data gathering on Organization and Technology in addition to independent responses and feedback from anonymous data subjects on the Environment thread. The organization type and size will have to be carefully selected to help reduce the number of independent variables. Research Ethics approval may be required.

• How to identify the relationships between each of the specific TOE perspectives for consent withdrawal. • How to develop the reference process model to show the relationships between the

TOE perspectives. • How to evaluate the TOE framework to indicate the ‘fitness for purpose’ of an organizations’ CWM.

• identify the relationships between each of the TOE actors for consent withdrawal. • develop a reference process model and associated methodology to indicate the ‘fitness for purpose’ of an organizations’ CWM. • demonstrate and evaluate the process model and the associated methodology in a real-world environment.

The outputs of this research will: • Identify the relationships between the underlying technology, organization and environment variables for CWM in IS. • Be reference process model and methodology artefacts that can be utilised by practitioners in designing, deploying or improving IS with respect to their ‘fitness for purpose’ with the consent withdrawal requirements of GDPR. • Include an evaluation of the process model and methodology with consent management practitioners.

The process model will indicate how the characteristics of each of the aspects of consent withdrawal relate to each other and to the ‘fitness for purpose’ of the system. The methodology will instruct the use of the model.

The Design Science Process in Data Quality research [ 29 ] is adapted in Fig. 1 and is used as the overarching research methodology. The reference process model and methodology will be artefacts as defined by Peffers et al [ 28 ]. Data gathered using the methodologies below will be used to design, develop, construct and evaluate the artefacts.

The process model will encompass and describe the components, characteristics and relationships observed from the case studies through the theoretical lens of the TOE framework [ 14 ] as adapted in Fig. 2.

The associated methodology will enable practitioners to use the model. A high level perspective of the research methodology each TOE element will use is outlined below.

Qualitative methodologies through interviews will be used to capture data. Interviews will be designed using quantitative and qualitative social research methods [ 7 ] to establish the characteristics, relationships and linkages of the CWM process in the organization by talking to the relevant practitioners.

Technology is not necessarily confined to ‘High Tech’ hardware and software employed in IS, but also encompasses documentation, processes, procedures and other ‘technologies’ as outlined by Baker [ 2 ]. Quantitative methodologies will be used to capture formal data relating to the hardware, software, documentation, processes, procedures or other ‘systems’ in place and being utilised or available to be utilised external to the organization for CWM. Analyses that indicate distance between the current technology deployment and the available state of the art imply a capacity for innovation in CWM.

The commitment of the organization to CWM can be linked to resources (both budget and people), roles with responsibility and authority, and cross unit, cross functional, or matrixed teams with organization wide mandate. Quantitative indicators such as a chief information officer (CIO), a dedicated data protection officer or department and other resources may be observed in the formal consent management process. However, the relationships between these and the wider organization, including the IS organization, and the organizations relationships with its external data subjects will be measured using qualitative methods.

Differences in the commitment to CWM between organizations of different size (SME v Large) or type (Public v Private) may be observed. This may be an opportunity to provide a comparative analysis between different size and types of organizations.

This research will address the ‘environment’ in the context of CWM under ‘Government Regulation’, specifically related to GDPR and its obligations on organizations operating in the EU and in particular the assertion laid out in article 7 that “It shall be as easy to withdraw as to give consent.”. This requires an engagement with data subjects independent of, and external to, the organization to ascertain their perception of the ease of the withdrawal of their consent.

The PEOU methodology, [ 12 ], will be used to gather data from data subjects on their experience and perception of consent withdrawal. Data Subjects will be employed, using Amazon Mechanical Turk, to interact with the participating organizations. Quantitative methods will be used to design research questionnaires and associated Likert scales to provide measurements [ 20 ], to establish the Data Subjects POEU of the organizations CWM process. 4.2

In keeping with the DSR Methodology, the problem was defined as an observed feature of current consent management and its interaction with end users of digital offerings. A systematic literature review established the current state of the art in privacy, consent, and consent withdrawal research using the methodology outlined by Webster and Watson [ 38 ]. The literature review showed a gap between the current research state of the art approaches to the problem and their implementation and adoption by organizations. 4.3

An artefact that can be evaluated as to its utility is required in DSR. Using the case study data, two DSR artefacts will be developed - a reference process model of the key influencing factors of CWM and an accompanying methodology to enable practitioners to use the model. Iterative conversations with practitioners will allow for the continuous refinement of the artefacts. 4.4

The artefacts will be demonstrated to participating organizations and evaluated by measuring their influence on decision making for innovations to the management of consent withdrawal in the organizations’ IS. The Perceived Usefulness (PU) methodology [ 12 ] will be applied to gather data from technology innovation gatekeepers on the usefulness of the ‘fitness for purpose’ artefacts [ 37 ], in assisting with innovation decisions on their CWM system.

As the results of the research emerge these will be communicated to the wider research community particularly those with interest in privacy, consent withdrawal and design science, through peer reviewed publications in conferences and journals. 5