Do we need data privacy consent from individuals to use real data in secondary systems?

In summary, yes: data privacy consent is required from individuals to use real data in secondary systems.

A secondary system can be a system used for research purposes, for example in healthcare. A secondary system can also be part of the IT landscape, such as a test or quality system, or even a business warehouse for analytics.

In a nutshell, the best way to eliminate your risk is to anonymize the data in secondary systems. Anonymizing the data removes the need for data privacy consent and (with proof) removes the systems from GDPR compliance processing, while still providing the data for analysis or testing. Learn more about TDA, Natuvion’s automated way to anonymize data in your secondary systems.

Read on to learn more about "Consent".

GDPR enhances requirements for obtaining data subject consent

GDPR requires the data subject to signal agreement by “a statement or a clear affirmative action.” Under the GDPR, data privacy consent must be “freely given, specific, informed and unambiguous.” 

Recital 32 clarifies that an affirmative action signaling consent may include ticking a box on a website, “choosing technical settings for information society services,” or “another statement or conduct” that clearly indicates assent to the processing. “Silence, pre-ticked boxes or inactivity,” however, is presumed inadequate to confer consent.

  1. Article 7(3) of the GDPR gives data subjects the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.” Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing.
  2. In Recital 43, the GDPR adds a presumption that consent is not freely given if there is “a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.” Importantly, a controller may not make a service conditional upon consent, unless the processing is necessary for the service.
  3. The GDPR adds that consent must be specific to each data processing operation. To meet the specificity requirement under Article 7, a request for consent to data processing must be “clearly distinguishable” from any other matters in a written document, and it must be provided “in an intelligible and easily accessible form, using clear and plain language.”
  4. Note: The regulation does exempt controllers from obtaining data privacy consent for subsequent processing operations if the operations are “compatible.” Recital 50 states that compatibility is determined by looking at factors including the link between the processing purposes, the reasonable expectations of the data subject, the nature and consequences of further processing, and the existence of appropriate safeguards for the data. Under Article 5(1)(b), additional processing for archiving in the public interest (as defined by the member state), statistical purposes or scientific and historical research generally will be considered compatible and, therefore, exempt from specific consent.

What about processing for new purposes?

Organizations often want to process data collected for one purpose for a new purpose that was not disclosed to the data subject at the time the data was first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

  1. any link between the original purpose and the new purpose;
  2. the context in which the data have been collected;
  3. the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
  4. the possible consequences of the new processing for the data subjects;
  5. the existence of appropriate safeguards, which may include encryption or pseudonymization. Take a look at Natuvion's TDA tool, which automates pseudonymization in your primary systems.

In summary, to reduce risk around data privacy consent and use in secondary systems or for secondary purposes, the solution is simple: anonymize your data in your secondary and analytics systems, and pseudonymize your data in your production or primary SAP systems.