BACKGROUND What is Required for Lawful Processing of Personal Data?
There are six legal bases available for lawful processing of personal data¹ under the GDPR for primary uses (for example, taking payment for a product online) and secondary uses (repurposing) of data (for example, subsequently sending a personalised newsletter to customers based on profiling for marketing purposes). The major differences between the processing of personal data under the prior EU Data Protection Directive and under the GDPR include:
- The fact that the risk and liability exposure from non-compliance under the GDPR is dramatically greater than under the EU Data Protection Directive;
- Post-GDPR regulatory guidance and enforcement actions clarify that Consent and Contract are only available as legal bases to support lawful secondary use (repurposing) of data in very limited situations; and
- There are heightened requirements of transparency and responsibility for how personal data is processed from a legal, reputational and ethical perspective. Under the GDPR, both primary and secondary processing now require that the lawful bases for processing are well documented and that data subjects are “put on notice” of the applicable legal bases at the time of initial collection of personal data.
REPURPOSING DATA What are the Legal Bases for Repurposing Data?
The three legal bases most relevant for lawful secondary use (repurposing) of data are Consent, Contract and Legitimate Interests processing. Let’s look at these three legal bases and explore the advantages of Legitimate Interests processing over Consent and Contract.
Consent & Contract
At first glance, both Consent and Contract appear to be potential routes to repurposing data. However, GDPR requirements for specificity and the right to opt-out without a reduction in service are key factors that must be revisited for each secondary use (repurposing) of data. These requirements for Consent and Contract make satisfying the requirements for lawful repurposing using these bases often impracticable in today’s distributed and agile data ecosystem.
Given the low success rates of reconsenting customers and the numerous impractical revisions of contracts necessary to keep pace with intended data uses, one must question whether the management oversight required to do so in a lawful manner is attainable, especially given the additional privacy risk and liability exposure.
Besides, if the intention is to use personal data to train AI & ML algorithms, one will want to make available as much data as possible with which to conduct the training to avoid bias and discrimination in decision making.
Consent and Contract are both impracticable and result in a loss of valuable data that undermines innovation and opportunity from more significant data-driven insight.
REPURPOSING DATA What are the Benefits of Legitimate Interests Processing
Since Consent and Contract are challenging under the GDPR for ethical and lawful secondary uses (repurposing), how can Legitimate Interests help advance further processing of personal data?
First, it is not enough to assert that you have a Legitimate Purpose for the use of the results of processing. Article 29 Working Party Opinion 06/2014,² written in anticipation of the GDPR, makes it clear that the Purpose test is only the first of three tests, each of which must be satisfied to use Legitimate Interests processing as a valid legal basis. Legitimate Interests also requires that two additional tests are satisfied, the second being the “Necessity” test and the third being the “Balancing of Interests” test:
- Necessity is required to make sure that all possible considerations have been evaluated with respect to the need to use the data as intended. Are there alternative sources of data that are equally viable to achieve the same outcome?
- Balancing of Interests is required to make sure the identity of individuals is protected and that the intended processing, or subsequent failures in that processing, does not lead to a material risk of harm to the individuals concerned.
The benefits of processing personal data using compliant Legitimate Interests processing as a legal basis under the GDPR include:
- Under Article 17(1)(c), if a data controller shows they “have overriding legitimate grounds for processing” supported by technical and organizational measures to satisfy the balancing of interest test, they have greater flexibility in complying with Right to be Forgotten requests.
- Under Article 18(1)(d), a data controller has flexibility in complying with claims to restrict the processing of personal data if they can show they have technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the rights of the data subjects are protected.
- Under Article 20(1), data controllers using Legitimate Interest processing are not subject to the right of portability, which applies only to consent-based processing.
- Under Article 21(1), a data controller using Legitimate Interest processing may be able to show they have adequate technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the rights of the data subjects are protected; however, data subjects always have the right under Article 21(3) to not receive direct marketing outreach as a result of such processing.
In summary, Consent and Contract no longer provide a sustainable lawful basis for most secondary processing (repurposing) of personal data. In addition, traditional approaches to anonymization cannot be relied upon to confidently place desired secondary processing (repurposing) of personal data outside of the scope of GDPR jurisdiction. As a result, without state-of-the-art technical and organizational safeguards to enable GDPR compliant Legitimate Interests processing, many datasets in your organization are rendered inaccessible and unlawful for desired secondary processing (repurposing) purposes.
However, use cases with major international organizations confirm that 100% of the accuracy of analytical value can be lawfully retained in datasets using Legitimate Interests processing enabled by Anonos GDPR compliant technology for:
- Training AI and ML algorithms; and
- Sharing and combining protected datasets.
ANONOS BIGPRIVACY TECHNOLOGY Variant Twins Enable Legitimate Interests Processing
Anonos BigPrivacy uses state-of-the-art GDPR compliant Pseudonymisation-enabled Variant Twins® to create privacy respectful versions of both direct identifiers (e.g. passport number, credit card numbers) and indirect identifiers (e.g. date of birth, zip code, gender) to enable ethical and lawful secondary processing (repurposing) of personal data.
Variant Twin data element level controls support compliant Pseudonymisation and Data Protection by Design and by Default to satisfy the Balancing of Interest test required for lawful Legitimate Interests processing under the GDPR. With Variant Twins, the degree of protection applied to the data is “baked” into the dataset in such a way that the benefits of combining ever-increasing sources of data remain, enabling correlations and discoveries to still be made and realised, but in a privacy respectful way.
Variant Twin technology makes it possible to generate Pseudonymous data using dynamism and to measure the risk of re-identification, which mitigates the growing tension between data innovation and the requirements for ethical and lawful processing of personal data under increasingly stringent laws. Anonos leverages patented dynamism to transform direct and indirect identifiers, based on who is using the data and for what purposes, while retaining and controlling the linkability of the data to re-identify data subjects for authorized uses only.
Anonos Variant Twin technology creates sustainable data assets that:
- Preserve the full utility of original source data
- Deliver the desired resistance to re-identification of “anonymisation”:
  - For “locally anonymous” internal use
  - For “universally anonymous” data sharing and combining
- Retain the ethical and lawful control over re-linkability of GDPR compliant Pseudonymised data
Legitimate Interests processing enabled by Anonos Variant Twin® technology is the logical choice to advance Data Protection by Design and by Default and to accelerate your organization’s digital data journey.
¹ Article 6 of the GDPR sets forth the following six lawful bases for processing personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those interests.