07 Nov 2017

As technology has advanced, and better algorithms have been developed, businesses (in particular, those which are sales-focussed) have become more sophisticated with profiling and making decisions about their customers. For example, if you run an e-commerce site, you might use profiling to deliver targeted advertisements to your customer base. On the other side of the coin, perhaps, you have applied online for insurance or a loan and received an almost instant decision as to whether you will be offered the policy or loan – that decision being made by the insurer’s/bank’s systems rather than their staff.

Profiling and automatic decision making (ADM) do offer considerable benefits but not without cost or the risk of harm: their use may, perhaps, perpetuate stereotypes. In an attempt to control and limit these activities, the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, imposes restrictions on those that use profiling and/or ADM.

The EU body overseeing GDPR’s implementation has recently published guidance on the new provisions the GDPR will introduce to address these activities. Below, we highlight some of the key issues.

Profiling and ADM in a nutshell

Profiling covers any form of automated processing of personal data to evaluate aspects of an individual, for example to predict their economic situation, health, or behaviour.

ADM is the ability to make decisions by technological means; solely automated decision making takes place without any human intervention.

ADM and profiling have differing scopes. They can overlap, but profiling can take place without ADM and vice versa.

The Individual’s Rights

Under the GDPR, individuals must be informed of the existence and consequences of profiling – for example, if your business uses profiling, it must inform an individual when it obtains personal data about them.

Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal (or similarly significant) effects concerning the individual without any human intervention – a good example being automatic refusal of an online credit application.

This right does not apply if the automated decision is:

  • necessary to perform a contract with the individual;
  • based on the explicit consent of the individual; or
  • authorised by EU or UK law which also sets out suitable safeguards to the rights of the individual (e.g. to ensure the security of the services you provide to the individual).

Safeguards must include the right to obtain human intervention and to get an explanation of the decision as well as enabling the individual to express their views on, and challenge, the decision.

How you conduct profiling/ADM

Your processing of personal data for profiling and/or ADM must be in accordance with the data protection principles set out in the GDPR, for example:

  • to ensure fair and transparent processing you should use appropriate mathematical procedures and implement appropriate technological or organisational measures to enable inaccuracies to be corrected; and
  • you must also secure personal data in a way that is proportionate to the risk to the rights of the individual and in a manner which prevents discriminatory effects.

What you cannot do

You must not use automated decision making:

  • where the individual is a child; and
  • in relation to other types of sensitive personal data (such as ethnic origin, political opinions, etc) unless you have explicit consent from the individual or the processing is necessary for reasons of substantial public interest on the basis of UK or EU law.

Next Steps

Prior to 25 May 2018, you should:

  • conduct a data protection impact assessment, ideally before using ADM or profiling in relation to personal data;
  • review and amend any existing policies and procedures you have in place dealing with ADM or profiling so that they comply with the GDPR;
  • get GDPR-compliant policies and procedures drafted if you do not have any; and
  • ensure your staff are aware of your obligations in relation to ADM and profiling under the GDPR.

If you would like any further information or advice on automated decision making, profiling, or the GDPR generally, please contact:
