HALTING THE ONWARD MARCH OF THE MACHINES? PROFILING OF PERSONAL DATA – WHAT YOU NEED TO KNOW FOR THE GDPR

07 Nov 2017

As technology has advanced, and better algorithms have been developed, businesses (in particular, those which are sales-focussed) have become more sophisticated with profiling and making decisions about their customers. For example, if you run an e-commerce site, you might use profiling to deliver targeted advertisements to your customer base. On the other side of the coin, perhaps, you have applied online for insurance or a loan and received an almost instant decision as to whether you will be offered the policy or loan – that decision being made by the insurer’s/bank’s systems rather than their staff.

Profiling and automatic decision making (ADM) do offer considerable benefits but not without cost or the risk of harm: their use may, perhaps, perpetuate stereotypes. In an attempt to control and limit these activities, the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, imposes restrictions on those that use profiling and/or ADM.

The EU body overseeing GDPR’s implementation has recently published guidance on the new provisions the GDPR will introduce to address these activities. Below, we highlight some of the key issues.

Profiling and ADM in a nutshell

Profiling covers any form of automated processing of personal data to evaluate aspects of an individual, for example to predict their economic situation, health, or behaviour.

ADM is the ability to make decisions by technological means; solely automated decision making takes place without any human intervention.

ADM and profiling have differing scopes and can overlap, but profiling can take place without ADM and vice versa.

The Individual’s Rights

Under the GDPR, individuals must be informed of the existence and consequences of profiling – for example, if your business uses profiling, it must inform an individual when it obtains personal data about them.

Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal (or similarly significant) effects concerning the individual without any human intervention – a good example being automatic refusal of an online credit application.

This right does not apply if the automated decision is:

  • necessary to perform a contract with the individual;
  • based on the explicit consent of the individual; or
  • authorised by EU or UK law which also sets out suitable safeguards to the rights of the individual (e.g. to ensure the security of the services you provide to the individual).

Safeguards must include the right to obtain human intervention and to get an explanation of the decision as well as enabling the individual to express their views on, and challenge, the decision.

How you conduct profiling/ADM

Your processing of personal data for profiling and/or ADM must be in accordance with the data protection principles set out in the GDPR, for example:

  • to ensure fair and transparent processing you should use appropriate mathematical procedures and implement appropriate technological or organisational measures to enable inaccuracies to be corrected; and
  • you must also secure personal data in a way that is proportionate to the risk to the rights of the individual and in a manner which prevents discriminatory effects.

What you cannot do

You must not use automated decision making:

  • where the individual is a child; and
  • in relation to other types of sensitive personal data (such as ethnic origin, political opinions, etc) unless you have explicit consent from the individual or the processing is necessary for reasons of substantial public interest on the basis of UK or EU law.

Next Steps

Prior to 25 May 2018, you should:

  • conduct a data protection impact assessment, ideally before using ADM or profiling in relation to personal data;
  • review and amend any existing policies and procedures you have in place dealing with ADM or profiling so that they comply with the GDPR;
  • get GDPR-compliant policies and procedures drafted if you do not have any; and
  • ensure your staff are aware of your obligations in relation to ADM and profiling under the GDPR.
