As technology has advanced and better algorithms have been developed, businesses (in particular, those which are sales-focussed) have become more sophisticated in profiling their customers and making decisions about them. For example, if you run an e-commerce site, you might use profiling to deliver targeted advertisements to your customer base. On the other side of the coin, you may have applied online for insurance or a loan and received an almost instant decision as to whether you will be offered the policy or loan – that decision being made by the insurer’s/bank’s systems rather than their staff.
Profiling and automated decision making (ADM) offer considerable benefits, but not without cost or the risk of harm: their use may, for example, perpetuate stereotypes. In an attempt to control and limit these activities, the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, imposes restrictions on those that use profiling and/or ADM.
The EU body overseeing GDPR’s implementation has recently published guidance on the new provisions the GDPR will introduce to address these activities. Below, we highlight some of the key issues.
Profiling and ADM in a nutshell
Profiling covers any form of automated processing of personal data to evaluate aspects of an individual, for example to predict their economic situation, health or behaviour.
ADM is the making of decisions by technological means; a decision is “solely” automated when it is taken without any human intervention.
ADM and profiling have differing scopes. They can overlap, but profiling can take place without ADM and vice versa.
The Individual’s Rights
Under the GDPR, individuals must be informed of the existence and consequences of profiling – for example, if your business uses profiling, it must inform an individual when it obtains personal data about them.
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal (or similarly significant) effects concerning the individual without any human intervention – a good example being automatic refusal of an online credit application.
This right does not apply if the automated decision is:
- necessary to perform a contract with the individual;
- based on the explicit consent of the individual; or
- authorised by EU or UK law which also sets out suitable safeguards for the rights of the individual (e.g. to ensure the security of the services you provide to the individual).
Safeguards must include the right to obtain human intervention and to get an explanation of the decision as well as enabling the individual to express their views on, and challenge, the decision.
How you conduct profiling/ADM
Your processing of personal data for profiling and/or ADM must be in accordance with the data protection principles set out in the GDPR, for example:
- to ensure fair and transparent processing, you should use appropriate mathematical procedures and implement appropriate technological or organisational measures to enable inaccuracies to be corrected; and
- you must also secure personal data in a way that is proportionate to the risk to the rights of the individual and in a manner which prevents discriminatory effects.
What you cannot do
You must not use automated decision making:
- where the individual is a child; and
- in relation to other types of sensitive personal data (such as ethnic origin, political opinions, etc.) unless you have explicit consent from the individual or the processing is necessary for reasons of substantial public interest on the basis of UK or EU law.
Prior to 25 May 2018, you should:
- conduct a data protection impact assessment, ideally before using ADM or profiling in relation to personal data;
- review and amend any existing policies and procedures you have in place dealing with ADM or profiling so that they comply with the GDPR;
- get GDPR-compliant policies and procedures drafted if you do not have any; and
- ensure your staff are aware of your obligations in relation to ADM and profiling under the GDPR.
If you would like any further information or advice on automated decision making, profiling, or the GDPR generally, please contact: