The advent of high-volume data analytics technologies, AI, and machine learning has led to a booming data analytics industry. In addition, the general availability of large amounts of personal data on the internet and on “Internet of Things” devices has created the ability for firms operating in nearly all sectors, including advertising, banking, and insurance, to create profiles about individuals; profiles which can then be used to make automated decisions about those individuals.

Definition of Profiling

Profiling, in non-legal jargon, is defined in the UK and EU GDPR (“GDPR”) as the automated processing of personal data to evaluate the “personal aspects” of an individual, in particular, to analyse or make a prediction about that individual.

The reference to “automated” processing, as opposed to “solely” automated processing in this description, means that the GDPR definition of profiling will also include decisions based on profiling where human intervention is involved. It’s also worth noting that the activity of simply assessing or classifying an individual in, for instance, a CRM database based on their age and sex would also qualify as profiling even if no intention exists to predict that individual’s behaviour.

The problem is that whilst profiling can deliver commercial and societal benefits (think of personalised services or personalised medicines and healthcare), automated decision making can create very real risks to the rights and freedoms of individuals, whose classification following an automated decision could prevent them from accessing credit or securing employment.

Prohibition

For this reason, the GDPR prohibits data controllers from making decisions based solely on automated decision-making, including profiling, except where the decision is made: (a) for the purposes of performing or entering into a contract, (ii) subject to UK domestic law or, in the case of the EU GDPR, member state law or (iii) with the individual’s explicit consent.

It is important to note also that solely automated decision-making may or may not include profiling. A frequently cited example of a type of automated decision-making process that does not involve profiling is the imposition of speeding fines based on the evidence from speeding cameras. The decision to issue the fine is made without considering other factors such as a pre-compiled profile of the driver’s driving habits.

GDPR Compliant Profiling

If you are an organisation engaged in profiling, whether it is conducted solely or not by automated means, you must conduct profiling according to the GDPR’s principles and the data subjects’ access rights. As an example, the principle that data should be processed in a “lawful, fair and transparent” manner is backed up by several specific information provision obligations in the GDPR, which in the context of automated decision-making, including profiling, requires controllers to provide data subjects with the following information:

  • the existence of automated decision-making;
  • meaningful information about the logic involved (e.g. that a credit check by a mortgage company will involve an evaluation of the applicant’s “score”); and
  • the significance and envisaged consequences of such processing for the data subject

The provision of the above information is particularly critical where the data controller relies on the data subject’s explicit consent as the lawful basis for automated decision-making. This is because a failure to provide the above information could invalidate the individual’s consent on the basis that such consent was not “informed” as is required under the GDPR.

Data Protection Impact Assessment

In the case of point 3the completion of a Data Protection Impact Assessment (“DPIA”) will assist the controller in identifying when a serious risk to the rights and freedoms of data subjects is likely to arise as a result of the automated decision-making process. In addition, a DPIA is an important tool for demonstrating compliance with the newly introduced GDPR principles of accountability and transparency. So it is always prudent to conduct and continue to conduct DPIAs against any process or set of processes that involve solely automated decisions or decisions based on profiling that are not solely automated.

In summary:

  • Decision-making can be either: solely automated (“the computer says no”) or based on profiling that is not solely automated (“human makes the decision”).
  • The GDPR, subject to certain exceptions, prohibits decisions based on solely automated decision-making.
  • Profiling can occur even if the controller has no intention of using the results to predict the behaviour of an individual or a group of individuals.
  • There must be a lawful basis for the profiling operations, and the GDPR principles continue to apply.
  • It is prudent to conduct a DPIA before beginning any form of profiling operation.

Should you require further advice and information regarding the application of the GDPR and PECR 2003 to profiling and automated decision-making in your organisation or how to conduct a Data Protection Impact Assessment, please contact us here.