GDPR automated decision-making and profiling: what are the requirements?

In addition to data subjects’ rights to be informed, of access, to rectification, to erasure, to restrict processing, to data portability and to object, the EU’s GDPR (General Data Protection Regulation) sets out requirements relating to automated individual decision-making, including profiling.

In brief:

  • Profiling now has a distinct definition.
  • Automated individual decision-making, including profiling, is restricted.
  • There are three exceptions to this restriction:
    1. If it is necessary to perform a contract between the data subject and a data controller.
    2. If it is authorised by EU or member state law to which the data controller is subject.
    3. If the data subject gives their explicit consent.
  • Where any one of these exceptions applies, data controllers must introduce additional safeguards.
  • In some circumstances, data controllers must carry out a DPIA (data protection impact assessment).
  • Data controllers must provide data subjects with specific information relating to individual decision-making, including profiling.
  • Additional restrictions apply to processing special category and children’s data.

This blog examines these new requirements and how they will affect organisations.

What is profiling under the GDPR?

The GDPR defines profiling as:

“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

So, you are carrying out profiling if you collect and analyse personal data using algorithms or AI, make associations between habits and characteristics based on that data, and predict individuals’ behaviour based on the demographic or profile that you’ve assigned them.

Profiling is most often used for marketing purposes, but it is also used in other areas, such as healthcare, financial services and education, where large volumes of data need to be analysed in order to make quicker and more consistent decisions.

Such decision-making is now restricted.

What are data subjects’ GDPR rights relating to profiling?

Article 22 of the GDPR states:

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

The GDPR’s requirements differ from the DPA 1998 (Data Protection Act 1998), under which “individuals had a right to be informed about automated decisions that significantly affected them but generally you could carry out this type of processing unless you received an objection”.

What does the GDPR mean by ‘solely’ automated decision-making?

If the decision-making process is entirely automated and there is no human influence on the outcome, then it falls under the Article 22 requirements.

However, if there is any active human intervention – for example, if someone checks automated decisions and overrides them – then the decision-making process is not solely automated and Article 22 does not apply.

What are legal effects or similarly significant effects?

A decision that has a legal effect is one that affects data subjects’ legal rights or legal status – for example, a process that evaluates an individual’s eligibility for state benefits.

One that has a similarly significant effect has comparable consequences – for example, the automatic refusal of a loan application, or the decision not to give a job interview based solely on the results of an online aptitude test.

The WP29 (Article 29 Working Party) – now the EDPB (European Data Protection Board) – issued guidelines on automated individual decision-making and profiling under the GDPR in 2017, which provide more advice.

What do the GDPR profiling requirements mean in practical terms?

If you are a data controller, it is likely that you will need to update your processing activities to meet the GDPR’s requirements relating to individual automated decision-making, including profiling.

Data controllers must carry out a DPIA in accordance with Article 35 as automated decision-making is categorised as high-risk processing.

Click here for more information about DPIAs under the GDPR >>

You will also need to ensure you adhere to the GDPR’s six data processing principles and comply with the other GDPR principles, including those relating to lawful processing.

Help complying with the GDPR

Here at IT Governance, we have a wide range of products and services to help your GDPR compliance project – whatever your budget or level of expertise.

Visit our information pages for more information about GDPR compliance and to see how IT Governance can help you comply with the GDPR >>

About The Author

Neil Ford

Neil has worked at IT Governance since 2013. He writes about all IT governance, risk management and compliance subjects, and can often be found talking about them on podcasts and videos.