Automated profiling and GDPR

22 November 2017 by smartimpact team

With the fine detail still being worked out by the EU and the Information Commissioner’s Office, it’s important to keep up to date with developments around the General Data Protection Regulation (GDPR).


One working group, the catchily titled Article 29 Data Protection Working Party, has been busy drafting additional guidance on certain aspects. Here’s what they say about…

Automated Profiling & Decision-Making

With the rise of the digital world, we are all increasingly subject to automated profiling; GDPR looks to ensure we are not adversely affected by this and by any decisions made off the back of the profiling.

Under GDPR, individuals have the right to ‘not be subject to a decision’ when it is based on automated processing AND produces a legal effect or similarly significant effect on the individual.

Okay, there are three things to consider here:

1. Automated processing

To be classified as profiling, the activity must be automated in some way, be carried out on personal data and be done in order to evaluate personal aspects of an individual. If you collect data on individuals, look for correlations in that data and make assumptions about their present or future behaviour off the back of those correlations, then you are profiling.

Profiling in itself is okay, but if you then automate the decisions based on that profile, GDPR applies and you need to be able to prove you are lawfully processing the data. If there is human intervention in the process, then it is not automated and not subject to the need for consent.

2. Legal effect

If someone’s legal rights will be affected by the decision-making, then this right applies and you need to gain consent, or use another method of proving the lawful processing of data.

3. Similarly significant effect

Equally, if the effect on the individual will be significant, then GDPR applies. But what constitutes ‘significant’?

The working party has decided ‘significant’ would be more than trivial and of a similar level to the legal effect, e.g. affecting whether the individual is granted a mortgage to buy a first home or able to purchase a kitchen on credit.

The working party mentions online advertising but notes that this is generally trivial. You only need to ensure you gain consent if the decision-making changes the price advertised; if the advertising is to a vulnerable group, e.g. online gamblers; or if either the profiling or the way the advert is delivered is particularly intrusive.

What does all this mean?

Essentially, if you have some form of human intervention, or if the subsequent decisions made do not legally, or in other ways significantly, affect the person’s rights, you don’t have to get consent for the data collection.

Equally, if you need to conduct the activity in order to perform a contract with the individual, you’re okay.

Best practice says that it is always good to gain consent for all different types of data collection and activity, but if you are simply serving Google AdWords to people who have visited your website previously, then you don’t need to panic.

What should I do now?

What kinds of automated profiling do you do in your business? Make a list and read more about the working party guidance to see if you need to take action now.
