What profiling techniques do you use and what information do you need to provide to your customers?
GDPR has a significant impact if your organisation undertakes profiling for the purposes of analysis, segmentation or predictive modelling. Most crucially, the EU Regulation requires organisations to inform consumers if profiling is taking place.
[The Article 29 Working Party draft guidelines published in October 2017 can be found here or we have produced an overview: GDPR & Profiling – What the WP29 guidelines say]
This represents a marked change from Directive 95/46/EC which doesn’t explicitly mention the word profiling. Article 4 of the GDPR now defines profiling as:
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
It is a very comprehensive definition covering, amongst other things, most of the automated decision making commonly used in marketing.
Does the profiling you undertake require consent?
During the GDPR negotiations many feared an opt-in consent would be required for all types of profiling. However, the final text identifies that selected types of profiling may be treated differently. Article 21 gives individuals the right to object to profiling related to direct marketing purposes whereas Article 22 lays down specific conditions for profiling which produces ‘legal or similarly significant effects’.
What this means in practice is that where an organisation already has grounds for direct marketing, such as consent or legitimate interests, it does not need to gather an additional consent to profile for DM purposes, for example to segment an audience for marketing communications. It will, however, have to notify data subjects of the profiling when it captures the personal data.
The second category, profiling with ‘legal or similarly significant effects’, is explained in GDPR with examples such as the use of profiling to judge an application for a credit card and its use in e-recruiting without human intervention. It remains to be seen how far this definition will be expanded by guidance from the Regulators. Organisations which wish to carry out this type of profiling must be able to rely on one of these three conditions for processing:
i) It is required for entry or performance of a contract
ii) It is authorised by EU or Member State Law
iii) The individual has actively consented to the profiling
Crucially, under the GDPR, profiling of children is a no go, and explicit consent will be required for Special Categories of Data (an expanded definition of what is currently referred to as Sensitive Data).
What do you need to tell consumers about the profiling you are undertaking?
Under GDPR the Data Controller is obliged to do the following regarding profiling activities:
a) Inform Data Subjects about the existence of profiling at the point of data collection, using explicit wording clearly and separately from other information.
b) Explain at the point of data collection the “logic involved”, and the significance and envisaged consequences of the processing.
c) Inform the Data Subjects of their right to object to profiling; let them know they can opt-out if they wish and provide a way for them to do so.
How do you explain profiling to consumers?
The word ‘profiling’ may have very negative associations for some consumers. They may immediately think of criminal profiling, or perhaps they will be concerned about unexpected collection of data on their habits and behaviour. So your explanation will need to be worded carefully, in a way that enables consumers to understand and feel comfortable with the processing taking place. A balancing act will be required between providing enough detail to meet GDPR requirements and not making it too wordy or technical.
Highlighting the ‘value exchange’ which occurs when you collect data and how profiling can benefit the consumer may prove a productive approach.
Example of permission statement wording:
At XYZ, we have exciting offers and news about our products and services that we hope you’d like to hear about. We will use your information to predict what you might be interested in. We will treat your data with respect and you can find the details of our Contact Promise here.
I’d like to receive updates from xxxxx based on my details
Can you uphold an individual’s right to object to profiling or record consent?
Organisations need to have systems and processes in place to ensure the right to object to profiling can be practically upheld. Databases will have to record objections, and the personal data of those who object will have to be removed from profiling activities.
Where consent for profiling with legal effect has been obtained, this too will need to be recorded including the circumstances of how the consent was obtained and details of what the consent covers.
What do you need to do if you undertake new profiling activities?
In cases where a new profiling activity is being planned, it may be necessary to carry out a Data Privacy Impact Assessment. It is mandatory under GDPR to carry out a DPIA if the proposed activities are likely to result in high risk to the rights and freedoms of individuals. Under this mandatory requirement the Regulation provides the example of:
Automated processing (including profiling) which may significantly affect the individual or might produce legal consequences
In many cases the activities you are undertaking might be considered medium to low risk, and while a DPIA might not be essential, it may prove an invaluable exercise to help justify profiling.
What safeguards do you need in place?
Under GDPR there is a requirement to ensure certain safeguards are in place when processing personal data for all profiling purposes (i.e. whether for DM purposes or for profiling with legal or similarly significant effects).
Organisations need to be able to demonstrate compliance with these 3 conditions:
a) They are using ‘appropriate mathematical or statistical procedures’ for the profiling, i.e. it’s got to be mathematically robust.
b) They have ‘appropriate technical and organisational measures’ in place to enable inaccuracies to be corrected and to minimise the risk of errors in profiling.
c) They must ‘secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents inter alia discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, or sexual orientation, or that result in measures having such effect.’
For many organisations, compliance with the GDPR provisions relating to profiling will be challenging. An effective approach may be to anonymise data wherever possible, so it is removed from the scope of the new Regulation. For example, do you need to carry out profiling with personal data in all cases, or could you use non-personal data for profiling instead, e.g. using only postcodes?
It will also be crucial to train employees involved in your big data projects so they fully understand the implications of the new rules, and can factor this into their existing scopes and future planning.
Outside the EU?
Organisations which are based outside the EU need to be aware that they will be subject to GDPR if they:
i) offer goods or services to EU data subjects
ii) monitor the behaviour of EU data subjects (e.g. online monitoring of website visitors)
In the cases above GDPR applies regardless of whether the data processing takes place within the EU or not. Profiling of EU data subjects taking place anywhere from China to Canada will therefore, in theory, fall under the GDPR.
Undertaking a review of any processing operations which may constitute profiling is crucial in order to consider whether procedures need to be updated to ensure compliance with GDPR.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.