Profiling is defined under the EU General Data Protection Regulation (GDPR), and there are rules on automated decision-making and profiling that organisations need to consider. These include requirements for transparency about such activities and for consent when certain conditions apply.
The Article 29 Working Party (WP29) has published draft guidelines, and the consultation on these has now closed. (The WP29 includes representatives from the data protection authorities of each EU member state and adopts guidelines for complying with the requirements of the GDPR.)
Overview of the WP29 profiling and automated decision making guidelines
What is Profiling?
The GDPR specifically includes a definition of profiling:
‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements [GDPR Article 4(4)]
The WP29 says profiling is comprised of three elements:
- It has to be an automated form of processing
- It has to be carried out on personal data, and
- The objective of the profiling must be to evaluate personal aspects about a natural person
Profiling has to involve some form of automated processing, but human involvement does not necessarily take an activity out of the definition.
The WP29 states: “simply assessing or classifying individuals based on characteristics such as their age, sex and height could be considered profiling, regardless of any predictive process.”
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.