What profiling techniques do you use and what information do you need to provide to your customers?
GDPR will have a significant impact if your organisation undertakes profiling for the purposes of analysis, segmentation or predictive modelling. Most crucially, the EU Regulation requires organisations to inform consumers if profiling is taking place.
[This guide is subject to change when EU guidance on profiling & automated decisions is published – The ICO says the feedback received from its profiling discussion paper will inform its input into drafting the EU guidance]
This represents a marked change from Directive 95/46/EC, which doesn’t explicitly mention the word profiling. Article 4 of the GDPR now defines profiling as:
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
It is a very comprehensive definition covering, amongst other things, most of the automated decision making commonly used in marketing.
Does the profiling you undertake require consent?
During the GDPR negotiations many feared that opt-in consent would be required for all types of profiling. However, the final text identifies that selected types of profiling may be treated differently. Article 21 gives individuals the right to object to profiling related to direct marketing purposes, whereas Article 22 lays down specific conditions for profiling which produces ‘legal or similarly significant effects’.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.