The General Data Protection Regulation (GDPR) has introduced changes related to profiling and automated decision-making. Websites now need to prepare accordingly and adapt how they collect data and make automated decisions. The Regulation places strict rules around both, which has led many to believe that it will limit the use of automated decision-making methods. Its aim, however, is to protect the rights and freedoms of individuals.
Profiling and automated decision-making are two areas of the GDPR that have caused their fair share of confusion. To understand the terms better, let us first discuss what profiling and automated decision-making are.
What is Profiling?
In short, Article 4(4) of the GDPR defines profiling as follows:
Profiling means the processing of the personal data of a person or a group in order to evaluate their behavior and make decisions based on that evaluation. An example is monitoring website users' online activity in order to serve them tailored ads.
Profiling is often a component of automated decision-making, but it concerns the evaluation itself, not the decision that follows it.
Profiling Considerations under GDPR
- Since profiling tracks a user's personal data, an organization must be transparent about the data it collects and the purpose of the collection before processing begins.
- The organization must obtain explicit consent from users before collecting and processing their data, unless another lawful basis for processing applies.
- A legitimate interest assessment must be conducted beforehand, considering the impact of the profiling and ensuring it does not discriminate against anyone.
- Users have the right to object to profiling. If a data subject wishes to halt the profiling of their data, the organization must comply unless the processing is required under a contract.
- Data subjects can also object to profiling and to the use of their data wherever that data is required for other processing.
- Users also have the right to be forgotten. They can request the deletion of the data used to profile them. Within a month of receiving such a request, the organization must delete the data and provide the data subject with a copy of it, free of charge.
- Profiling of children's data is not allowed, irrespective of their age.
What is Automated Decision-making?
Precisely defined, automated decision-making (ADM) means making decisions by the automated processing of data, without any human involvement in the process.
Examples include automatic disconnection from a mobile phone service when a bill goes unpaid, or the denial of a social benefit granted by law.
Decision-making with human involvement does not qualify as an automated decision. However, if the decision itself is automated and humans are involved only in the profiling stage, it can still be considered an automated decision.
Automated decisions can often lead to discrimination against individuals.
Automated Decision-Making Considerations under GDPR
- The GDPR protects user data and allows automated decisions only when necessary. Automated decision-making is permitted in the following cases:
  - ADM is necessary for fulfilling a contract between the data subject and the organization.
  - ADM is authorized by EU or Member State law, in which case it can be carried out regardless of the individuals involved.
  - The user has given explicit consent for automated decision-making activities.
- A Data Protection Impact Assessment (DPIA) must be carried out before any ADM in order to identify the potential risks involved in the process.
- Users must be informed beforehand of their right to request a review of an automated decision. If users are unhappy with the result of ADM, they can ask for a review, which may require the organization to reverse the decision. The organization will then need to explain how and why it reached that decision.
- An organization can carry out ADM where doing so is in the public interest, as a lawful basis for processing. ADM can also be carried out in a medical emergency where an individual's life is at risk.
What steps should the organizations be taking?
- Organizations need to identify their profiling and automated decision-making activities and the effects these have on individuals.
- Organizations must document all data collected for profiling and automated decisions, as required by the GDPR.
- Organizations must inform users about their profiling activities and automated decisions. Users have the right to be informed, to object, and to withdraw their consent to share their personal data for profiling. Organizations must also provide users with a copy of the collected data on request.
Profiling and automated decision-making may sometimes produce discriminatory or inaccurate results. It is therefore the organization's responsibility to monitor and review its processes regularly. It must ensure the safety of users' personal data and the protection of their rights, and implement the safeguards necessary to protect the rights and freedoms of individuals.
Disclaimer: The purpose of this article is to share general information with the readers. It does not represent any legal advice. Hence, for any legal assistance related to GDPR compliance, please contact your lawyer or a professional.