The GDPR, or General Data Protection Regulation, has introduced rules related to profiling and automated decision-making. Websites now need to prepare accordingly and change how they collect data and make automated decisions. Users must be informed of, and asked for their consent to, the collection and processing of their data.
Profiling and automated decision-making are two areas under GDPR that have received their fair share of confusion. To understand the terms better, let us first discuss what profiling and automated decision-making are.
Profiling means the processing of the personal data of a person or a group in order to evaluate aspects of an individual. This method is also used for targeting online ads based on browsing behavior.
Profiling is part of automated decision-making, but it is all about evaluation and not about making the decision.
Profiling Considerations under GDPR
- Profiling tracks the browsing activity of a user, which runs against the transparency that GDPR requires to be provided to users about such activities. Users need to be informed beforehand of any such activity when they visit the website.
- The consent of users to the profiling of their data is also important. It must be ensured that users can make an informed choice: users, or data subjects, must explicitly give their consent before any kind of data processing is carried out.
- A legitimate interests assessment needs to be conducted beforehand. It should consider the impact of profiling and ensure there is no discrimination against anyone.
- Users have the right to object to profiling. If a data subject wishes to halt the profiling of their data, the request must be complied with unless they are bound by a contract.
- Data subjects can also object to profiling and to a website's use of their data when that data is required for any processing.
- Users also have the right to be forgotten. They can request that the website delete the data that has been profiled. On receiving such a request, the website has to delete the data and provide the user with a copy of the personal data it collected, within a month and free of charge.
- Profiling of children's data is not allowed, irrespective of their age.
Automated decision-making, clearly defined, means making decisions by automated processing of data without any human involvement in the process.
Some examples are automatic disconnection from a mobile phone service when a bill is not paid, denial of a social benefit granted by law, etc.
Any ADM, or automated decision-making, with human involvement will not qualify as an automated decision. But if a human merely inputs the data and the decision itself is taken automatically, it can be considered an automated decision.
Automated decisions often lead to discrimination against individuals.
Automated Decision-Making Considerations under GDPR
- GDPR protects user data and allows automated decisions only when necessary. Some of the cases in which automated decision-making can be conducted are given below.
- When ADM is necessary for entering into, or performing, a contract between the data subject and the organization.
- When it is authorized by EU or Member State law, ADM can be carried out regardless of the people involved.
- When the user gives their explicit consent for carrying out automated decision-making activities.
- A Data Protection Impact Assessment (DPIA) is to be carried out before any ADM takes place, to identify the risks involved in carrying it out.
- Users are to be informed beforehand of their right to request a review of an automated decision. A user who is unhappy with the result of ADM can ask for a review, which can lead to the decision being reversed if necessary. The organization will then need to explain how and why the decision was reached.
- ADM can be carried out in the public interest as lawful processing. It can also be carried out in a medical emergency, when it is a life-and-death situation.
What steps should the organizations be taking?
- Organizations need to identify their profiling and automated decision-making activities. They should compile a list of all automated decisions made and the effects these have on individuals.
- Organizations must document all ADM decisions and the data collected during profiling, as part of GDPR requirements.
- Inform users about your profiling activities and automated decisions. Users have the right to be informed, to object and to withdraw their consent when agreeing to share their personal data. They must also be provided with a copy of the data collected by the website if they request it.
These were some points to give a general idea of profiling and automated decision-making under GDPR.