Jan 31

Data Subject Rights – Automated processing & Profiling

DPOrganizer’s GDPR Requirements Series

#26 Automated processing & Profiling

The Requirements Series is coming to a close next week, but before that, we are moving into the more futuristic area of the GDPR, namely the rules on automated individual decision-making and profiling. It is a bit interwoven with big data and analytics, machine learning, artificial intelligence and the Internet of Things; constantly relevant and top of mind these days.

This post will firstly explain what automated individual decision-making and profiling are, and then the requirements surrounding the usage of these technologies.

Automated decision-making is, according to the WP29 and the EDPB, the ability to make decisions by technological means without human involvement. These decisions can be made with or without profiling; the two are not necessarily mutually exclusive or the same.

Profiling has a legal definition in the GDPR, that is:

any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

Essentially, profiling is made up of three components. Firstly, the processing needs to be automated; secondly, it needs to involve personal data; and lastly, the profiling must aim to evaluate the personal aspects of a natural person.

In the UK and the EU, fully automated individual decision-making, including profiling, with legal or similarly significant effects is generally prohibited. However, the prohibition doesn’t apply if any of these situations are at hand:

  1. It is necessary for entering into, or performance of, a contract between the data subject and you;
  2. It is authorised by a law of the EU/EEA or a Member State (or the UK’s domestic law) to which you are subject. The law also needs to lay down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  3. The data subjects have given their explicit consent.

The decisions need to have a legal or similarly significant effect on the data subjects. Here are some examples of similarly significant effects, but usually you have to evaluate them on a case-by-case basis. Similarly significant effects could be those affecting someone’s:

  • Financial circumstances, such as their eligibility for credit
  • Access to health services
  • Employment opportunity
  • Access to education, for example, university admissions

If you are using profiling algorithms, you should consider regular quality assurance checks of the system to make sure that individuals are being treated fairly and that the system is not producing discriminatory, erroneous, or unjustified results.

You can only base decisions and profiling on special category personal data if:

  • You have the data subject’s explicit consent; or
  • The processing is necessary for reasons of substantial public interest.

In general, you should not use automated individual decision-making regarding children. It is acceptable if the decision is to protect their welfare, but not for purposes like marketing or online gaming.

You must implement suitable technical and organisational measures to safeguard the data subject’s rights and freedoms and legitimate interests. Furthermore, the measures should always include the right to obtain human intervention, to express the data subject’s view, to contest the decision and to obtain an explanation of the decision reached. You ought to take steps to prevent errors, bias, and discrimination.

As a matter of best practice, you can provide a link or message to an appeal process when the automated decision is delivered to the data subject. The message should include the time scales for a review and the named contact point for any queries. DPOrganizer’s app makes it easier to handle requests, and it would be a time-saver in identifying what data are processed, where, how, and why. You can also create a case and have a case log readily available for responding to the request.

If you have questions, I am available at albin.thelin@dporganizer.com, or you have other privacy pro peers over at the community Watercooler that would be happy to help out a fellow colleague. Please join us next week when we are going to be talking about training and awareness as a way to build accountability, governance and compliance. See you next week for the last post of this series!
