In this multipart guide, we assess your rights and obligations under the rapidly approaching GDPR, equipping you with the knowledge to stay compliant once the new regulation comes into play.
What is compliant profiling and processing?
The GDPR applies to automated individual decision-making and profiling, and it distinguishes between the two. Profiling is by definition a form of automated processing; automated individual decision-making is a decision reached by automated means alone, with or without profiling. Both fall within the general rules of the GDPR, and the specific restrictions of Article 22 apply when a decision is based solely on automated processing.
This means that the GDPR covers your processing whether it is partly manual, partly automated, or entirely automated online, although Article 22 only bites when no human is meaningfully involved in the decision itself.
The GDPR defines profiling as “Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
Are my processing and profiling systems compliant?
Automated individual decision-making is any decision made by automated means without any human involvement. Examples include an online decision to award or refuse a loan, a recruitment aptitude test scored by pre-programmed algorithms and criteria, and similar automated processes. Such a decision does not have to involve profiling, although most real examples will.
The GDPR states that you may only carry out solely automated decision-making with legal or similarly significant effects when the decision is necessary for entering into or performing a contract, is authorised by Union or Member State law applicable to the controller, or is based on the individual's explicit consent. If your processing falls under Article 22, you must give the individual information about the processing, provide a simple way for them to request human intervention or challenge a decision, and carry out regular checks to ensure your systems are compliant and working as intended. To ensure your processes are compliant, check out the regular compliance checklist here.
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
What makes this different to the existing Data Protection Act?
Unlike the existing DPA, the GDPR specifically defines profiling and, through Article 22, restricts solely automated decision-making and profiling with legal or similarly significant effects unless you qualify for one of the three grounds that lift this restriction.
If your processing or profiling does qualify under one of these grounds, however, you must introduce additional safeguards to protect data subjects. These work in a similar way to existing rights under the 1998 Data Protection Act, and include providing individuals with specific information about the automated decision-making and profiling.
The GDPR also places additional restrictions on the use and processing (including profiling) of special category data and children's personal data. For special category data, you may only carry out the processing described in Article 22 if you have the individual's explicit consent or the processing is necessary for reasons of substantial public interest, and in either case suitable safeguards must be in place.
What else should I know?
The processing described in Article 22 is considered high-risk, which means that the GDPR requires you to carry out a Data Protection Impact Assessment (DPIA) to show that you have identified and assessed the risks and how you will address them. You must also give individuals specific information about the processing, take steps to prevent errors, bias or discrimination, and provide a simple and accessible way for individuals to challenge such decisions and request a review. The purpose of this is to give individuals a clearer understanding of how you are using their personal data.
What if Article 22 doesn’t apply to my processing?
If your processing doesn't involve solely automated individual decision-making, including profiling, with legal or similarly significant effects, then you can continue to carry out profiling and automated decision-making, but you are still obliged to meet the rest of the GDPR, including identifying and recording your lawful basis for the processing. This includes having the necessary processes in place for people to exercise their rights.
To find out more about GDPR compliance within your business and best practice for data processing, give MarketDeveloper a call today on +44 1784 432 082.