What are the data protection principles outlined in GDPR relating to profiling and automated decision-making processes?
In this article, we will consider the operations of profiling and automated decision-making in light of the 7 principles of GDPR.
For a company’s profiling and automated decision-making strategies to be compliant with GDPR, the company must comply with the GDPR principles in addition to any specific GDPR requirements.
Are you ready?
Let’s get started!
What is profiling and automated decision-making?
Profiling
Article 4 GDPR defines profiling as follows:
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”
As defined under GDPR, profiling relates to an automated data processing operation used to make decisions or predictions about individuals.
Automated decision-making
Article 22 GDPR defines the data subject’s rights with respect to profiling and automated decision-making as follows:
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
The data subject’s rights related to profiling and automated decision-making are composed of a few aspects:
- Decisions based solely on automated processing
- Which produces legal effects or significantly affects the data subject
Automated decision-making is the actual process of using technology to make decisions about a person.
While profiling is the process of evaluating aspects about a person, automated decision-making is the process of making decisions about the individual using technological means and without the involvement of a human.
What are the GDPR principles applicable to profiling and automated decision-making?
There are seven guiding principles outlined in GDPR that companies and organizations must follow when processing data.
These principles apply to any type of personal data processing governed by the GDPR regulation.
Organizations performing profiling and automated decision-making operations will be subject to the GDPR guiding principles.
The following principles are relevant in light of profiling and automated decision-making:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
Let’s look at each of these principles individually.
Lawfulness, fairness and transparency
To start with, the first principle of lawfulness, fairness and transparency is crucial with respect to automated decision-making and profiling activities.
Article 5 GDPR indicates that personal data must be:
“processed lawfully, fairly and in a transparent manner in relation to the data subject”
Companies use complicated algorithms and technologies to analyze a significant volume of data to predict consumer behaviour, interests and derive commercially beneficial patterns.
The average person will have a hard time understanding how profiling and automated decision-making processes work.
In some cases, companies gather scattered data points to infer or derive information about a person, essentially creating new personal data on that person.
This new data may not be based on personal data directly collected from the data subject.
To comply with the principle of lawfulness, fairness and transparency, companies must provide clear, concise and easy-to-understand information about their profiling and automated decision-making processes so the average consumer can understand.
The notion of fairness is also highly relevant when profiling and making automated decisions about individuals.
In some cases, automated decisions may be unfair or may lead to unwarranted discrimination.
If a person’s rights are affected based on factors such as their age, race, opinions or other aspects about the person, there may be direct violations of GDPR and discrimination laws as well.
Purpose limitation
The next principle that is important to address is with respect to the purpose of data processing when profiling or using automated means to make decisions about or related to a person.
GDPR is clear about the data collection and processing purpose.
In other words, if a company intends to collect personal information, it must have a specific purpose and can only use the personal data for that intended purpose.
On purpose limitation, Article 5 GDPR states that personal data can only be:
“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes”
The purpose must be specified, explicit and legitimate.
Any other form of secondary processing operations on the personal data collected must “not be considered to be incompatible with the initial purpose”.
A company collecting personal information cannot necessarily use that information, in combination with other pieces of information, to create a profile on a person and make automated decisions about them.
To ensure that the profiling and automatic decision-making activities remain lawful, companies must make sure that they use the data in a way that remains compatible with the initial purpose based on the guidelines offered by GDPR.
Data minimisation
With the advancement of Big Data processing activities, machine-learning, artificial intelligence and the latest state-of-the-art technologies, data is considered to be the “black gold”.
Data is worth billions of dollars to organizations.
The more data you have, the better from a business perspective.
However, from a GDPR compliance perspective, that may directly lead to the violation of the data minimisation principle.
On data minimisation, Article 5 GDPR states that personal data must be:
“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
Companies must only collect what’s necessary to achieve their purpose.
Collecting everything possible on data subjects, scraping the Internet to collect data on data subjects and combining all that data to assemble a profile on an individual to make various commercial decisions not related to the actual initial purpose of data collection can be dangerous.
Accuracy
The next principle to consider when profiling is data accuracy.
It goes without saying that if a company is creating a profile and using that to make automated decisions, it must make sure that the profile assembled is based on accurate information.
Article 5 GDPR indicates that personal data must be:
“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”
Inaccurate data or bad data can lead to bad decisions.
Bad decisions can lead to data subject complaints, which can lead to an entire regulatory probe and possible fines.
Not only must data controllers process accurate data, but data subjects also have the right to have data controllers correct or even erase inaccurate data.
Companies using technological advancements to do profiling and building models on consumers or individuals must make sure they operate based on good data to avoid any potential harm or detrimental decisions to the data subject.
Storage limitation
The final principle relevant to profiling under GDPR is with respect to storage limitation.
The principle of storage limitation requires that companies store personal data only for as long as it’s necessary and not longer.
In other words, there will come a time when storing data on a person will exceed what is necessary once the purpose of the data processing has been achieved.
Article 5 GDPR states that personal data must be:
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”
Storage limitation can be quite challenging for some companies operating with Big Data and using artificial intelligence.
Typically, the more data the machine can process and work with, the ‘smarter’ the machine can get.
However, companies cannot store data indefinitely to make their machines smarter.
There comes a time when the data must be disposed of in accordance with the principle of storage limitation.
Profiling GDPR: Takeaways
With the advancement of technology, companies can develop systems, machines and platforms able to process a lot of data, correlate the data, create connections, infer customer behaviour and extract commercially valuable patterns.
In many industries, companies are creating profiles on their customers to segment them and potentially make decisions about the group.
Using automated platforms, it is much easier to have a machine process an application than have a human handle it.
With these strategies, companies trigger certain obligations under GDPR relating to profiling and using purely automated means to make decisions about individuals.
We’ve covered the concept of profiling and automated decision-making in our article Profiling and Automated Decision-Making Under GDPR so you can read more about that.
In this article, we’ve analyzed the profiling and purely automated decision-making operations from the perspective of the GDPR guiding principles.
Although all of the 7 principles apply in some form or fashion, we’ve provided a more detailed analysis of the following principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
To comply with GDPR, companies need to comply with the guiding principles, which provide the spirit and the intention behind the data protection regime covered in GDPR.
Companies in the financial, marketing, healthcare, insurance, banking and other sectors are encouraged to properly understand their obligations under GDPR relating to their profiling strategies and any automated decision-making systems they may employ.