Your organisation can protect individual rights related to automated decision-making and profiling, particularly where the processing is solely automated with legal or similarly significant effects.
Ways to meet our expectations:
- You complete additional checks for vulnerable groups, such as children, for all automated decision-making and profiling..
- Your organisation only collects the minimum data needed and has a clear retention policy for the profiles created.
- If your organisation uses solely automated decisions that have legal or similarly significant effects on individuals, you have a recorded process to ensure these decisions only occur in accordance with Article 22 of the GDPR. If this applies, your organisation must also carry out a data protection impact assessment (DPIA).
- Where the decision is solely automated and has legal or similarly significant effects on individuals, a recorded process allows simple ways for individuals to request human intervention, express their opinion and challenge a decision.
- You conduct regular checks for accuracy and bias to ensure that systems are working as intended, and you feed this back into the design process.
Can you answer yes to the following questions?
- Do staff and customers find your retention policy clear?
- Do staff say you have effective processes to protect rights relating to automated decision-making and profiling?
- Would individuals say you made it easy to request human intervention, express their opinion and challenge a decision?