The ICO exists to empower you through information.

About this detailed guidance

This guidance discusses automated decision-making and profiling in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you apply the rules relating to automated decision-making and profiling in practice. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

If you haven’t yet read automated decision-making and profiling in brief in the Guide to UK GDPR, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.

Contents

What is automated individual decision-making and profiling?

What does the GDPR say about automated decision-making and profiling?

What is profiling?

What is automated decision-making?

What are the benefits of profiling and automated decision-making?

What are the risks? 

What type of processing is restricted?

What does ‘solely’ automated mean?

What types of decision have a legal or similarly significant effect?

Automated decision-making systems are a key part of our business operations – do the GDPR provisions mean we can’t use them?

We profile our customers to send relevant marketing to them – does Article 22 stop us doing this?

When can we carry out this type of processing?

What else do we need to consider if Article 22 applies?

What are the exceptions?

What about special categories of personal data? 

What’s a DPIA?

What do we need to tell individuals and why?

How can we explain complicated processes in a way that people will understand?

What’s the best way to provide privacy information?

What other rights do individuals have?

Will we need to make any other changes to our systems?

What if Article 22 doesn’t apply to our processing?

Are there any key areas we should focus on?

Can individuals object to profiling?