In detail

Even if Article 22 does not apply to your processing, for example because there is human involvement in the decision-making process, you must still comply with the GDPR principles and identify and record your lawful basis for the processing. This is also the case for any new profiles you create.

Are there any key areas we should focus on?

You may want to revise your privacy policy and inform individuals about any automated decision-making involving profiling that you carry out, especially if it’s unlikely they would expect it. You should still tell people what data you’re using and where it’s come from.

Even if you don’t think the processing falls within Article 22, it’s good practice to do this and helps you be more transparent – particularly because this type of processing won’t necessarily be obvious to individuals.

As part of assessing whether your processing is fair, you also need to think about whether any profiling is fundamentally linked with the reason for using the service and what people would reasonably expect you to do with their data. While a retailer analysing loyalty card data to decide what new products to suggest to a customer might be an expected activity, analysing someone’s social media posts to reject them for a job, refuse a loan, or increase their insurance might not be.

Individuals have access rights to the personal information you process about them, including information used in any profiling you carry out.

Remember as well that if the data you’re using isn’t correct then any profile or decision based on the data will also be flawed.

Don’t collect too much information or keep it for too long. Just because your systems allow you to retain vast quantities of data doesn’t mean you should. Retaining more than you need also makes it more difficult to keep the data up to date, accurate and relevant for any profiling you’re carrying out.

Read our guide to the GDPR for information on compliance with the data protection principles and the different lawful bases for processing. Our guidance on lawful bases includes an interactive guidance tool which helps you to assess which lawful basis is likely to be appropriate for your processing.

Can individuals object to profiling?

Article 21 of the GDPR gives individuals the right to object to any profiling that you carry out:

  • on the basis of legitimate interests or on the basis of public task or official authority. In these cases an individual can object on grounds relating to his or her particular situation. You’ll have to stop the processing unless you can show that you have a compelling reason to continue the profiling that overrides the individual’s interests;
  • for direct marketing purposes. You must stop the profiling as soon as you receive an objection. There are no exemptions or grounds to refuse.

You must bring this right to the attention of individuals and present it separately from other information.

If you receive an objection under Article 21 you need to respond within one month and confirm the action you’ve taken.

Further reading - Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The WP29 published the following guidelines which have been endorsed by the EDPB:

  • Guidelines on Automated individual decision-making and profiling (Chapters III and V)
  • Guidelines on consent
  • Guidelines on transparency