In detail

What is profiling?

Profiling analyses aspects of an individual’s personality, behaviour, interests and habits to make predictions or decisions about them.

The GDPR defines profiling as follows:

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Article 4 (4)

Organisations obtain personal information about individuals from a variety of different sources. Internet searches, buying habits, lifestyle and behaviour data gathered from mobile phones, social networks, video surveillance systems and the Internet of Things are examples of the types of data organisations might collect.

They analyse this information to classify people into different groups or sectors. This analysis identifies correlations between different behaviours and characteristics to create profiles for individuals. Each profile is new personal data about that individual.

Organisations use profiling to:

  • find something out about individuals’ preferences;
  • predict their behaviour; and/or
  • make decisions about them.

Profiling can use algorithms. An algorithm is a sequence of instructions or set of rules designed to complete a task or solve a problem. Profiling uses algorithms to find correlations between separate datasets. These algorithms can then be used to make a wide range of decisions, for example to predict behaviour or to control access to a service. Artificial intelligence (AI) systems and machine learning are increasingly used to create and apply algorithms. There is more information about algorithms, AI and machine learning in our paper on big data, artificial intelligence, machine learning and data protection.

You are carrying out profiling if you:

  • collect and analyse personal data on a large scale, using algorithms, AI or machine learning;
  • identify associations to build links between different behaviours and attributes;
  • create profiles that you apply to individuals; or
  • predict individuals’ behaviour based on their assigned profiles.

Although many people think of marketing as being the most common reason for profiling, this is not the only application.

Example

Profiling is used in some medical treatments, by applying machine learning to predict patients’ health or the likelihood of a treatment being successful for a particular patient based on certain group characteristics.

Less obvious forms of profiling involve drawing inferences from apparently unrelated aspects of individuals’ behaviour.

Example

Using social media posts to analyse the personalities of car drivers by using an algorithm to analyse words and phrases which suggest ‘safe’ and ‘unsafe’ driving in order to assign a risk level to an individual and set their insurance premium accordingly.

What is automated decision-making?

Automated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data. Examples of this include:

  • an online decision to award a loan; and
  • an aptitude test used for recruitment which uses pre-programmed algorithms and criteria.

Automated decision-making often involves profiling, but it does not have to.

Example

An examination board uses an automated system to mark multiple choice exam answer sheets. The system is pre-programmed with the number of correct answers required to achieve pass and distinction marks. The scores are automatically attributed to the candidates based on the number of correct answers and the results are available online.

This is an automated decision-making process that doesn’t involve profiling.

What are the benefits of profiling and automated decision-making?

Profiling and automated decision-making can be very useful for organisations and also benefit individuals in many sectors, including healthcare, education, financial services and marketing. They can lead to quicker and more consistent decisions, particularly in cases where a very large volume of data needs to be analysed and decisions made very quickly.

What are the risks?

Although these techniques can be useful, there are potential risks:

  • Profiling is often invisible to individuals.
  • People might not expect their personal information to be used in this way.
  • People might not understand how the process works or how it can affect them.
  • The decisions taken may lead to significant adverse effects for some people.

Just because analysis of the data finds a correlation doesn’t mean that this is significant. As the process can only make an assumption about someone’s behaviour or characteristics, there will always be a margin of error and a balancing exercise is needed to weigh up the risks of using the results. The GDPR provisions are designed to address these risks.

Further reading

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

WP29 adopted guidelines on automated individual decision-making and profiling – Chapter II, which have been endorsed by the EDPB.