In detail

Is this a significant change?

Yes, the GDPR introduces a new definition of profiling. It also restricts solely automated decision-making with legal or similarly significant effects.

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her”

Article 22(1)

You can only carry out this type of automated decision-making when it is:

  • necessary for the entry into or performance of a contract;
  • authorised by Union or Member State law; or
  • based on the individual’s explicit consent.

You also have a responsibility to:

  • actively inform the data subject about profiling and automated decision-making;
  • put suitable safeguards in place when you carry out this type of processing; and
  • introduce procedures for individuals to exercise their rights.

Additional restrictions apply for special category data and automated decision-making involving children.

What’s different from the 1998 Act?

Individuals had a right to be informed about automated decisions that significantly affected them, but generally you could carry out this type of processing unless you received an objection. Individuals could use their rights under section 12 of the 1998 Act to:

  • serve notice requiring you not to take any automated decisions using their personal data; and
  • ask you to reconsider a decision taken by automated means.

These rights didn’t apply if the effect of the decision was to grant the individual’s request.

Why the change in the law?

Large numbers of organisations now carry out profiling or take significant decisions about individuals by wholly automated means. These technologies can be used in ways that have a considerable impact on people’s lives.

Organisations don’t just collect data directly from individuals; they also collect it from a wide range of other sources. This makes it less obvious to someone that their personal data is being used:

  • to profile them;
  • in a solely automated decision-making process; or
  • in ways that have an unanticipated effect.

The GDPR provisions don’t just focus on reviews of automated decisions, or human involvement. They aim to address the risks from this type of processing by introducing new transparency requirements and higher protection for individuals.

What changes do we need to make?

  • Documenting your processing activities will help you identify whether your processing falls under the definition of profiling and automated decision-making.
  • If your processing involves profiling and significant automated decision-making you should carry out a Data Protection Impact Assessment (DPIA). This can help you decide whether Article 22 applies, identify the risks associated with the processing and decide how you are going to address them.
  • You must include specific details about this type of processing in your privacy information.
  • Ensure you have procedures in place to allow challenges from individuals and an independent review mechanism. You might be able to adapt any processes you already have in place to handle section 12 objections under the 1998 Act.