Judith Eis, a DPO consultant at GRCI Law, writes:
With the growth of automation, artificial intelligence, algorithmic systems, and the tracking and targeting of individuals based on their personal information, data controllers are increasingly interested in ADM (automated decision-making) and profiling.
The prevailing idea is that implementing ADM and profiling in business processing activities could reduce costs, speed up operations and increase revenue. However, before implementing such processing, organisations must address the inherent risks.
Article 22 of the GDPR (General Data Protection Regulation) governs decisions based solely on automated processing, including profiling, that produce legal effects concerning the data subject or similarly significantly affect them.
Data subjects have the right not to be subject to such decisions unless the decision is necessary for entering into or performing a contract with them, is authorised by EU or UK law that also lays down suitable safeguards for their rights, or is based on their explicit consent. Where the contract or consent exception is relied on, the controller must still implement suitable safeguards, including at least the right to obtain human intervention, to express a point of view and to contest the decision.
But what is profiling?
Article 4 of the GDPR defines ‘profiling’ as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
It isn’t difficult to see why organisations want to capture as much personal data as possible and generate revenue from it. Once harvested, data can be amalgamated and matched against set parameters for further processing, such as building a profile of an individual in order to target or market to them.
Data can also be packaged against preset criteria after it has been provided, allowing a controller to make assessments about the individual. Online loan applications and marketing surveys that end in a conclusive result or determination about the individual are typical examples.
These practices appear in the new apps, websites and software entering the digital economy.
Mechanisms that collect valuable data are attractive as ‘doorways’ to predicting an individual’s personal preferences and interests, and that access creates opportunities for profit. Targeting individuals for such business purposes is not inherently egregious, but it does require a risk-based approach.
The 12 basic principles for ADM
The ELI (European Law Institute), an independent non-profit organisation established to provide practical guidance in the field of European legal development, sets out the following 12 basic principles for ADM:
- ADM and profiling must be compliant. Organisations using or wishing to use ADM must first review and meet their compliance requirements.
- ADM should not be denied legal effect, validity or enforceability simply due to its automated nature.
- The decision taken by the controller is attributable directly to the controller, who is accountable for its compliance.
- Unless a decision is exempted, it should be made clear to data subjects when it is determined by automation.
- Decisions should be traceable through the components of the associated processing flow.
- ADM should not be arbitrary but involve logic and reasoning.
- Those deploying ADM must recognise that users or operators may be exposed to a risk of damage or harm.
- ADM must not inhibit fundamental rights. An alternative human-based process must be offered so that rights can be exercised.
- ADM should involve human oversight of the operations.
- ADM should include human review of risk and applicable laws.
- ADM should be transparent, so that users understand the risks of using ADM systems and are prepared to accept the outcomes.
- Each principle should be applied to the details of the specific operations with a risk-based approach.
How does this align with the ICO?
The UK’s ICO (Information Commissioner’s Office) takes a similar approach to assessing ADM, but places particular emphasis on the rights of the data subject and encourages controllers to risk-assess their processing activities to ensure that appropriate measures are in place to protect those rights.
The ICO explains that this type of processing is “considered to be high-risk [so] the UK GDPR requires you to carry out a Data Protection Impact Assessment (DPIA) to show that you have identified and assessed what those risks are and how you will address them”.
It reminds data controllers that restrictions apply. They must allow for human intervention in the decision, take specific measures to prevent bias, discrimination and error, and give individuals the right to challenge the decision. Overall, this requires a thorough assessment of the systems involved and adherence to legal requirements and UK GDPR principles.
As the ICO notes, ADM is inherently high-risk processing. It often requires the data subject to disclose sensitive or confidential data that is subject to additional regulatory restrictions and safeguards. Special category data in particular may only be used for a solely automated decision where the data subject has given explicit consent or the processing is necessary for reasons of substantial public interest, and suitable safeguards are in place (Article 22(4)).
Keeping data safe
Data controllers must demonstrate they have the appropriate documentation in place to support the processing activities.
These organisations must be prepared to implement a range of risk management activities, including documenting restricted or cross-border transfers of data.
These requirements will need to be recorded within an organisation’s privacy framework and be routinely monitored to provide assurance. There is an element of risk versus reward when opting to implement ADM.
It is also critical to conduct a gap analysis of existing processes, as there may be deficiencies in data flows that require remediation. There may even be embedded automated processes that have not yet been identified, and these too will require risk evaluation and controls to align with regulatory requirements.
The Article 29 Data Protection Working Party published Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251rev.01), since endorsed by the EDPB, which set out “good practice” recommendations that data controllers can use to safeguard personal data processed using ADM. Among other measures, they advocate privacy certification mechanisms, audits, codes of conduct, ethical review boards and external consultants to monitor compliance.
It is safe to say that there is a consensus among regulators, and sufficient clarity in the legislation, to make proper due diligence essential for compliant ADM processing.
It is critical to ensure the appropriate safeguarding of personal data within workflows and that transparency is established so that data subjects are informed and can exercise their rights. Both data controllers and data subjects must also understand the risk implications involved.