The ICO has published a request for feedback on the GDPR rules on profiling and automated decision making. The ICO says it is not guidance, only initial thoughts, but we think it is a good steer on what the ICO sees as the key issues. You can respond with feedback to the ICO by 28 April, or simply use the paper to "issue spot" in your own organisation. Either would be a good use of time.

Key points:

  • Don't be fooled by the "legal / similar effects" threshold in Art 22. The general GDPR rules (fairness, transparency, purpose limitation, data minimisation) will affect many business operations that involve profiling, not just profiling with "legal effects" such as e-recruitment.
  • Consider the risk of unfair discrimination. How do you ensure your profiling is fair? How does the algorithm actually work, and can you explain it? Check out "Weapons of Math Destruction" by Cathy O'Neil. What is an acceptable error rate for the inferences you draw?
  • Think about raw input and output data and how to apply GDPR rights and obligations to each tranche.
  • How do you validate compliance where some or all of the process is carried out by a third party or vendor? All the fairness, transparency and data hygiene rules still apply to you as controller.
  • Consent is mentioned as a legal basis, but it will not work unless there is a genuine free choice, as per the recent ICO consultation on consent.
  • Beware of inadvertently generating special category data through inference (for example, inferring health or religion from purchasing or location data). Processing such data needs an Art 9 condition, which in practice usually means explicit consent.
  • Consider practical steps such as explaining the "logic involved" in decisions with legal or similar effects, both in privacy notices and in responses to DSARs.
  • Get ready to justify profiling if someone exercises their right to object. The other rights also apply of course.
  • Consider algorithmic auditing, seals, codes of conduct and ethical review boards to underpin profiling safeguards.
  • A wide range of profiling will require a DPIA: this includes location tracking, loyalty programmes and online behavioural advertising (OBA), as well as more obvious cases like credit scoring. DPIAs also apply to partly automated profiling with legal or similar effects, so this goes wider than Art 22, which applies only to decisions based solely on automated processing.
  • Do not profile children where this has legal/similar effects and is solely automated. This is a prohibition.
  • ICO to publish guidance on children's data later this year (to cover gateway conditions / age verification / parental authorisation).

For more information, visit our Privacy and Cybersecurity blog at www.privacyandcybersecuritylaw.com

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific questions relating to this article should be addressed directly to the author.