The Information Commissioner’s Office (ICO) has issued a feedback request to UK businesses on profiling and automated decision making. The paper is not a consultation nor intended as formal guidance but discusses aspects of the new rights and obligations under GDPR relating to profiling, that the ICO feels need further consideration. Feedback can be submitted any time before 28 April 2017.
Profiling under the General Data Protection Regulations (GDPR) is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” (Article 4(4) GDPR).
The ICO’s interpretation of this definition is that it includes the analysis of personal aspects, as well as processing that has a “predictive element” about individuals’ ability to perform tasks, interests or likely behaviours. The paper sets out a number of questions requesting feedback on matters such as when and how organisations are carrying out profiling and whether such profiling does include a predictive element.
The paper also highlights some of the benefits and risks of profiling, including, for example, better market segmentation on the one hand and potential infringement of fundamental rights and freedoms on the other hand. The GDPR also provides limited examples of activities where automated processing (such as profiling) can have “significant effects” on individuals, for example, an automatic refusal of an online credit application.
Businesses are encouraged to submit their feedback on the questions posed in the paper by the deadline of 28 April 2017, which will assist the ICO with the UK’s contribution to the Article 29 Working Party guidelines on data profiling to be published later this year.
If you have any further questions please contact Sarah Williamson on [email protected].
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.