The ICO has published a request for feedback on the GDPR rules on profiling and automated decision making. They say it’s not guidance, just initial thoughts, but we think it is a good steer on what the ICO thinks are the key issues. You can respond with feedback to the ICO by 28 April, or just use this to “issue spot”. Both would be a pretty good use of time.
- Don’t be fooled by the “legal / similar effects” threshold in Art 22. The general GDPR rules will affect lots of business operations which involve profiling. This is not just about profiling having “legal effects” like e-recruitment.
- Consider the risk of unfair discrimination. How do you ensure your profiling is fair? How does that algorithm actually work? Check out “Weapons of Math Destruction” by Cathy O’Neil. What is an acceptable error rate for inferences?
- Think about raw input and output data and how to apply GDPR rights and obligations to each tranche.
- How do you validate compliance where some/all of the process is carried out by a third party / vendor? All the fairness, transparency and data hygiene rules apply.
- Consent is mentioned as a legal basis but won’t work unless there is a genuine free choice as per the recent ICO consultation.
- Beware of inadvertently generating special category data. This usually requires explicit consent.
- Consider practical steps like explaining the “logic” of decisions with legal effects in privacy policies and in responses to DSARs.
- Get ready to justify profiling if someone exercises their right to object. The other rights also apply of course.
- Consider algorithmic auditing, seals, codes of conduct and ethical review boards to underpin profiling safeguards.
- There will be a wide range of profiling requiring a DPIA: this includes location tracking, loyalty programmes and OBA as well as more obvious ones like credit scoring. DPIAs also apply to partly automated profiling with legal/similar effects. So this goes wider than the rules in Art 22, which only apply to decisions made solely by automated means.
- Do not profile children where this has legal/similar effects and is solely automated. This is a prohibition.
- The ICO is to publish guidance on children’s data later this year (to cover gateway conditions / age verification / parental authorisation).