GDPR has some specific rules about how you treat data processed automatically and the rights that data subjects have when you process their data. You need to think carefully about whether your processing counts as ‘automated profiling’ and ensure you have appropriate controls in place. The GDPR defines profiling as:
"any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."
Organisations may obtain personal information about individuals from a variety of different sources. Examples of the types of data organisations might collect include:
- Internet searches
- Buying habits
- Lifestyle and behaviour data gathered from mobile phones
- Social networks
- Video surveillance systems
- Internet of Things
You are carrying out profiling if you:
- Collect and analyse personal data on a large scale, using algorithms, AI or machine learning
- Identify associations to build links between different behaviours and attributes
- Create profiles that you apply to individuals
- Predict individuals’ behaviour based on their assigned profiles
If this is you, then please get in contact. We can help ensure you meet GDPR requirements.
Good luck all!