Profiling is a very useful tool which marketers have been using for decades to understand their customers better and to target them appropriately. However, the GDPR changes how profiling is treated, and those changes should be considered carefully before profiling is undertaken. For the first time, profiling has been included with automated decision-making, and the same rights apply to the individuals whose information is being profiled. So how does this affect businesses?
There are obvious benefits both to businesses and consumers in relation to profiling, which is used in a broad number of sectors from healthcare to insurance, retail to publishing, leisure to recruitment.
It is also an extremely useful tool for marketers, providing benefits of increased efficiency, savings in resource, and the financial and reputational benefits of understanding customers and establishing more personal, relevant communications with them. The customer or individual benefits in turn from receiving fewer communications, and far more relevant messages.
What is profiling?
The GDPR defines profiling as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
Profiling can be as simple as segmenting your own customers into groups based on gender, purchase history, and other data that the customer has provided to you during your relationship. It becomes more complex when additional data is added to the mix, for example, adding to the information your customer has provided you, by applying data from external sources such as social media, or providers of geo-demographic or lifestyle data.
Profiling and the GDPR
As with all processing under the GDPR, those who profile individuals have responsibilities to those individuals. Profiles must be accurate, relevant, and non-discriminatory. All 6 GDPR Principles become critical as profiles are evolutionary, and over time, individuals’ profiles will change, so accuracy and retention are critical. Privacy by design is key, as is the requirement that individuals must be made aware of such profiling and of their right not to be subject to such decisions.
It’s worth noting that automated decisions can be made with or without profiling. And the reverse is also true – profiling can take place without making automated decisions. It’s all a matter of how the data is used. Where manual decisions are made, Article 22 does not apply.
Consent or Legitimate Interests?
The legal basis under which profiling takes place is a matter for careful consideration. There has been debate over whether profiling requires the consent of the individual who is being profiled, or whether legitimate interest may apply.
There will be instances where the impact of the profiling will have a legal or significant effect – for example, in financial services (mortgage yes or no), or when marketing to vulnerable customers – for example, gambling products to those in financial difficulty. Where profiling is considered to have a legal or significant effect, an organisation will need to rely on the legal basis of Consent before profiling and making decisions on the basis of such profiling.
However, in many cases, marketing will not have such an impact, and in those cases, consent will not be required. Instead it may be possible to rely on Legitimate Interests. BUT before such a decision is made, a Legitimate Interest Assessment will need to be conducted. This will need to consider the necessity of the profiling, the balance of benefits to the individuals versus the business, and the measures taken to protect the personal data and profiles involved.
The Legitimate Interest Assessment will not only help you determine whether it is appropriate to conduct the profiling on this basis, it will also provide evidence that the individuals’ rights have been considered, contributing to the business’s need to meet the GDPR’s new principle of Accountability.
Victoria Tuffill 7th March 2018