The ICO has published a request for feedback on the GDPR rules on
profiling and automated decision making. They say it's not
guidance, just initial thoughts, but we think it is a good steer
on what the ICO thinks are the key issues. You can respond with
feedback to the ICO by 28 April or just use this to "issue
spot". Both would be a pretty good use of time.
Don't be fooled by the
"legal / similar effects" threshold in Art 22. The
general GDPR rules will affect lots of business operations which
involve profiling. This is not just about profiling having
"legal effects" like e-recruitment.
Consider the risk of unfair
discrimination. How do you ensure your profiling is fair? How does
that algorithm actually work? Check out "Weapons of Math
Destruction" by Cathy O'Neil. What is an acceptable error
rate for inferences?
Think about raw input and output data
and how to apply GDPR rights and obligations to each tranche.
How do you validate compliance where
some/all of the process is carried out by a third party / vendor?
All the fairness, transparency and data hygiene rules apply.
Consent is mentioned as a legal basis
but won't work unless there is a genuine free choice as per the
recent ICO consultation.
Beware of inadvertently generating
special category data. This usually requires explicit consent.
Consider practical steps like
identifying the "logic" of the legal effects decisioning
in privacy policies and in response to DSARs.
Get ready to justify profiling if
someone exercises their right to object. The other rights also
apply of course.
Consider algorithmic auditing, seals,
codes of conduct and ethical review boards to underpin profiling.
There will be a wide range of
profiling requiring a DPIA, including location tracking, loyalty
programmes, and OBA as well as more obvious ones like credit
scoring. DPIAs also apply to partly automated profiling with
legal/similar effects. So this goes wider than the rules in Art 22,
which only apply to decisions solely by automated means.
Do not profile children where this
has legal/similar effects and is solely automated. This is a
ICO to publish guidance on
children's data later this year (to cover gateway conditions /
age verification / parental authorisation).