Data analytics can transform GDPR risk assessment, e.g. on profiling
Big data analytics on profiling can have a significant impact on businesses. Given the broad geographic and material scope of the GDPR and the definition it gives to 'profiling', most businesses must be concerned by these provisions due to their lack of 'profiling' experience.
There is currently no legal definition of ‘profiling’ under the EU data protection law from 1995. The Directive refers to 'automated individual decisions' without explicitly mentioning the word 'profiling'.
Technologies that allow data controllers to gather personal data and analyse it for a variety of purposes have since multiplied. Those purposes include drawing conclusions about data subjects and potentially taking action in response to those findings, such as target marketing, price differentiation, etc.
Article 15 of the GDPR Directive grants “the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him”. These decisions are based solely on automated processing of data, often related to personal aspects such as his performance at work, creditworthiness, reliability, conduct, etc. The right applies unless such a decision is:
- taken due to a contract; or
- authorised by law.
What will the General Data Protection Regulation (GDPR) definition of 'profiling' require?
'Profiling' is clearly defined under article 4 of the GDPR as "any form of automated processing of personal data, to evaluate certain personal aspects, to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."
'Profiling' is composed of three elements:
- it has to be an automated processing;
- it has to be performed on personal data; and
- the purpose is to evaluate personal aspects of the EU citizen.
The "monitoring of an individual's behaviour" is further explained under Recital 24 of the GDPR:
“to determine whether a processing activity can be considered to 'monitor the behaviour' of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of profiling an individual, to take decisions concerning the individual or to analyse or predict personal preferences, behaviours and attitudes.”
Data analysis software can be used to examine every transaction in an entire population of data (e.g., every recorded activity that took place within a financial or business process) to determine whether:
- The operation complies with the GDPR control procedures that should be in place.
- There are indications that there are GDPR risks and problems for which no adequate control is in place.
When data analysis and transaction monitoring are done after the fact, it is relatively simple to determine where there are GDPR controls once the transactions are identified and addressed. Control weaknesses that allowed the problem to occur can be strengthened to prevent a recurrence. Transaction analysis and monitoring can become an additional level of GDPR profiling controls, both reinforcing those controls that are already in place and compensating for the restrictions that are either not working efficiently or not in place at all.
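The full-population check described above, as an added example that is not part of the original article: every decision record is tested against the three elements of profiling and the two exceptions as the article summarises them. The record layout, field names and sample data are constructed for illustration.

```python
from collections import Counter

# Constructed sample records; every field name here is hypothetical.
DECISIONS = [
    {"id": "t1", "process": "credit_scoring", "automated": True, "personal_data": True,
     "evaluates_person": True, "human_review": False, "basis": "contract"},
    {"id": "t2", "process": "credit_scoring", "automated": True, "personal_data": True,
     "evaluates_person": True, "human_review": False},  # basis never recorded
    {"id": "t3", "process": "price_differentiation", "automated": True, "personal_data": True,
     "evaluates_person": True, "human_review": False, "basis": None},
    {"id": "t4", "process": "target_marketing", "automated": True, "personal_data": True,
     "evaluates_person": True, "human_review": True, "basis": None},
    {"id": "t5", "process": "stock_forecast", "automated": True, "personal_data": False,
     "evaluates_person": False, "human_review": False, "basis": None},
    {"id": "t6", "process": "price_differentiation", "automated": True, "personal_data": True,
     "evaluates_person": True, "human_review": False, "basis": "legitimate_interest"},
]

# The two exceptions listed in the article: contract, or authorised by law.
ALLOWED_BASES = {"contract", "authorised_by_law"}


def is_profiling(rec):
    """All three elements must hold: automated, on personal data, evaluating a person."""
    return all(rec.get(k) for k in ("automated", "personal_data", "evaluates_person"))


def control_gap(rec):
    """Solely automated profiling decision with neither exception on record.

    A missing or unrecognised 'basis' counts as a gap: no control can be shown.
    """
    return (is_profiling(rec)
            and not rec.get("human_review")
            and rec.get("basis") not in ALLOWED_BASES)


def review(records):
    """Test every record; return flagged ids and the gap rate per profiling process."""
    flagged = [r["id"] for r in records if control_gap(r)]
    total = Counter(r["process"] for r in records if is_profiling(r))
    gaps = Counter(r["process"] for r in records if control_gap(r))
    return flagged, {p: gaps[p] / total[p] for p in total}


if __name__ == "__main__":
    flagged, rates = review(DECISIONS)
    print("records needing follow-up:", flagged)
    for process, rate in sorted(rates.items()):
        print(f"{process}: {rate:.0%} of profiling decisions lack a recorded exception")
```

A process with a gap rate of 100% points to a control that is not in place at all, while a partial rate points to one that is not working consistently.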