As we wait for confirmation on the exact details of the new General Data Protection Regulation (GDPR), we’ve been looking at the impact of the proposed regulations on profiling.

On the face of it, it’s quite scary to think that the marketing industry will no longer be able to gather information and analyse people’s characteristics or behaviour patterns to predict actions or tailor messages. It will literally turn marketing on its head. So, do we go back to generic messages, meaningless to the consumer and a waste of money for businesses? We hope not!

 

The devil is in the detail

When you read all the proposals and put yourself in the shoes of the customer, you can actually see why it’s not quite as bad as first thought.

Everyone is in agreement that profiling can be positive. Everyone prefers more relevant, personalised communications. I’ve never met anyone who wants more spam or junk mail. But profiling can actually pose various risks and be unfair, too. Think about automated decision making when it comes to profiling. What if you get refused a credit application online because the algorithm says so rather than considering all the other factors?

Another example is profiling someone as a lucrative target for gym membership. Perhaps they do other sports, perhaps they do nothing, but a local gym wants them to join. If they’re struggling with self-esteem or weight issues (and how would the gym know?) and they’re suddenly bombarded with messages to join the gym to get fitter and thinner, what impact could that have on them?

So when you look at it like that, it’s not really fair to make a decision about someone that could have a significant impact on them, or play into existing stereotypes or social segregation – maybe it’s not such a bad idea to make improvements?

 

So what does the GDPR propose?

Well, as with everything at the moment, it’s a bit unclear. The DMA have published their response on profiling, which you can read here: DMA’s GDPR profiling feedback

Under the GDPR, profiling is defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

Article 22 of the Regulation provides people with a qualified right “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”.

So while profiling can be positive or negative, the GDPR wants to minimise the risk of someone being adversely affected by profiling and automatic decision making. Nothing wrong in that. It also gives people the right to object at any time to profiling, including profiling for direct marketing.

  • The ICO points businesses towards its privacy notices code of practice for guidance on how they can best present information about profiling to ensure the processing of their personal data is fair.
  • The ICO also warns businesses engaged in profiling that they must ensure that the personal data they are working with is accurate.
  • The DMA will advise members to follow the DMA code and other provisions of the GDPR, in particular carrying out data protection impact assessments when it comes to profiling.

But until we have complete clarity on what falls inside and outside of Article 22, we won’t really know exactly what we need to do. Watch this space.