Automated decision making and profiling report

Context:

In order to prove that your organisation meets the requirement not to subject data subjects to decisions based solely on automation or profiling, you need to be able to report how those decisions and profiles are created.

This requirement is further enshrined by the right of access, which gives individuals the right to be informed of how you are using data about them.

Considerations:

Where you have any automated workflows or amalgamations of data, you should check whether this constitutes either automation or profiling. Where you group users together or tag them, this could be considered a profile. If you further use this grouping to make a decision then you need to identify this fact.

As part of an investigation, the supervisory authority may request to see details of how automated decisions are made and how profiles are constructed.

How to:

Understand what profiles you have
  • Do you group individuals or users together in any way?
  • Do you tag them the same? Do you apply any rules to a group of individuals?
  • Do you process information about individuals en masse?
  • Do you use a questionnaire of any type to build a profile of a person?
  • Do you track habits and then use that information to group people?

If any of the above are true you should document these scenarios and be able to explain these uses to the individual in clear, explicit language.

Understand which automated decisions you make

Do you use information held on an individual to make decisions? Are these decisions made by software or a system? Are these decisions made by a person based on criteria you have already defined? If any of these are true you should be able to explain the logic behind each of these decisions and do so in a way that is clear and understandable by the individual.

Have processes in place

In order to meet the requirement your organisation needs to have two things in place:

  • A process to accept and respond to requests about automated decisions and profiles
  • A report which describes how these decisions are made, detailing the information captured, how profiles are constructed and the criteria and logic used to make decisions about individuals

Common Scenarios:

An individual asks to see what information you hold on them

  • The response to this request, which the individual is entitled to make under the right of access, should contain not only the information you collect, but also the purpose of the processing and a report on how decisions are made about them

An individual asks what is done with data about them

  • Have a process to tell the individual what data is held and how that data is used to make decisions. If that information is also used to create a profile, include an explanation of how that is done.

References:

  • GDPR Recitals: 24, 30, 39, 50, 60, 61, 63, 70
  • GDPR Articles: 15, 21

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims. We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business we are always happy to offer some free, no-obligation assistance – just contact us.
