Automated Decision Making

Context:

Article 22 of the GDPR puts in place the following right for individuals:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling…

Considerations:

It is therefore a requirement for controllers and processors of personal data to put in place processes and policies to ensure that this right is met.

It is important to note that automated processing, decision making and profiling are permitted under the GDPR, but certain provisions are needed if processing of this type is carried out.

These provisions include control of the automation and profiling so that it can be paused or stopped if needed, a clear description of the profiling or automation so that the data subject is able to make informed decisions, and the ability for a human to be involved if required.

How to:

Implement the following systems and processes to ensure that individuals are able to exercise their right not to be subjected to automated decision making or profiling:

  • Identify those instances where automatic decisions about an individual are made
  • Identify any instances where data on an individual is aggregated
  • Identify any profiles, personas or typing used within your organisation and the processes within which these are used
  • When collecting information or consent from an individual, tell them about how you will use data to make automatic decisions about them
  • Explicitly tell the individual that they have a right not to have automated decisions made about them
  • Have a process in place to provide details on the logic used to make decisions on an individual at their request
  • Have a process in place and have identified those responsible for performing a manual intervention in any automated processing
  • Have a process in place to be able to stop any automated process which makes decisions on an individual

Common Scenarios:

A credit decision is made using a rating service

  • When collecting information you should inform the individual that you are passing their details to the credit rating service. You should also tell them that their information will be used to create a profile at that service and that a decision will be made according to this profile. If the individual requests it, you should tell them how this profile is constructed and what logic is used in making any decision to allow them credit.

New membership enquiry

  • When assessing a new application for membership you should inform the individual that you will be aggregating data to construct a profile and that that profile will be used as a basis for making a decision on their membership. You should have a process to explain your decision making criteria and request consent from the individual to make a decision in this manner. Also have in place a nominated person (or role) who will intervene and manually work through the process should the individual request it.

References:

  • GDPR Recitals: 24, 30, 39, 50, 60, 61, 63, 70, 71, 72, 75
  • GDPR Articles: 13, 14, 15, 21, 22

How Gydeline helps

We, at Gydeline, help small and medium-sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims. We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business, we are always happy to offer some free, no-obligation assistance – just contact us.
