What you need to know about the difference between profiling and automated decision-making

There is a clear difference in the General Data Protection Regulation (GDPR) between profiling, which is classified as automated processing, and automated decision-making.

The GDPR describes profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Automated decision-making is another concept under the GDPR and it may overlap with profiling. There is no specific definition in the GDPR however it is explained more clearly in the guidelines that were published by the data protection working party (WP 251).

Automated decision-making is the ability to make decisions by technological means without human involvement.

Profiling and automated decision-making in marketing

So, in marketing (and it actually applies to all other processing activities) you should look at differentiating following concepts:

1. General profiling: e.g. segmentation, which under GDPR is classified as a ‘normal’ processing activity.
2. Non-automated decision-making based on profiling: e.g. you decide that your target audience for your next campaign are ‘women between 30 and 40 who live in Belgium’. Also a ‘normal’ processing activity.
3. Automated-decision making: e.g. you use an algorithm for predictive analytics that will tell you which women between 30 and 40 living in Belgium will probably cancel your service before the end of the year and this list is uploaded in your marketing automation software. Which is a specific category of processing with specific conditions to be taken into account.
   
   

What does the GDPR say exactly and what does it mean for marketers?

Now things are going to get a little more confusing, so stay focused… I will refer to some articles under the GDPR, so if you want to read them more in detail you can find the reference. Just do me one favour, don’t make the mistake many people do when they read just parts of the GDPR; you will not get the full scope unless you read the entire document. I have been reading and re-reading all these articles and guidelines for over a year now, (yes, I even walk around with a copy of the GDPR… I know… no comment) and I’m still very glad that Ingrid De Poorter of De Groote De Man is my legal safeguard in all these matters to check whether I understood correctly.

Ok, let’s get back to the law.

Let’s first look at level III – automated decision-making.  Article 22 describes what applies to these types of processing:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The important words to remember here are ‘solely’ AND ‘legal effects’ OR ‘similar significant effect’.

So, in plain language: it is about automated decision-making without any human intervention (think algorithms, AI, machine learning, predictive / prescriptive analytics), which has an impact on someone’s legal rights (for example your right to access all kind of services & products). But also, if it affects the person in a similarly significant way as their legal rights (think differentiated pricing modules based on your behaviour).

Under GDPR this type of automated decision-making is possible if:

1. It is necessary for the performance of entering into a contract
2. It is authorised by Union or Member State law
3. It is based on the explicit consent of the data subject

Should your processing fall under one of these three exceptions, you are allowed to continue processing. However, don’t forget that all of the other articles of the GDPR still apply to this type of processing and some will require more attention (art 13, 14, 15).

If you continue to process because it is necessary for a contract or because you obtained explicit consent, don’t forget that your customers can always request human intervention, can ask to express their point of view or can contest the decision.

The following additional notions are also important to take into account:

1. Special category data: if this kind of personal data is involved, you are only allowed to have an exception based on explicit consent or the processing is necessary for a public interest or based on Union or Member state law.
   
   
2. Establishing appropriate safeguards: if you use one of the exceptions (also for special category data) you will need to provide ‘suitable and specific measures to safeguard the fundamental rights and interests of the data subject’. In plain language, this means you need to be as transparent as possible. So, in your privacy statement, you should mention this automated processing and explain the data you will use and the logic behind it (no, you do not need to disclose your algorithms). And you will also need to explain the consequences of this automated decision-making, which is encouraged to use examples.

So, let’s take a concrete example:

You are a customer of an energy provider that uses segmentation in which all customer with ‘late’ payments are grouped into the ‘High Risk’ segment. You decide to develop an algorithm that predicts within this segment who will probably end up in a litigation service.

For people in this segment, you decide to:

1. Monitor them more closely regarding payment of their bills. And ask your customer service department to contact them earlier in the debt collection process than other customers.

OR

2. Automatically increase their monthly fee

OR

3. Automatically disconnect them from your services for breach of contract

In case 1, you are doing automated decision-making based solely on automated processing, but without any legal effect or similar significant effect. In case 2, you are doing automated decision-making based solely on automated processing, but with a similar significant effect. In case 3, you are doing automated decision-making based solely on automated processing, but with a legal effect. 

So cases 2 and 3 fall under the provisions of article 22. Case 1 does not have any other restrictions because profiling, which as we described earlier, is a ‘normal’ data processing activity where all standard articles apply.

So, as a step-based approach, go through following checklist for your marketing activities:

Conclusion

Although I have tried to explain a lot of concepts in one article, there are still some specific notions to consider when you speak of profiling and automated decision-making. Most of the information in this article is based on the guidelines published by the WP29  (WP 251).  If your marketing activities include one of the concepts explained above, I strongly recommend you read these guidelines and all of the underlying reference sources. It will give you a complete overview of what is needed and intended under the GDPR.

This specific concept is why I keep stressing that marketers should make sure that they are invited as early as possible to join the discussion about how to implement GDPR. Only a marketer knows its own data-driven marketing activities and needs to understand these principles to be able to continue this data-driven marketing strategy. 

You need to realise that the GDPR has not been written to allow the legal and compliance department decide on data protection.  It is intended to make the business aware and responsible that when dealing with personal data, you need to reflect on what you are doing. And this concept is the perfect example of that statement.

However, if you still feel lost after reading this article and after reading the GDPR and the guidelines published under GDPR, don’t hesitate to reach out.