Charities should not use fully automated processing of personal data unless they can show they have explicit consent or that it is necessary for fulfilling a contract, according to new guidance on profiling under the General Data Protection Regulation from the Information Commissioner’s Office.
The EU’s GDPR will come into force on 25 May and will introduce stricter requirements for organisations that process data than those currently in force under the Data Protection Act 1998.
The new guidance from the ICO on profiling defines it as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person".
The guidance does not allow for fully automated individual decision-making except in certain cases.
The data controller cannot get around this by fabricating human involvement, according to the guidance: the human overseeing a decision must provide "meaningful", rather than token, oversight and must have the authority and competence to change the algorithm’s decision if necessary.
There are exceptions to this, the guidance says: when it is necessary for the performance of, or entering into, a contract; when it is authorised by the EU or by the member state to which the data controller belongs; or when it is based on the data subject’s explicit consent.
To meet the first exception, profiling must be shown to be necessary for the performance of a contract, according to the guidance, which includes considering whether any less intrusive methods could be adopted instead.
Targeted online advertising is also covered by the guidance, which says that it could have a "significant effect" on individuals depending on certain characteristics of each case, such as the intrusiveness of the profiling process involved, the expectations or wishes of the individuals concerned, how the advert is delivered and the "particular vulnerabilities of the data subjects targeted".
Data controllers should also be aware of their transparency obligations, the guidance says, including ensuring that information about the profiling is both easily accessible for the data subject and brought to their attention.
The guidance says that profiling can involve the use of personal data that was originally collected for another reason, but whether this is permissible will depend on a number of factors, including the context in which the data was collected, the expectations of the data subjects regarding its future use, any safeguards applied and the impact of further processing on the data subject.
Data has to be kept accurate and up to date, the guidance says, explaining that keeping personal data for too long increases the risk of inaccuracies.