With the General Data Protection Regulation (GDPR) in effect from May 2018, data protection is changing. In the past few weeks, we’ve covered various aspects of the GDPR and the effects for your organisation. This week we look at how the GDPR strengthens individuals’ rights relating to automated decision-making and profiling.
For many larger organisations, some data processing is done by machine with no human intervention. A good example of this is profiling. The GDPR defines profiling as any form of automated processing of personal data used to evaluate certain personal aspects of an individual, in particular to analyse or predict their performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The GDPR strengthens existing safeguards for individuals against the risk that a potentially damaging decision is taken in this way. Under Article 22, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them. The right does not apply where the decision is necessary for entering into or performing a contract between the organisation and the individual, where the individual has given explicit consent, or where the decision is authorised by law, for instance for the purposes of preventing fraud or tax evasion. Where a decision is made under the contract or consent exceptions, data controllers must put safeguards in place so that individuals can obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it.
Where organisations process personal data in bulk, they need to identify whether any of their processing operations involve automated decision-making. If so, they should consider whether their procedures need updating to meet the GDPR's requirements. When processing personal data for profiling purposes, organisations must ensure the processing is fair and transparent by giving individuals meaningful information about the logic involved, as well as the significance and the envisaged consequences of the processing, and by using appropriate mathematical or statistical procedures for the profiling.
The UK’s data protection authority, the Information Commissioner’s Office (ICO), has published guidance on profiling and automated decision-making. If your organisation uses profiling, it’s worth looking at the section on minimising the risk of errors and implementing measures that allow inaccuracies to be corrected. And as with any element of data protection, you must be able to identify a lawful basis for processing the data in this way and demonstrate that you comply with the GDPR’s requirements.
There’s lots more information on the ICO website about the GDPR Individual Rights. This series of blogs is intended to help you understand the potential effects on your business. Our next blog in this series will look at transferring data outside Europe, which may now be especially relevant given ongoing Brexit talks.
With CAS you can meet your new data protection responsibilities under the GDPR. Whether it’s our document storage or scan-on-demand services, we’ll keep your data safe and secure. And if you use our office removal and data disposal services, data protection is always a primary consideration for us. Call one of the CAS team now if you’ve got any questions about any of our services.
CAS provides comprehensive and secure document digitisation, information storage and facilities management services. For more than 20 years CAS has worked with NHS Trusts, Financial Services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS holds an impressive array of international certifications (ISO standards), which demonstrate our compliance with the strictest national, European and international laws. They also demonstrate our commitment to providing innovative systems for security, confidentiality and quality control in keeping your files safe and well managed. CAS, offering 20 years of secure document storage in London.