
GDPR Profiling with Data Vault

Do You Believe You Don't Engage in Automated Profiling under GDPR?


Profiling involves making automated decisions based on the data you possess about an individual. The availability of data and ease of processing mean that more organizations are likely to adopt profiling, and many may already be doing so to some extent without realizing it. Under GDPR (Article 22), one of the individual’s rights is to avoid being significantly disadvantaged by automated profiling decisions made without human involvement.


Profiling can involve any automated processing intended to predict or assess an individual’s:

  • Work performance

  • Economic status

  • Health

  • Personal preferences

  • Reliability

  • Behavior

  • Location

  • Movements

Individuals do not have the right to avoid profiling altogether, but they should not be disadvantaged by automated profiling. They must be able to seek human intervention, have the decision explained, and challenge it.


How can organizations protect themselves? Consider our checklist below:

  1. Inform individuals that profiling will occur, providing a meaningful description of the logic used and any consequences (e.g., a decision regarding creditworthiness).

  2. Employ robust mathematical or statistical methods to ensure results are justifiable.

  3. Test processes to reduce the risk of discrimination based on sensitive data (such as ethnicity) – proactive sampling is preferable to waiting for complaints.

  4. Ensure appropriate measures to secure personal data.

  5. Implement a process for responding to inquiries and allow for decisions to be reviewed by a human if requested (human oversight may be key in managing compliance with profiling regulations). The subject must have the right to express their viewpoint and challenge the decision.

  6. Correct data or stop profiling if requested by the data subject. There may be “compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject.” (For instance, credit profiling might be essential for the functioning of lending markets, potentially overriding individual interests.)

  7. Avoid profiling information related to children.


Additionally, consider these helpful exceptions in the rules:

     a) The profiling is necessary to fulfill a contract with the data subject

     b) It is legally authorized

     c) It is based on explicit informed consent.

As demonstrated by our checklist, compliance is achievable, but it requires sound Data Governance, transparency, and diligence.
