New rules from GDPR will limit the use of fully automated data processing

30th October 2017

The General Data Protection Regulation (GDPR), which all UK organisations will need to be compliant with by May 2018, has created a lot of uncertainty, not helped by the ambiguous wording of some of the legislation. In an attempt to shine light on these areas, regulators and official bodies are issuing clarification statements and guidance.

One set of guidance concerns the rules on automated decision-making and profiling. It was issued by the Article 29 Working Party (A29WP), the advisory group made up of representatives from all EU Member State data protection regulation authorities. It states how these guidelines will affect businesses and how you can be sure that you are not at risk of being fined by the ICO.

Based on these new guidelines, your business will not be allowed to use fully automated processing of personal data, unless you can prove that you have full consent or that it is necessary for a particular reason.

This contradicts the legislation itself, which does not prohibit processing, and is part of a worrying trend of regulators being over-zealous in their interpretation of the GDPR.

The ICO guidance on profiling defines it as “Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person”.

According to the A29WP, this also means that targeted advertising may considerably impact individuals depending on the circumstances of the case and in consideration of the following attributes:

• The intrusiveness of the profiling process
• The expectations and wishes of the individuals concerned
• The way the advert is delivered
• The vulnerabilities of the individuals targeted

If advertising activity were to make decisions which significantly affected an individual, then it would be prohibited. To use data processing in advertising practices, consent would need to be obtained explicitly, which is already a difficult process without extra and stricter guidelines.

The GDPR will come into effect on the 25th May 2018 and will affect thousands of UK businesses if they are not aware or do not put practices in place to comply with GDPR guidelines.

There are several things you can do to ensure you are compliant with the GDPR, including:

• Identify any vulnerabilities and risks
• Ensure your marketing activities are compliant
• Protect against data loss, sanctions and monetary penalties
• Educate your staff on the regulation’s requirements
• Allocate a budget to facilitate compliance
• Appoint a Data Protection Officer

CHOICES – Do you follow the legislation or Regulator Guidance?

The above demonstrates that both our ICO and the A29WP are interpreting the GDPR legislation in stricter ways than the legislation would appear to intend.

For example, page 30 of the ICO Consultation on GDPR Consents states:

What information should you include? (in Privacy or Fair Collection Notices?)

Consent must be specific and informed. You must as a minimum include:
• the name of your organisation and the names of any third parties who will rely on the consent – consent for categories of third-party organisations will not be specific enough;
• why you want the data (the purposes of the processing);
• what you will do with the data (the processing activities); and
• that people can withdraw their consent at any time. It is good practice to tell them how to withdraw consent.

However, Articles 13(e) and 14(e) of the GDPR clearly state that when advising the Data Subject of the important factors relating to the processing of their data, the Data Controller should include:

e) the recipients or categories of recipients of the personal data, if any;

This is wholly contrary to the ICO draft guidelines, and further reinforces the tougher stance being adopted by Supervisory Authorities. However, it is a braver man than I who would argue this in court.

We urgently need clarification from the Regulators or, in due course, the Courts on the undefined terms and phrases within the legislation, such as ‘Large Scale’, and on these ambiguous areas.

Who will win in the oncoming battle, Controllers who interpret the law strictly, or the Regulators with their overzealous interpretations?

Watch this space.

Griffin House Consultancy are here to provide you with all the training and knowledge your company needs to comply with GDPR. If you would like more information on how to protect your business, please contact us on 01673 885533 or email [email protected]

