What exactly is 'profiling' under the GDPR | DMA


What exactly is 'profiling' under the GDPR


Profiling enables aspects of an individual’s personality or behavior, interests and habits to be determined, analysed and predicted. This is accomplished using various data sources:

  • Internet and browsing history;

  • Education and professional data;

  • Data derived from existing customer relationships;

  • Driving/location data;

  • Buying habits;

  • Social network information;

  • IoT;

Long story short version: Profiling is the bread and butter of delivering more targeted, relevant marketing that consumers value. Agencies (acting as Data Processors) and their Customers (acting as Data Controllers) need to ensure that all profiling undertaken has met the core GDPR requirements (stated below in the detailed version).

This puts an onus on the brand that is engaging with consumers to give them very clear guidance on what profiling activities are being undertaken, so that the brand is transparent towards the data subjects. The data subjects will need to be kept aware of what profiling is being undertaken and for what purpose. It also means that marketing agencies processing consumer data on behalf of the brand need to be able to prove that the data processing they have undertaken matches what has been communicated to the consumer. In summary, agencies and their customers will need to work even more closely together to ensure compliance.

Detailed version:

What the GDPR says: Article 4(4): ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Article 22(1): The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The ICO has highlighted a study that infers that behaviorally targeted adverts can have psychological consequences and affect individuals’ self-perception. Example: adverts for gyms or diets may make people feel unhealthy and lead to feelings of low self-esteem.

This should raise alarm bells for organisations and will highlight how the power balance is shifting back towards the data subjects.

Focus Areas:

  • Transparency

    What this means? Consent statements will need to balance the required level of detail with the need to keep them simple and easy to understand. In addition, they will also need to stand up to legal scrutiny. The art of copywriting will be key, alongside legal and contractual writing.

    Requirement for fair processing information: individuals need to understand why their personal data is being processed, and the data is processed to achieve this aim. If individuals are unaware that profiling is taking place, they will find it difficult to exercise their rights around this new data.

  • Data Minimisation, accuracy and retention

    Minimisation – Organisations tend to gather as much information as possible, as often profiling algorithms can find new correlations. Under GDPR, organisations must show that the data collected is limited to what is strictly necessary to meet the purpose. Therefore, the purpose of processing/profiling needs to be clearly defined.

    Accuracy – The fourth principle of the Data Protection Act is concerned with accuracy. However, in certain situations the data subject may not want their data to be kept updated. Once again, managing this potential conflict will require transparency and informative privacy notices.

    Retention – GDPR does not set specific retention periods for profiles. As profiles tend to be dynamic and evolving, companies need to have mechanisms in place to regularly review that the information held remains relevant for purpose.

    What this means? Businesses will need to prove that data about their customers is at the appropriate level and justified in being retained. Data management technologies that incorporate routines to audit data lineage and apply retention treatments (such as anonymisation, pseudonymisation) will help but only when coupled with appropriate processes and controls.

  • Lawful Processing

    Organisations need to consider what their legal basis for processing will be in the context of profiling.

    Consent – freely given, specific, informed and unambiguous – very difficult in case of profiling.

    Necessary for performance of contract.

    Legitimate Interest – The company must demonstrate that the profiling is necessary to achieve the defined purpose, rather than simply useful.

    What this means? For marketing, the key aspect here will be in justifying why the profiling is “necessary”. For example, would the argument that it is to enable the business to send only relevant promotions, which are highly likely to be taken up, be applicable?

  • Information to be Provided to Individuals

    The GDPR specifically requires the controller to provide the data subject with fair processing information about solely automated decision-making (including profiling) that has significant or legal effects (as defined in Article 22(1) and (4)), as well as:

    • meaningful information about the logic involved (categories of data to be used, source of data and why it is considered relevant); and

    • the significance and envisaged consequences of such processing (controller should provide information about how profiling might affect the data subject).

      The controller should provide this information at the time the data is first collected from data subjects or within a reasonable period of obtaining the data.

      What this means? Again, the wording of privacy notices and consent statements will be key to balancing the need to share the appropriate guidance with the data subject, to enable them to make an informed decision, without blinding them with detail.

  • Rectification and objection to profiling

    Right to rectification – Profiling can involve predictive elements which can increase the risk of inaccuracy. Article 16: Individuals can challenge the accuracy of data used and the profile itself (output).

    Right to Object – To processing. Once a data subject exercises their right to object, the controller must interrupt or avoid starting the profiling process unless they can show:

    “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”

    The right to object to processing (including profiling) for direct marketing purposes is set out in Article 21(2) and is absolute (Article 21(3)).

    What this means? To maintain a contactable, engaged audience, marketers will need to convince consumers that direct marketing is worth their while. That means making marketing content more interesting and relevant, which perversely requires a better understanding of the recipient, which in turn needs data and data profiling.

  • Implementing appropriate safeguards

    Organisations must also introduce technical and organisational measures to avoid and correct errors and minimise bias or discrimination.

    • Measures to quickly identify and resolve any data inaccuracies;

    • Appropriate security;

    • Specific measures for data minimization and clear retention periods

Gary Arnold – Solution Strategy Director & Giles Kirkham – Information Security Officer, Occam DM Ltd (part of the St Ives Group)
