
Data profiling: is it fair game?

Mention data protection compliance to most people and they may think of safeguarding CRM databases and displaying a privacy policy – but evolving technologies and media platforms involve a lot more data collection and usage than may initially be apparent.

GDPR provides a broad definition of ‘profiling’, encompassing evaluation of data and behaviours to analyse and predict how people may act. These inferences and assumptions can prove very useful tools, but activities such as targeted online advertising and classifying people based on data held about them will all be considered forms of profiling. For example, does the same in-game advertisement appear to all players, or is it tailored to what the provider may know that individual player has purchased previously or what they may have been searching on their device?

Transparency is one of the key principles of GDPR, as Facebook, Cambridge Analytica and other media platforms have experienced with very public enquiries. So any profiling activity should be declared as part of the mandatory information given in privacy policies. Consider also what the appropriate lawful basis is for any profiling activity: the transparency issue may mean that ‘legitimate interests’ is not available, particularly where users are unlikely to anticipate certain profiling methods. The only approach may therefore be to gain opt-in consent – a must if any of the data used falls into the sensitive sub-class of ‘special category data’. A data protection impact assessment at the outset of a new project can help identify risks and how best to mitigate them (and is a legal requirement for any processing considered to be high risk).

Profiling activity often relies on cookies and similar technologies. If such tools are used, you should provide clear and comprehensive information to explain their use. It is also necessary to gain explicit consent prior to setting all but strictly necessary cookies, or the use of those tools will constitute unlawful processing of personal data.

A few key points to bear in mind:

  • If you anticipate any large-scale profiling or are using any innovative technologies, you should undertake a data protection impact assessment – to identify concerns and for your own data controller compliance obligations
  • Consider just-in-time notices to gain appropriate consents and, if dealing with children or vulnerable people, word notices clearly; do not ‘nudge’ people into certain courses of action
  • Personal data collected from public sources or social media must still be treated lawfully and so must be addressed within your privacy information and handled accordingly

If your organisation undertakes profiling activity, ensure you are aware of your data controller obligations, whether under GDPR or other applicable rules – and beware of targeting individuals outside the UK where additional rules may apply. Profiling can be useful, but users do not all fit into set character classes, so it is important you have plans in place that allow you to understand the domains you operate within now and could in the future, and what laws apply to those users.

We would be happy to advise on any data protection concerns.