
Profiling and automated decision making - Part 4 of 9

Corné van Rooij
December 22, 2017 at 7:18 PM

This is the fourth in a series of nine blog posts on how Consumer Identity and Access Management (CIAM) products can help organisations in their compliance with the General Data Protection Regulation (GDPR). This blog is part of a series that covers important topics for CIAM experts who have an interest in the new EU regulation.

Strict regulation of automated individual decision making

Article 22 of the GDPR targets one of the most powerful and promising tools for direct marketing – profiling based solely on automated processing of personal data. Offering products the way we used to, based on this type of profiling, is likely to become a thing of the past.

As a consumer, wouldn't it be great if you only received product offers that really fit you like a glove? What if you only received offers that were based on data about your personal preferences and things like your income, lifestyle, and where you live? What if marketers automatically tailored their products to your needs? According to the EU (and more specifically, the GDPR legislation), this is not going to happen anymore, at least not without the explicit consent of consumers. The reason is that GDPR requires that each person in the EU should have free choice in their buying decisions instead of being presented with automatically-selected options, based on the data that businesses gather about personal preferences and lifestyle.

A matter of principle

To the EU, this is a matter of principle. Enterprises that apply targeting based on profiling and automated decision making don't just follow consumer trends – they invent and feed the trends, actively steering consumer behaviour and limiting freedom of choice for individual consumers. In fact, GDPR limits the powers of certain online enterprises, cutting back some of their creative options to control markets.

Why is profiling important for the organisation?

In the product marketing profession's lingo, consumer profiling is also referred to as ‘automated decision making’, which puts personal data to work to evaluate certain personal aspects of data subjects (consumers). GDPR does not prohibit profiling as such. But the legislation is definitely drawing the line at the point where the data controller (a business) not just automatically analyses but also predicts "aspects concerning a person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviours, location, or movements."

The latest data analysing technologies can make data-savvy marketers' dreams come true. Based on the latest personal data about a person's education, income, car, and home, ‘data wizards’ can predict someone's preferences for certain products. Targeted data analysing and processing work can even automatically suggest a certain product and price range to webshop visitors, maximising the chances of sales and customer satisfaction.

How will consumer profiling / automated decision making change under GDPR?

In the GDPR era, this automated handling and processing of personal data will be virtually impossible without the clear and explicit consent from the people whose data is involved. A travel website automatically offering a high-priced vacation to certain visitors based on data that shows they live in a high-class neighbourhood will be a no-go. The same goes for offering only a subset of products on a website because your age has been used to automate the selection (and therefore choice) for you. Based on your profile, you cannot see or buy other products on the website because they are simply not offered.

It is not direct marketing in itself that GDPR is targeting. The GDPR is protecting consumers/data subjects against the automated processing of their data (including profiling) for direct marketing. Profiling is not just direct marketing - it is something more!

Can you still do consumer profiling under GDPR?

If you insist on keeping automated decision making based on profiling alive in your operation, there are ways around the new limitations. You can anonymise or pseudonymise the data that you keep about individuals and base automated decision making about your product offerings on that, as long as you are not targeting specific individuals. Or, you can ask individuals for explicit consent to process personal information and profile those people for the purpose of providing dedicated personal offerings. The GDPR legislation offers some leeway when profiling and automated decision making is necessary to fulfil a contract – such as certain lifecycle mortgage products, for example. Also, profiling and automated decision making have a future in EU member states with legislation that specifically allows these practices for things like gathering statistical information or taxing purposes.

A clever strategy

Going forward, we will see intensified communication activity between organisations and their customers with the purpose of safeguarding the value of personal data by acquiring the consent that is essential to use it in the future.

If profiling and automated decision making are vital to your company's (direct) marketing operation, make sure that you ask for consent during the earliest stages of the relationship with your consumers, ideally just after your company has made a positive impression. This may occur after buying a product or receiving satisfactory online advice. But beware: consent should always be given freely, and approaching an individual at a later stage may raise red flags with respect to GDPR compliance. Never request consent for data that you will not be using immediately (as in very soon, or now), or where you cannot explain what you will do with it (the purpose), as this would be a violation of GDPR regulations; ask for it when you really need the data. The purpose of processing data must be mentioned, and mentioned as clearly as possible. The consumer data watchdogs and the official data protection offices in EU countries will be on the alert for violations, eager to set examples. From May 25th, 2018 onward, there will be hefty fines…

Next time, we will cover how to handle sensitive personal data under the new GDPR legislation. Want to read the other blogs on the impact of GDPR? Start with the first one.

The GDPR in all official European languages can be found here:

In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on CIAM. 

  1. Why CIAM will never be the same with GDPR
  2. Consent Management with GDPR in mind
  3. Transparency and GDPR
  4. Strict regulation of automated individual decision making
  5. What is sensitive personal data?
  6. Privacy by design: Data protection starts in the whiteboard phase
  7. Right to be forgotten: The right to erasure
  8. Data breach communication
  9. Children's privacy under GDPR

Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via marketing@iwelcome.com.
