This is the fourth blog topic (Profiling and automated decision making) about the impact of the General Data Protection Regulation (GDPR) on Consumer IAM projects. This blog is part of a series that touches on important topics for IAM experts that have an interest in the new EU regulations.
Strict regulation of automated individual decision making
Article 22 of the GDPR targets one of the most powerful and promising tools for direct marketing – profiling based solely on automated processing of personal data. Offering products based on this type of profiling, as we have done until now, is likely to become a thing of the past.
As a consumer, wouldn't it be great if you only received product offers that really fit you like a glove? What if you only received offers that were based on data about your personal preferences and things like your income, lifestyle, and where you live? What if marketers automatically tailored their products to your needs? According to the EU (and more specifically, the GDPR legislation), this is not going to happen anymore, at least not without the explicit consent of consumers. The reason is that the GDPR requires that each person in the EU should have free choice in their buying decisions instead of being presented with automatically selected options based on the data that businesses gather about personal preferences and lifestyle.
A matter of principle
To the EU, this is a matter of principle. Enterprises that apply targeting based on profiling and automated decision making don't just follow consumer trends – they invent and feed the trends, actively steering consumer behaviour and limiting freedom of choice for individual consumers. In fact, GDPR limits the powers of certain online enterprises, cutting back some of their creative options to control markets.
What is at stake?
In the product marketing profession's lingo, consumer profiling is also referred to as 'automated decision making', which puts personal data to work to evaluate certain personal aspects of data subjects (consumers). The GDPR does not prohibit profiling as such. But the legislation definitely draws the line at the point where the data controller (a business) not only automatically analyses but also predicts "aspects concerning a person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviours, location, or movements."
The latest data analysis technologies can make data-savvy marketers' dreams come true. Based on the latest personal data about a person's education, income, car, and home, 'data wizards' can predict someone's preferences for certain products. Targeted data analysis and processing can even automatically suggest a certain product and price range to webshop visitors, maximising the chances of sales and customer satisfaction.
The key word: 'automated'
In the GDPR era, this automated handling and processing of personal data will be virtually impossible without the clear and explicit consent from the people whose data is involved. A travel website automatically offering a high-priced vacation to certain visitors based on data that shows they live in a high-class neighbourhood will be a no-go. The same goes for offering only a subset of products on a website because your age has been used to automate the selection (and therefore choice) for you. Based on your profile, you cannot see or buy other products on the website because they are simply not offered.
It is not direct marketing in itself that GDPR is targeting. The GDPR is protecting consumers/data subjects against the automated processing of their data (including profiling) for direct marketing. Profiling is not just direct marketing - it is something more!
Is there a way around this?
If you insist on keeping automated decision making based on profiling alive in your operation, there are ways around the new limitations. You can anonymise or pseudonymise the data that you keep about individuals and base automated decisions about your product offerings on that, as long as you are not targeting specific individuals. Or, you can ask individuals for explicit consent to process their personal information and profile them for the purpose of providing dedicated personal offerings. The GDPR legislation offers some leeway when profiling and automated decision making are necessary to fulfil a contract – certain lifecycle mortgage products, for example. Also, profiling and automated decision making have a future in EU member states with legislation that specifically allows these practices for things like gathering statistical information or taxation purposes.
A clever strategy
Going forward, we will see intensified communication activity between organisations and their customers with the purpose of safeguarding the value of personal data by acquiring the consent that is essential to use it in the future.
If profiling and automated decision making are vital to your company's (direct) marketing operation, make sure that you ask for consent during the earliest stages of the relationship with your consumers, ideally just after your company has made a positive impression. This may occur after buying a product or receiving satisfactory online advice. But beware - consent should always be given freely, and approaching an individual at a later stage may raise red flags with respect to GDPR compliance. Never request consent for data that you will not be using immediately (now, or very soon); ask for it only when you really need the data. Never request consent where you cannot explain what you will do with the data (the purpose), as this would be a violation of the GDPR. The purpose of processing data must be stated, and stated as clearly as possible. The consumer data watchdogs and the official data protection offices in EU countries will be on the alert for violations, eager to set examples. From May 25th, 2018 onward, there will be hefty fines…
Next time, we will cover how to handle sensitive personal data under the new GDPR legislation.
Want to read the other blogs on the impact of GDPR? Start with the first one.
The GDPR in all official European languages can be found here:
In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on IAM.
- Why IAM will never be the same.
- When should consent be requested?
- Why transparency is key to building trust.
- Strict regulation of automated individual decision making.
- What is sensitive personal data?
- Privacy by Design & Data protection by Design.
- Special rights for the individual, like the “right to be forgotten”.
- Data breach communication.
- Children's privacy under GDPR.
Feel free to repost this blog on your website! But when you do so, please be so kind as to mention the source and notify us via email@example.com
Corné van Rooij
VP Product & Strategic Alliances at iWelcome
Corné has been working in the security market for more than 20 years, the last 15 of them at two well-known Identity Management vendors.