The UK Information Commissioner’s Office (ICO) recently published initial thoughts on some of the new profiling provisions in the General Data Protection Regulation (GDPR). The ICO’s discussion paper highlights the fact that profiling can often take place without an individual’s knowledge, and touches on the increasingly sophisticated ways in which profiling is used to deliver behaviorally targeted advertisements. The paper also covers the legal definition of profiling. The ICO has requested feedback by the end of the month in relation to:

  • When, how, and why organizations carry out profiling, and whether a degree of inference is necessary for a process to be considered profiling;
  • How organizations will ensure that profiling carried out is fair and not discriminatory;
  • How organizations will ensure that information used for profiling is relevant, accurate, and kept for no longer than necessary;
  • Whether organizations have considered the legal basis for carrying out profiling on personal data;
  • How organizations will ensure the provision to individuals of timely fair processing information (as required under the GDPR);
  • How organizations will strike the balance between legitimate profiling and individuals’ rights and freedoms; and
  • Any difficulties foreseen in implementing the GDPR requirement to carry out a data protection impact assessment.

TIP: Those interested may submit comments in the feedback request form by April 28.