By virtue of Article 22 of the GDPR, individuals have “the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” We explore this provision and consider the potential implications for your business.
What is automated decision making?
Due to technological advancements in recent years, it has become easier for organisations to use automated decision making. Automated decision making has become prevalent in a diverse range of sectors including banking and finance, insurance and healthcare. However, automated decision making has significant implications for individuals. Therefore, the GDPR introduces safeguards and restricts the use of automated decision making subject to certain exceptions.
The fact that Article 22 is structured to restrict decisions based solely on automated processing supports the concept of individuals having control of their personal data.
Automated decision making is deemed to occur where a decision is made solely by automated means and there is no human involvement or influence over the outcome. An example of this is where pay is based on hours worked and this is monitored automatically on each individual worker’s computer. Their pay is then paid automatically using this data.
However where processing involves elements of both human and automated decision making, this would not be covered by Article 22. An example of this would be where a pay performance system notes that a worker has been late for 5 days in a month and sends a notification to HR who then decide to issue a warning to the employee based on their review of this data.
For the Article 22 right to apply, the decision must also produce legal effects concerning the individual. This means that it must affect the legal rights and/or legal status of an individual. An example of such a decision would be a decision relating to entitlement to benefits. Alternatively, the decision must similarly significantly affect the individual. An example of this is an automatic refusal based on an online credit application.
What are the exceptions?
The right not to be subjected to automated decision making is not absolute. The right does not apply where the processing is based on:
(i) contract, i.e. it is necessary for entering into or performance of a contract between a controller and an individual;
(ii) law, i.e. it is authorised by national law; or
(iii) consent, i.e. based on explicit consent of the individual.
Therefore, if your organisation satisfies one of the above exceptions, it may process personal data using automated means. However, even where an exception is met, where the processing is based on (i) or (iii) above (contract or consent), organisations must:
(i) implement suitable measures to safeguard the rights and freedoms and legitimate interests of individuals;
(ii) implement the right to obtain human intervention on the part of the controller;
(iii) allow the individual to express their point of view; and
(iv) allow the individual to contest the decision.
Additionally, if your organisation is intending to rely upon consent for processing, you should note that this consent will need to be “freely given, specific, informed and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” The imposition of such a high standard underlines the importance the GDPR places on individuals having control over their personal data. Further, in order to ensure the consent given is “specific and informed” you must provide information about the processing being conducted by automated means. You should do this by means of a Privacy Notice.
What else does your organisation need to know?
If your organisation is involved in automated decision making, you must carry out a data protection impact assessment to demonstrate that you have considered the risks involved and you must detail how you will deal with those risks.
Further, if your organisation carries out automated decision making in relation to special category data, you may only process this data if:
(i) your organisation has obtained the explicit consent of the data subject; or
(ii) processing is necessary for substantial public interest reasons.
Although automated decision-making has benefits, such as enabling services and goods to be tailored to specific individual requirements, it also has implications for the rights and freedoms of individuals. Given the significant fines that may be imposed under the GDPR (up to 4% of global turnover or up to 20 million euros, whichever is higher), compliance with the GDPR is essential. Where Article 22 is applicable to your organisation’s activities, you should ensure your approach is consistent with the GDPR and, in particular, the rights of individuals.
This article was co-written by Charlotte Fleming.