October 22, 2018


October 19, 2018

Assessing GDPR Guidelines Part I: Profiling and Automated Decision Making

The Article 29 Data Protection Working Party recently issued guidelines on how to handle profiling and automated decision making under the General Data Protection Regulation. Under GDPR, “profiling” means the automated collection of personal information in order to evaluate personal aspects about an individual. For example, companies may use profiling to predict individuals’ spending habits, targeting ads to individuals based on their internet browsing history. 

“Automated decision making” may overlap with profiling. The guidelines provide the example of speed cameras that automatically generate a ticket to demonstrate automated decision making without profiling. In the guidelines, automated decision making is distinguished from “solely” automated decision making. Solely automated decision making is when decisions are made based on technology with no “meaningful” human involvement. Where this activity has a significant effect on the individual, it is prohibited under GDPR (with three very narrow exceptions). An example of a practice with a significant effect is an e-recruiting policy that automatically excludes individuals without any human involvement.

Putting it Into Practice: Companies subject to the GDPR should be mindful of practices involving profiling or automated decision making and, in many cases, will want to incorporate a “human element” in these practices.

 

Copyright © 2018, Sheppard Mullin Richter & Hampton LLP.

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm
Associate

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

202-469-4917
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and external practitioners alike.”

She is known as an industry leader in the privacy and data security space and is consistently recognized by Leading Lawyers Network, Chambers and The Legal 500, and leading publications and organizations for her work in this area of law. Liisa was recently recognized as the 2017 Data Protection Lawyer of the Year - USA by Global 100, the 2017 U.S. Data Protection Lawyer of the Year by Finance Monthly, and the “Best in Data Security Law Services” at Corporate LiveWire’s 2017 Global Awards.

312-499-6335