Rights related to automated decision making, including profiling
Automated individual decision making is a decision made without human involvement. Examples of this include an online decision to award a loan, or a recruitment aptitude test which uses pre-programmed algorithms and criteria. Automated decision making does not have to involve profiling, although it may do.
Automated decision making and profiling can lead to a quicker and more consistent decision, but if used irresponsibly there are significant risks for individuals.
The General Data Protection Regulation (GDPR) restricts organisations from making solely automated decisions (no human contact), including those based on profiling, that have a legal or similarly significant effect on individuals.
These restrictions can be lifted in certain circumstances; namely, if the decision is:
- necessary for entering into or performance of a contract between the organisation and the data subject
- authorised by law (for example, for the purposes of fraud or tax evasion), or
- based on the individual's ‘explicit’ consent
As this type of processing is high risk, the GDPR requires that a Data Protection Impact Assessment is completed to demonstrate that the organisation has identified and assessed the risks and how these will be addressed.
The GDPR also requires organisations to:
- give individuals specific information about the processing
- take steps to prevent errors, bias and discrimination, and
- give individuals rights to challenge and request a review of the decision
These provisions are designed to increase individuals' understanding of how the organisation might be using their personal data.