The GDPR special edition of MEF’s eBulletin series, supported by CLX Communications, highlights the perspectives of the diverse MEF membership and experts on their path to preparing for GDPR compliance.
Personal profiling has long since been the bedrock of how data is used in the digital economy. It can divulge a user's location, help track usage patterns across devices or set up recommendations for online shopping. GDPR in many ways is rock, paper and scissors to the business of profiling. Here Chiara Rustici, GDPR analyst and author of “Applying the GDPR. Privacy Rules for the Data Economy”, discusses profiling and the importance of compliance.
Any time personal data is deployed in an automated manner and is used to evaluate personal aspects of fellow human beings, we are dealing with profiling as defined and regulated by the GDPR. Don’t just assume it’s about psychometric profiling of the kind engaged in by the dominant social media platforms. Nor should you assume that GDPR profiling is always called “profiling” or is always accomplished inside the walled garden of a single enterprise.
If your organisation profits or otherwise benefits from personal data being used, somewhere, by someone, to evaluate individuals, it is highly likely that you are engaging in at least one of the data transformation stages – from data collection to insight – that make up GDPR profiling.
Your contribution to the profiling ecosystem might play out entirely upstream, by collecting and then selling or licensing access to your own raw data feeds. Or perhaps you are enriching and cross-referencing your own data streams with others from outside sources. You might also be tracking users across devices and channels to authenticate first and then assign permanent IDs. You might be resolving identity issues by reconciling offline and online consumer data, or selling your own records to those who do.
Perhaps you are moving one step further downstream by segmenting customers into types. Further still, you might be sorting them according to their responsiveness to certain triggers via A/B testing, or scoring them according to specific propensities. Lastly, you may occupy the “last mile” of profiling’s insight extraction by creating personalisation algorithms or recommendation engines.
Profiling – don’t do it to them, do it with them
Wherever you sit in the personal data transformation journey, and whatever you call your drive to guess what the consumer wants, the GDPR provisions on profiling apply to you and can be summed up as “don’t do it to them, do it with them”. The GDPR’s overall push towards information self-determination translates into consumer profiling self-determination and self-servicing.
As I have already published elsewhere, the GDPR provisions on profiling can be condensed into eight memorable points (see the box “Eight Profiling Essentials under GDPR”).
Profiling was seldom the original revenue model for telcos, functionally equivalent OTT telecommunication providers, mobile app developers and mobile app distribution platforms: in many ways it was consumer profiling that chased the mobile world, rather than the other way round.
Eight Profiling Essentials under GDPR
- Tell them that you are profiling them, what the logic is and what the consequences are.
- Tell them they can object to profiling (if you are using legitimate interest to profile) and then act on their objection.
- Tell them they have access to (though no portability of) the profiles you are building of them.
- Stop profiling for direct marketing if you receive an objection. It is one strike and you’re out.
- You must offer human-in-the-loop for wholly automated decisions with legal or significant impact.
- Tell them the logic of profiling and 100% automated decisions, even when they can’t object (because you are not using legitimate interest as a lawful basis but consent and contract).
- When profiling is high-risk for the rights and freedoms of the data subject, carry out a data protection impact assessment or DPIA.
- Never profile Art 9 or Art 10 or children’s data other than on public interest or explicit consent: legitimate interest will never be a lawful basis for these.
With telcos’ “great convergence play”, unifying TV, broadband, fixed and mobile telephony, came the need to authenticate users across different media. While pure authentication does not attract the additional scrutiny that the GDPR reserves for profiling, the temptation to move from authentication to assigning persistent digital identities to customers proved too hard to resist for the mobile world.
Persistent digital identities that serve as a repository for every digital click and swipe, every word uttered, searched or typed, every step and every turn taken or not taken are something we have not seen before. They are hyper-identities, fall squarely within the definition of GDPR profiling and attract the hyper-vigilance that the GDPR reserves for high-risk data processing. The eight GDPR rules on profiling are not hard to remember. What is hard is for the mobile ecosystem stakeholders to achieve absolute clarity about their chosen personal data business model.
Do you really need to be in the profiling business? It may prove much less remunerative after 25th May 2018 than initially thought.
This opinion piece is based on the author’s “GDPR Profiling and Business Practice”, Computer Law Review International, Otto Schmidt, Issue 2, v 2018, pp.34-43 and her report “Impact of GDPR on the Business of Profiling”, which can be ordered directly from Chiara Rustici.
Chiara Rustici is an independent analyst. She is neither affiliated nor financially associated with MEF or any of the bulletin’s other contributors. Views are her own.