What is profiling under the GDPR?
June 8, 2017 – Todd Ruback
Although “profiling” is a defined legal term in the GDPR, many are confused about what it actually is, and given the level of potential penalties at stake, a bit of clarity is due.
Confusion about “profiling” abounds, so I’m going to quickly clear it up so we can talk about something more useful: Evidon’s four step approach to the GDPR’s “profiling” obligations. Adding to the confusion are the pending revisions to the existing cookie law, the ePrivacy Directive, and how they will affect “profiling”.
It’s important to note that the GDPR aims to give control over personal data back to the individual, while the proposed ePrivacy Regulation (the revision of the Directive) is meant to protect the privacy and confidentiality of electronic communications. That’s why the two laws will be independent of each other: they are trying to solve different problems. Where it gets murky is that each imposes its own notice and consent obligations, and both are triggered when cookies or similar tracking technologies are used. That’s why “cookie notices”, those widely criticized pop-up banners, will be more important than ever: they will be the single gateway to compliance with both laws, the GDPR and the ePrivacy Regulation.
Back to the GDPR, which defines “profiling” in Article 4(4) as “any form of automated processing of personal data…to analyse or predict aspects concerning a natural person’s …preferences, interests…behaviour, location or movements.” Strictly speaking the definition is broader than ad tech (it also covers automated evaluation of things like a person’s economic situation, health or reliability), but for a publisher or marketer, jargon aside, “profiling” is what we in the US call “digital tracking”. Profiling or tracking, call it what you want, but know that this is the invisible website activity that results in advertising dollars flowing into your company’s coffers and employs millions of people in both the US and EU economies. Profiling is an essential component of the digital economy and must be strategically preserved if the EC’s Digital Single Market, a priority initiative, is to flourish and spawn the next great company from EU soil.
While the GDPR does not prohibit “profiling”, it likewise does not give a roadmap for how to do it right, and that is what we at Evidon, along with our partners, are thinking about. The challenge is that, apart from the special rules in Article 22 for automated decisions that produce legal or similarly significant effects, the GDPR doesn’t distinguish between high-level, innocuous data analytics (the feel-good, can-do-no-harm stuff) and the more granular tracking that results in precision marketing so on point you look over your shoulder. Remember this: the greater the profiling granularity, the heavier the obligation to ensure that you have the proper legal basis for what you are doing. For another great read on profiling, check out the blog post written by Evidon’s CEO, Scott Meyer, where he discusses “profiling” and other priority issues that are top of mind.
Here’s Evidon’s four step approach for you to consider (and Evidon is there to help with each step):
- Intelligence about Digital Supply Chain – Get a panoramic view of the “profiling” occurring on your sites, know who makes up your digital supply chain, and what they are doing. Evidon’s monitoring solution gives you this digital intelligence.
- Profiling analysis – Analyze the different “profiling” activity, determine the levels of sensitivity, and associated risk of each. Evidon’s digital governance framework provides the guidance, best practices and evidence you will need for this critical step.
- “Legal basis” (legitimate interest or consent) – Determine the legal basis for each of the different types of “profiling”. Under the GDPR a company can process (use) personal data only if it has a specific right to do so. That right is called a “legal basis”; Article 6 lists six of them (for example, performance of a contract, which is why a bookshop may use your home address to ship the book you purchased), but for marketing and analytics the two that matter are 1. “legitimate interests” and 2. consent. The more general the activity, the easier it is to rely upon “legitimate interests”; the more specific the activity, the more consent should be adopted. If a company, say a marketer, cannot show a “legitimate interest” that outweighs the individual’s interests, then it needs to fall back on “consent”.
- Consent Management – Deploy the appropriate consent management solution that reflects the legal basis for the “profiling”. Evidon’s patented notice and consent management technology has you covered.
For more discussion about the GDPR, profiling and Evidon’s solutions please contact email@example.com.