We live in a digital world. The internet has given us access to so many things which are just one click away, but as a consequence everyone leaves a digital footprint. All kinds of data on our online activities is collected, and linked, with the ultimate goal of creating a complete profile of a customer, and offering services to this customer based on that profile. This is called profiling.
The General Data Protection Regulation (which will be enforced as of May 25th 2018 and will replace the Data Protection Directive) defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
As an example, meet Jane Doe. Jane has a Facebook account and a LinkedIn account, is an avid online shopper, and is curious and therefore uses Google habitually. Where in the earlier days of the internet data was mostly gathered through cookies and ads, nowadays sophisticated tools can track behaviour and collect data saved in different profiles. Based on Jane’s online activities, the following data may be collected:
As the data is collected and linked, her profile could be sold to interested parties, who then would target her with tailored advertisements and deals. However, this information is not only used to target Jane with tailored ads, but can also be used to target her friends, as they would be known through (for instance) her Facebook or LinkedIn profile.
Ethical discussions on profiling
The discussion on how to handle profiling is not only a legal discussion, but also has an ethical element. With the abundance of data collected online, consumers often struggle to find out which data they leave behind. And while large amounts of data may seem like a source of information on current and potential customers, this data may not necessarily be allowed to be used, as it is unclear whether the user has given clear and voluntary consent for using the data, even though they have posted it on publicly available sources.
Profiling within your organisation
While collecting all this information about your customers, your organisation can face several dilemmas. First of all, is profiling part of the core activities being performed by your organisation? And if so, are the right employees within the organisation aware that it is occurring, and how it is being done? Finally, are the activities regarding profiling in compliance with the new regulation? This could be checked by performing a privacy impact assessment.
Legal limitations to profiling
Being aware of the nature of profiling within your organisation is important, and staying up to date on the changing regulatory landscape is crucial from this perspective. Under the GDPR, an organisation should ask itself whether it is aware of the legal limitations on profiling and of the rights of individuals in relation to profiling. For example, organisations will be required to notify individuals when profiling takes place, and of the consequences this has for them. Organisations are required to use appropriate statistical or mathematical procedures for profiling, and are restricted in the use of special categories of personal data unless they meet certain predetermined conditions. Lastly, individuals have the right to object to profiling.
Is your organisation ready for the General Data Protection Regulation? KPMG can help you prepare for it, by performing a General Data Protection Regulation readiness assessment or helping you create a roadmap. If you would like to know more, please reach out to Jennifer Wennekers or José Teuwen.