The eighth and final part of this series covers rights in relation to automated decision-making and profiling. Organisations cannot make solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.

What is included?

Automated individual decision-making means that a company makes a decision without any human involvement, relying only on automated means. Examples include a recruitment aptitude test that uses pre-programmed algorithms, or the diagnosis of an illness.

Automated decision-making can span a wide range of areas, but it particularly focuses on profiling. Here, the data is used to evaluate a person, often their work, economic situation, health, personal preferences, interests, behaviour, location, or more.

Automated decision-making can lead to quicker and more consistent decisions, and is often used in healthcare, financial services, and marketing. However, it can lead to increased risks and privacy breaches.

Therefore, Article 22 of the UK GDPR provides people with the right to not be subject to an automated decision when it results in a legal (or similarly significant) impact on them.

When can I use automated decision-making?

This right doesn’t apply if the automated decision-making doesn’t have legal effects, or if a human is involved at some point in the decision process.

If the right does apply, then you can only process the data if:

  • It is necessary for the performance of a contract,
  • There is a legal basis and authorisation, or
  • The processing is based on explicit consent.

If the right does apply, and the data is special category personal data, then you can only process it if:

  • The processing is based on explicit consent, or
  • There is substantial public interest.

How should I carry out the decision-making?

If you have a basis to use automated decision-making, you must perform a Data Protection Impact Assessment (DPIA) to identify and assess any risks and controls in the process.

You must give the person specific information about the processing. This must include:

  • Information about the logic involved in the process, and
  • The significance and possible consequences to them.

You must also ensure that the person knows that they can:

  • Ask for and get human intervention in the decision,
  • Express their point of view, and
  • Challenge or request a review of the decision.

You must also take steps to prevent errors, bias, and discrimination, use appropriate statistical procedures, and secure the data.

If you want any more information regarding the rights related to automated decision-making, how to carry out the decision-making, or any other advice on dealing with data privacy rights, feel free to contact us.
