Your right to object to automated decision making
The changes introduced by the EU-wide General Data Protection Regulation (GDPR), brought into UK law as the Data Protection Act 2018, mean you can object to solely automated decision making, and some of these decisions (such as online credit or e-recruiting) will be subject to additional controls.
The new rules give you the right not to be subject to a decision based solely on automated processing if it affects you legally or substantively.
How automated decision making works
Automated individual decision making is a decision made by automated means without any human involvement. Examples of this include:
- an online decision to award a loan; and
- a recruitment aptitude test which uses pre-programmed algorithms and criteria.
Automated individual decision making does not have to involve profiling, although it often will do.
Automated decisions can be based on any type of data, including data provided directly by the individuals, data observed about the individuals, or data inferred from elsewhere (such as a profile of the individual that has already been created).
Data Protection: jargon buster
- Processing is essentially anything that is done to or with personal data. This includes but is not limited to collecting, recording, organising, structuring, storing, adapting, altering, erasing or destroying.
- A data subject is an identified or identifiable person.
- A controller determines the purposes and means of the processing of personal data.
- A processor processes data on behalf of a controller.
How organisations can use your data
Organisations can only carry out automated decision making that has a legal or similarly significant effect where the decision is:
- necessary for the entry into or performance of a contract; or
- authorised by UK law applicable to the controller; or
- based on your explicit consent.
The details of the automated decision making should be documented in the organisation’s privacy notice.
For automated decision making they should explain what information is used, why it's used and what the effects might be.
In addition to this, they should also provide you with a simple way to request intervention or the chance to challenge a decision.
The organisation must also carry out regular checks to make sure its systems are working properly as intended.
Your right to object to profiling
You also have the right to object to profiling, including profiling used for direct marketing purposes.
Companies must inform you of your right to object at the latest at their point of first communication with you, or - for example - in their privacy notice.
If they receive an objection to processing personal data for marketing purposes, they must ensure that your personal data is no longer processed for such purposes.
How profiling works
Companies often use algorithms to gather information about you. This analysis reveals links between your different behaviours and characteristics to create a personalised profile of your preferences.
This profile information can then be used by those companies to make decisions that affect you.
Under GDPR, profiling means gathering information about an individual (or group of individuals) and analysing their characteristics or behaviour patterns in order to place them into a certain category or group, and/or to make predictions or assessments about, for example, their:
- performance at work
- economic situation
- personal preferences
- location or movements.
What companies must do
They should explain to you how you’re able to access the details of the information used to create your profile.
The organisation should also have procedures for customers to access the personal data input into the profiles so you can review and edit for any accuracy issues.
How to object to automated decision making or profiling
If you’d like to object to profiling or automated decision making, ask the organisation for a copy of, or a link to, its procedures for appealing profiling and automated decision making.
If it is carrying out this type of decision making, it must have a procedure in place which explains how you can challenge, edit or withdraw consent.
If it doesn’t provide you with useful information and next steps to take, contact the Information Commissioner's Office (ICO).