The ICO yesterday issued a discussion paper on GDPR profiling provisions and is seeking comments by 28 April. The responses will help the ICO in its work at European level. The ICO is leading an EU Article 29 Working Party on this issue – the WP aims to issue guidelines on profiling later this year.
The ICO’s paper highlights the key areas of profiling it considers need further consideration, and poses ten questions, including:
• Have you considered what your legal basis would be for carrying out profiling on personal data? How would you demonstrate, for example, that profiling is necessary to achieve a particular business objective?
• How do you mitigate the risk of identifying special (sensitive) categories of personal data included in your profiling activities? How will you ensure that any ‘new’ special category data is processed lawfully in line with the GDPR requirements?