Comments on new profiling provisions in the General Data Protection Regulation (GDPR) are sought by the Information Commissioner’s Office, which has issued a discussion paper identifying specific issues for further debate. Feedback will inform the UK contribution to the Article 29 Working Party, which advises the European Commission on data protection issues. 

The GDPR, which repealed and updated the EU Data Protection Directive, will come into force in the UK from 25 May 2018 as the main piece of legislation governing the protection of personal data.

In addition to defining profiling, the GDPR introduces new rights for data subjects and additional obligations for controllers, providing for greater transparency and more individual control when personal data is being profiled.

The ICO discussion paper, ‘Feedback request – profiling and automated decision-making’, acknowledges that profiling can be a powerful tool for organisations and can benefit individuals, the economy and society generally. However, it can also have a significant and sometimes detrimental effect on individuals.

The discussion paper highlights key areas such as marketing, the right to object and data minimisation that the ICO considers require further consideration.

Derogation within the GDPR

As the UK retains the full rights and obligations of membership of the EU until it leaves, it is obliged to implement the GDPR from 25 May 2018. As it is a regulation (rather than a directive), there is also limited scope for flexibility in its application.

However, there are derogations (exemptions) within the regulation where the UK can exercise discretion over how some provisions will apply.

‘General Data Protection Regulation: Call for Views’ features a list of 14 themes, within each of which are a series of possible derogations. Stakeholders are encouraged to submit their views online through the ‘Call for Views’ facility, which will capture views on the permitted flexibilities.