Profiling – The Reality Of The GDPR Impact

At Kudos, we provide a lot of customer and donor profiling for our clients. We do this by using our Business Universe database of over 2 million businesses with 20+ demographic variables and/or our Consumer Universe of over 40 million records and 100+ demographic variables. We match the client database to the Universe, enhance their records with the demographic variables, and create statistical profiles to enable segmentation and to gain an understanding of how the demographic profile changes across value segments and the like.


GDPR states that an individual must be made aware, in the organisation's usage and privacy statement, of how that organisation uses their data, and must be given a clear opportunity to opt out (as is the case under the current DPA).

It seems, however, that under GDPR positive consent is only required if the profiling activity in question “produces legal effects” or “significantly affects” a data subject (Art 22(1)). Whether enhancement, profiling & insight as described in my first paragraph falls under this definition remains to be seen.

Ted Sheils, Data Protection and Privacy Officer at TSB Bank, states “Profiling is defined in GDPR article 4 as: “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

Paragraph 58 of the recital states: “The data subject should have the right not to be subject to a decision…which is based solely on automated processing, which produces legal effects… or similarly significantly affects him or her, like automatic refusal of an on-line credit application…without any human intervention. In any case, such processing should be subject to suitable safeguards, including…the right to obtain human intervention…to get an explanation of the decision reached after such assessment and the right to contest the decision.”

GDPR seeks to regulate rather than prohibit profiling. If your profiling “produces legal effects” or “significantly affects” a data subject, then Data Controllers are required to implement suitable measures to protect data subjects’ rights, freedoms and legitimate interests. This applies to uses of profiling such as whether to provide credit, or a mortgage application where the decision is based solely on the automated processing (profiling) of the data. It would be appropriate for Data Controllers wishing to comply with GDPR’s profiling requirements, to notify the data subject at the time the decision based on profiling is communicated, of his / her entitlement (i) to have the decision explained, (ii) to express his / her point of view, (iii) to contest the decision, and (iv) to have the decision reviewed with an element of human intervention.

Whether this applies to data enhancements and marketing profiling remains to be seen, particularly following the recent ICO fining of RSPCA and BHF.

But in all cases – ensure your privacy and data usage statements are clear and explain how you are using the data.
