Yesterday, the UK Information Commissioner's Office (ICO) published its initial thoughts on profiling under the GDPR, highlighting key areas of profiling that ICO feels need further consideration. These include:

  • the definition (including examples of ‘significant effects’ on a data subject that may constitute profiling);
  • legal basis for profiling;
  • notice requirements; and
  • the trigger for a Privacy Impact Assessment. 

Organisations are not finding it straightforward to put the GDPR's requirements into practice, so this is welcome engagement from ICO. ICO is inviting feedback and examples of best practice by 28 April: https://ico.org.uk/media/2013894/ico-feedback-request-profiling-and-automated-decision-making.pdf