The law is very strict when it comes to making automated decisions based on special personal data. You need to be very careful in this regard because otherwise you will be making unlawful automated decisions. These are the questions you need to ask yourself:
- Am I making an automated decision?
- Am I using special personal data to make those decisions?
- Am I justified in processing it?
- Have I put suitable measures in place?
What is an automated decision?
This is an important question because data protection law regulates automated decision-making. So, the first very important question to ask yourself is whether or not you are making an automated decision. A manual decision is a decision made by a human being. You need to ask yourself: is the decision based, at least partly, on manual processing? If not, then you are making an automated decision. The next question is: does the decision have only an insignificant effect on the data subject? If not, then you are making an automated decision that is regulated by data protection law.
What is special personal data?
Special personal information is:
- religious or philosophical beliefs,
- race or ethnic origin,
- trade union membership or political persuasion,
- health, or sex life or sexual orientation,
- genetic or biometric information for the purpose of uniquely identifying a natural person,
- criminal behaviour.
(some of these categories are additions introduced by the GDPR)
Do you know when you are using special personal data to make those decisions? If not, you need to ascertain this fast. It is often difficult to know this in a big data context.
Am I justified in processing it?
There are only two grounds or justifications for making automated decisions using special personal data:
- Where you have the data subject’s explicit consent.
- Where it is in the substantial public interest.
Does either of these grounds exist?
Have I put suitable measures in place?
If either of these grounds exists, you also need to check that suitable measures are in place to protect the data subject. At a minimum, these suitable measures should give the data subject at least the right to:
- obtain human intervention on the part of the controller,
- express his or her point of view, and
- contest the decision.