Data Protection Fines – A cautionary tale of data profiling
Within the UK there was only one financial penalty levied by the ICO in Q3 2022: a fine of £30,000 to Halfords for sending roughly half a million unsolicited marketing emails.
However, things started heating up in October, with seven further fines issued, including fines totalling £1.48 million to Easylife Limited and a fine of £4.4 million to Interserve Group Limited. We may cover the latter in our next Data Bytes publication, but for now let’s take a look at Easylife…
Easylife was issued two fines, the larger of which related to profiling and the use of special category data. The Commissioner found that Easylife was using information about customers’ buying patterns to infer whether they had particular health conditions, and was then targeting them with direct marketing for health products that could alleviate those conditions. The ICO’s position was that using data in this way to make decisions and trigger targeted marketing constitutes profiling, and that an inferred health condition is itself special category data.
Easylife’s defence was that legitimate interest assessments had been carried out for the marketing processes, and that its privacy notice clearly stated that it analyses customer purchases in order to market other products that may be of interest. The ICO’s position, however, is that data subjects had not been adequately informed about any profiling, or about the capture of special category data inferred from their purchases.
So what does that mean for the rest of us? Are you profiling any data subjects? If the answer is ‘no’, how sure are you?
The ICO’s guidance on what constitutes profiling relies on the UK GDPR definition (Article 4(4)):
“‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
This is a broad definition and could cover things such as productivity statistics within factories, GPS tracking of fleet vehicles and analysis of social media behaviour. Note that the definition turns on automated processing used to evaluate or predict something about a person, not on how sensitive the outcome is, so routine analytics can qualify. It is advisable to build this definition, and that of automated decision-making, into your Legitimate Interest Assessment and Data Protection Impact Assessment processes so that profiling activities are proactively identified as part of your compliance due diligence.
Where profiling is identified, you may need to cease that type of processing or cover it adequately and transparently in your privacy notices. You may also need to obtain consent from data subjects if legitimate interests is not a strong enough lawful basis to justify the processing, and where the profiling infers special category data, as in Easylife’s case, a separate condition for processing that data is required in addition to the lawful basis.
Get in touch if you have any concerns and want advice on pragmatic ways to comply with GDPR.