GDPR Article 22 deals with a concept called ‘data profiling’ – essentially a method of profiling an individual’s personality solely through automated data analysis, which may affect them legally or financially (e.g. credit scoring and mortgage applications).
Under Article 22, individuals have the right not to be profiled in such a manner unless this is expressly agreed by way of a contract between the data subject and the organisation carrying out the profiling.
Automated individual decision-making, including profiling
Generally speaking, Article 22 isn’t relevant where decisions affect multiple data subjects, or groups of individuals connected by certain variables – e.g. age, gender, location.
Instead, the law focuses on the right of the individual – i.e. one person – not to be subject to profiling without their consent.
Despite being the primary subject matter, decisions are something of a grey area, as the law is unclear about what constitutes a decision. These can range from a decision by a governmental authority to something more easily recognisable, such as a credit score or action taken on a mortgage application.
To make things even more vague, a decision can also be an attitude or opinion towards a data subject, formed on the basis of their data, but only where there is a likelihood of it being acted upon.
A ‘legal effect’ is a binding action taken towards a person. Decisions with a legal effect include scenarios such as a benefit claim, a tax return or a healthcare assessment.
Whilst some or all of these may not specifically change the basic legal status of a person, they still may have a profound effect upon that person’s life, including:
In this section we talk about GDPR Articles 22 (2)(a), 22 (2)(b), 22 (2)(c), 22 (4)
To form a legal basis for processing PII, organisations should document their actions and:
Organisations also need to consider any ‘special categories’ of PII that relate to their organisation in their data classification scheme (see ISO 27701 Clause 7.2.8) (classifications may vary from region to region).
If organisations experience any changes to their underlying reasons for processing PII, this should be immediately reflected in their documented legal basis.
In this section we talk about GDPR Articles 22 (1) and 22 (3)
Organisations should take into account jurisdictional variations in the rules on automated decision-making involving PII.
Organisations should honour an individual’s right to object and to request human intervention in place of automated procedures.
| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| EU GDPR Articles 22 (2)(a), 22 (2)(b), 22 (2)(c), 22 (4) | ISO 27701 7.2.2 | ISO 27701 7.2.8 |
| EU GDPR Articles 22 (1) and 22 (3) | ISO 27701 7.3.10 | None |
By adding a PIMS to your ISMS on the ISMS.online platform, your security posture remains all-in-one-place and you’ll avoid duplication where the standards overlap.
With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27701 and ISO 27001 at the click of a button.
Find out how much time and money you’ll save on your journey to a combined ISO 27701 and ISO 27001 certification using ISMS.online by booking a demo.