GDPR Article 22 is Automated individual decision-making, including profiling.
Article 22: what it is
This is where the user can avoid having a computer block opportunities from them.
The data subject has the right not to be solely profiled based on automatic profiling including big data analytics. Many organizations use profilers to analyze good candidates for job positions or possible likelihood to commit a crime. Though some algorithms can be quite accurate, there is a significant amount of bias within them based on the designers, developers, and initial data set used to train the artificial intelligence that runs them. The organization cannot rely on ‘wholly’ automated decision making.
Why it is important for the Data Subject
There are numerous examples of profilers gone wrong. Data can be misjudged based on gender, ethnicity or even the history of a subject’s social connections online. This right ensures that other factors are taken into account and that consent is required to wholly automated processes.
What it means to the organization
Organizations that are currently using automated processes to make decisions must either incorporate non-automated steps in to their decision making and/or request consent from their data subjects to run the profiling.
Real world example
A data subject applies for car insurance. They are asked for a set of information to obtain that insurance. The organization wishes to calculate their premiums based on the history of other users with similar demographic backgrounds. The organization cannot rely solely on this data. They can additionally have a staff member review the applicant to make the decision and/or request consent of the data subject upon application to use this method of profiling to calculate their premiums.