Does GDPR Profiling include Segmentation?
During a recent webinar by the DMA titled “GDPR*1 and profiling”, several discussions were raised on whether or not there is a right to carry out profiling on customer data. The webinar looked at the high standard for consent which has been set within the GDPR, with organisations needing to ensure consent is freely given, specific, informed and unambiguous. As part of this, the GDPR states (in Article 22) that:
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”
This raised several discussions, but one early statement which kept ringing in my ears was that segmentation is obviously not profiling. I initially agreed, but is it obvious?
*1 GDPR – General Data Protection Regulation
What is profiling?
Profiling is an often-used term, and a quick internet search provides multiple different meanings from a variety of spheres: DNA profiling, program profiling, social profiling, etc. We are of course interested in the data side of profiling, but even here, within our own industry, there is more than one type of profiling:
- Data profiling – analysis of a data source to examine and quantify the state of the data, in terms of accuracy, completeness, reliability, etc.
- Profiling – analysing data related to a specific group to provide a set of attributes that characterises the specific properties of the given group.
Given this potential confusion, the GDPR’s own definition of profiling is a better place to find the intended coverage of the term. Within the GDPR (Article 4), “profiling” is defined as:
“Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”
This certainly covers the classic definition of profiling within marketing, but does it exclude segmentation?
Is segmentation a part of profiling?
Well, let’s look at the definition of profiling and pull out the key components:
- Automated processing;
- Carried out on personal data;
- Determines an aspect of the person.
If we now look at segmentation using these three components, most if not all segmentation is applied as part of an automated process and is carried out with the use of personal data, to place an individual into a defined group. So, by this definition, segmentation is part of profiling, which means any kind of targeting will be impacted by the GDPR and consent will need to be obtained to use customers’ data in this way.
Are you serious? This will have a major impact on marketing!
This is one interpretation and there are others, but clear direction is required. Although I have put my view forward, an actual definition is required from the DMA/IDM and ICO to help us all continue to use data for the customer’s benefit, without putting prohibitive controls in place.
If you have any further questions or would like support / guidance in discovering and defining your Data Driven Marketing solution or managing your projects, please contact me through the BlacklerRoberts Ltd “Contact Us” page and I will be happy to discuss your needs. Alternatively, please follow @BlacklerRoberts on Twitter for further insights.
Thanks for the info 🙂
I loved your post, my name is Ronald Spinabella and I’m going to share it with my followers on Instagram.
While I agree that segmentation is a form of profiling in line with the GDPR’s definition of “profiling”, I do not agree that segmentation for marketing purposes requires consent.
The restriction on profiling in Article 22 only applies if the outcome “produces legal effects concerning [the data subject] or similarly significantly affects [the data subject]”. This will generally not be the case if we are talking about segmenting groups of customers for specific email campaigns.
Nonetheless, “profiling” amounts to the processing of personal data for which there must be a lawful basis, which includes an organisation’s legitimate interests. Organisations need to balance their legitimate interests against the fundamental rights and interests of their customers and where the balance tips in an organisation’s favour, they may rely on their legitimate interests for such processing (subject to the requirement to identify such interests within their privacy policy at the point of collecting personal data in the first place).
Of course when it comes to actually sending out an email to a group of segmented individuals, the separate rules on direct marketing set out in the Privacy and Electronic Communications Regulations will apply.