Focus on Profiling & Automated Decisions
Since the General Data Protection Regulation was adopted back in 2016, it has been impossible to avoid those infamous four letters: “GDPR”. As the legislation comes from the European Union, it is applicable in all Member States, including the United Kingdom (which has undertaken to respect the GDPR even in light of Brexit).
The GDPR applies from 25th May 2018. This means that you need to have your compliance processes in place by then. Guidance has clearly stated that compliance is indeed due on the 25th and not on the 26th May! You have been warned!
If you work in recruitment or HR, then you deal with personal and sensitive data almost every day, which means that you are likely to be impacted by the GDPR more than most. It is therefore really important to ensure that you are up to date with compliance and that you can evidence that you respect your obligations.
Whilst Data Protection is not an entirely new concept, the GDPR has created some new obligations. This means that depending on how you have dealt with Personal Data in the past, you might not need to reinvent the wheel, but you will have to create new processes and strategies to update your existing policies.
Artificial Intelligence and Technology
With the rise of Artificial Intelligence (“AI”) and the growth of the digital economy, more businesses than ever are looking to gain efficiency, reduce cost and automate their processes. There is no doubt that AI is the way forward – indeed, a recent article in the French Newspaper, Le Figaro, hailed AI as THE preoccupation of 2018 and beyond.
However, automated processes and automated decision making come with some risk, not least when automated decisions are based on personal data or an individual’s sensitive characteristics. These processes can be opaque, and employees or candidates might not even realise that they have been profiled or understand what is involved.
According to recent guidance:
Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. It can lead to inaccurate predictions, denial of services and goods and unjustified discrimination in some cases.
Of course, this applies to individuals generally, and in some instances falls outside the scope of HR, Employment and Recruitment.
So – How does this link back to the GDPR, one might ask? Well, the GDPR actually contains obligations relating to automated decision making and profiling, and in this article we highlight the obligations, risks and expectations involved so that you can properly prepare your business.
Automated Decision Making: Candidate and Employee Profiling
The GDPR defines profiling as any form of automated processing of personal data that uses that data to evaluate certain personal aspects of an individual, in particular to analyse or predict an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. In an HR or recruitment context, the issue arises when the results of this automated processing are then used to take decisions about the individual.
The default position under the GDPR is that “data subjects” (or candidates/employees) must not be subjected to decisions based solely on automated processing (including profiling), if the decision is likely to significantly or legally affect them (for example, the choice of them being put forward for a promotion, a pay rise, or being considered for a job or not).
Indeed, back in October 2017, the Article 29 Working Party (the group of EU data protection authorities, referred to below as the GDPR Working Party) published guidelines on profiling and automated decision making. The guidelines stated that:
Legal effects could include those that have an impact on an individual’s legal rights such as statutory or contractual rights (for example an individual being refused entry at a border, being denied a social benefit granted at law or having their mobile phone terminated for failure to pay the bill).
Similarly significant effects are those that are more than trivial and have the potential to significantly influence the circumstances, behaviour or choices of the individuals concerned (examples could include automatic refusal of an online credit application or e-recruiting practices without human intervention). Of course, regard must be had to the context, and it is difficult to provide a pre-determined list.
The aim of this provision is to protect candidates and employees from being subject to potentially damaging decisions taken without human intervention, appreciation or involvement (i.e. automated machine based processes, or AI).
It is therefore really important for recruiters and employers to identify whether any of their dealings with candidate or employee data rely on automated decision making, for example where decisions are driven by search fields or search criteria, performance percentages, targets met, billings, number of hours worked, etc.
If so, you will probably need to review your current practices to make sure that they are GDPR-compliant.
If decisions are made on the basis of automated profiling, recruiters and employers will need to ensure that individual candidates or employees who are personally impacted by such decisions are able to:
- Obtain human involvement in the decision taken;
- Express their point of view;
- Obtain an explanation of the decision; and
- Be entitled to challenge the decision.
GDPR Working Party Guidance referred to above also advises that the employer or recruiter, as a data controller, must respect an individual’s wishes without questioning the reasons for the objection or challenge.
In a practical sense, this will involve conducting an audit of your current practices and highlighting any areas of risk.
On the basis of this audit, you will need to review your findings and consider whether any significant decisions can be made manually rather than via AI or automated processing.
You should adapt your working practices, perhaps by technical means (i.e., reconfiguring the software that makes or supports the decisions so that a person reviews them) and also by conducting training for all HR, recruitment and talent acquisition staff.
As profiling can involve use of personal data which was initially collected for other purposes, it is important to make sure you have well drafted privacy notices covering the scope of your activities.
It is also important to ensure that you draft robust candidate and employee policies which tell them what data is collected, how it is collected, why it is collected, whether there are any automated decision or profiling activities (and for what aim), and provide candidates and employees with a summary of their rights, as contained in the above bullet points.
This is further dealt with in detail below.
What can recruiters and employers do to ensure that profiling candidate or employee data is lawful?
As we have seen, the GDPR sets out a general prohibition on solely automated individual decisions with a legal or similarly significant effect. However, some exceptions do exist, and employers and recruiters should be aware of them to ensure that any recourse to automated decision making and/or profiling is lawful, for example, where it is:
(a) necessary for the performance of or entering into a contract;
(b) authorised by European Union or National law to which the employer or recruiter is subject and which also lays down suitable measures to safeguard the individual’s rights and freedoms and legitimate interests; or
(c) based on the individual’s explicit consent.
This is considered in more detail below.
Ensure that you have a Lawful Basis for Profiling or Automated Decision Making
Employers or recruiters, as Data Controllers, will need a lawful basis for profiling/automated decision making. According to the GDPR, a lawful basis can be one of the following:
- Consent of the Individual – Remember that in the context of an employment relationship, there is generally an imbalance of power, so an employee cannot generally give valid consent. You should therefore rely on other grounds. Further, explicit consent is likely to be required for significant, solely automated decisions.
- Legitimate Interests – This can include business interests, or other commercial interests, but the recruiter or the employer still needs to ensure that individual rights are fairly balanced.
- Necessary for compliance with a legal obligation – for example in connection with social security or tax declarations.
- Necessary for Performance of a Contract – Care should be taken when relying on this ground: the processing must genuinely be necessary to perform the contract, not merely mentioned in it, although it is sensible for your templates to describe any such processing. In a recruitment or employment context, the contract could be a staffing / placement agreement or indeed a traditional employment contract.
Respect Fundamental Rights and Freedoms
Due to the significant risks to the fundamental rights and freedoms that automated profiling can cause, you should ensure that any processing is fair and transparent for candidates or employees. This means that you should consider:
- Providing meaningful information about profiling to candidates and employees, including details related to the logic involved, as well as the significance of the profiling and the envisaged consequences;
- Making sure that you use appropriate mathematical or statistical procedures for profiling;
- Implementing technical and organisational measures which allow you to correct or reduce the risk of errors;
- Ensuring that personal data is not processed in a way that has discriminatory effects (for example, by excluding sensitive characteristics from the data used for profiling, or by rendering such data anonymous for profiling purposes);
- Not keeping personal data for any longer than is necessary.
Indeed the GDPR Working Party in its October 2017 guidance advised that:
Organisations must find simple ways to tell the individual about the rationale behind or criteria relied on to reach the decision. The information should be meaningful to the individual, but this may not necessarily involve including complex explanations of algorithms.
It is also worth pointing out that automated profiling decisions should generally not be taken in respect of a child (although this is unlikely to affect the vast majority of recruitment agencies and employers).
Data Belonging to Children
However, if you do process or profile a child’s data, you should ensure that any information and communication addressed to a child is in such clear and plain language that the child can easily understand it.
Sensitive or Special Data
It is also important that the following characteristics do not form the basis of any profiling operation or automated decision:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic or biometric data, or data concerning health;
- Sex life or sexual orientation; or
- Data relating to criminal convictions and offences or related security measures.
The first six categories are known as “Sensitive or Special Categories” of personal data; data relating to criminal convictions is subject to its own, similarly strict, conditions.
Unless you have rendered the identification of the individual impossible (in which case the data is no longer personal data), you have obtained the individual’s explicit consent, or the processing is necessary for reasons of substantial public interest under EU or national law, the above bullet points are a no-go area, and even then suitable safeguards for the individual must be in place.
Data Protection Impact Assessments (“DPIAs”)
According to the GDPR Working Party, a DPIA “enables an employer or recruiter to assess the risks involved in automated decision-making, including profiling”.
Indeed, a DPIA is a way of showing that sufficient measures have been considered and implemented to manage the risks and to demonstrate compliance with the GDPR. The regulation makes a DPIA compulsory where processing involves a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based – which will cover most automated decision making about candidates and employees.
Contents of a DPIA
A DPIA should contain specific information, and so it is often useful to seek advice from a GDPR expert or lawyer to make sure your templates are fit for purpose. For example, the GDPR says that a DPIA should include:
- A systematic description of the processing operations and the purpose of your processing activities, including the lawful basis relied on (e.g., consent or legitimate interests, etc.);
- An assessment of the necessity and proportionality of the processing, i.e., why the processing is required and whether the aim you wish to achieve, on one hand, is balanced against privacy rights, on the other;
- An assessment of the risks to individuals, such as staff or candidates; and
- A summary of the measures that you have put in place to address those risks, including safeguards and security measures, and to demonstrate compliance.
As we have seen, the use of automated decision making and profiling is not without risk. Compliance is therefore important, not only to avoid exposure to the GDPR sanctions (i.e., up to €20 Million or 4% of your global annual turnover, whichever is higher), but also in a more practical sense, so that you can keep the trust of your employees, candidates and clients – as well as maintain your corporate image and reputation.
If you have any doubts as to your use of profiling, it is always worth seeking advice from a GDPR consultant or Data Protection lawyer, or specialised recruiter who will be able to assist you in your compliance projects.
This note is for guidance only and does not constitute definitive legal advice.