Everybody knows that when you are about to process data you need a Data Protection Impact Assessment. You can find all the resources you need in the WP29 guidelines, but it is sometimes difficult to map that theory onto a real work situation. In this first article of a series dedicated to the DPIA, we will go through 39 situations where a DPIA is needed. Let’s start with the DPIA when processing data around artificial intelligence and machine learning.
When you are profiling, doing behavioral analysis and evaluation
Whenever you’re using data in a way that may have a negative consequence for the person, be it legal or financial, that processing is a central concern of the DPIA. These documents are essentially needed whenever there is a high risk to the rights and freedoms of the individuals from whom you’re collecting the information. You’ll see this theme repeated over and over again throughout the many examples listed here.
Profiling for the Purposes of Sending Spam
Sending a general message to everyone on your master mailing list or in a customer database does not count as a situation where you would need a DPIA. However, if you’re using specific information to profile, this would need a DPIA. So, if a bank makes a loan offer available solely to parents of millennials, this would count as profiling.
Profiling the Unemployed for the Purposes of Public Assistance
A job centre might reasonably profile the unemployed as a way to assess their eligibility for different public assistance programs. So instead of sending out one generic message to all unemployed persons about every program, the job centre might run the numbers and narrow down the list to only programs the individual is eligible for.
Profiling Credit Scores (Not Directly Related to Risk Assessment)
If a person applies for a car loan, this is a standard practice that doesn’t require a DPIA. If the same lender uses the individual’s credit score to send an unsolicited letter to inform them of their likely loan eligibility though, this would require a DPIA.
Profiling Lifestyle Choices for Potential Price Increases
Because prices have a direct impact on the individual, controllers need to be careful with how they use this data. For instance, a health insurance company that asks applicants personal questions in order to set their rates, including how often they smoke or drink alcohol and whether they engage in risk-taking activities, would need a DPIA.
Indirect Profiling Based on Groups
There are a variety of groups, such as teachers or civil service employees, who have access to benefits that are not offered to the wider public. For example, a lender that sends a letter to elementary school teachers in the area offering better rates than its competitors is profiling them indirectly through their group membership.
Automated Decision Making
There are a variety of automated systems today, many of which have financial or legal implications for an individual. These complex systems need to be evaluated with a DPIA before they are implemented, and the assessment needs to be updated regularly thereafter.
Monitoring Drivers on the Road
From red-light cameras to fast-pass lane detection, there are plenty of ways to monitor drivers today without the help of toll booth employees or police officers. A DPIA is meant to account for the protection of the drivers and the passengers. For instance, it should ensure that only the offending driver is photographed, rather than their sleeping children in the back seat.
Price-Setting Based on Past Purchases
If a homeowner purchases an outdoor sectional for their patio, they might receive an automated email the next day that advertises the matching pillows at a certain price. Because this price is a special offer made solely to those who have purchased the couch, this could warrant a DPIA.
Data Preventing the Subject from Using a Certain Service
There’s no doubt that data processing has an effect on the ways in which we lead our lives. Running a credit score can prevent a person from getting a loan, and running a background check can prevent a person from getting a job. For that reason, there are regulations on how this sensitive data can and should be used.
Consumer Credit Checks
All consumer checks used by financial institutions should be covered by a DPIA to ensure that the data is only being used in their clients’ best interest. For example, a credit union determining loan terms should have a DPIA describing how it will use the data to set its rates.
Pre-Contract Customer Checks
Contracts typically require customer checks before determining the specifics of the clauses. For example, a mobile carrier might use a customer check before fulfilling an advertised offer. As with the financial institution, the organization should have a DPIA in place to prevent confusion or potential unfairness based on the check.
If you are in one of those situations, running a DPIA should be a priority. Note that in this article we covered only the 9 situations related to artificial intelligence and machine learning. In the upcoming articles we will tackle the cases related to legal freedoms, and to scale and technology, in which you need to run a DPIA.