Anonymisation, Profiling and Automated Decisions
Now you are beginning to get a good overview of what the GDPR entails—and everything you need to consider when processing personal data. It's perhaps not as daunting as you had imagined?
Before we conclude this chapter, there are some specific topics and issues that are good to know about, which we will quickly go over here: anonymisation and pseudonymisation, profiling and automated individual decisions.
Anonymisation and pseudonymisation
A couple of important terms that you will soon come across in the context of the GDPR are anonymisation and pseudonymisation. What does this entail—and what's the difference?
Pseudonymisation means that the information can no longer be linked to an individual without additional information—not without a “key”. For example, all the names on a list are replaced with numbers, and you can no longer see who is who.
Anonymised information, on the other hand, cannot be linked to an individual at all. This is no longer considered to be personal data, and falls outside of the General Data Protection Regulation.
In practice, however, it is almost impossible to completely anonymise personal data in this way, for several reasons.
For instance, there may be copies of the dataset. Suppose you “anonymise” a dataset about patients as part of a course for medical students. The original dataset will still exist at a hospital or research institution, and it would therefore be possible to identify the individuals. The data could also potentially be combined with other datasets, making it possible to put two and two together and reveal the identity of the registered individuals.
Achieving fully anonymised information is therefore very demanding. But to the extent that you actually have genuinely anonymised data, they are no longer covered by the GDPR.
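The difference can be made concrete with a short sketch. This is an added example, not part of the original course text: it replaces names with random numbers, shows that a record can only be linked back with the key, and lists records that still stand out on their remaining attributes. The patient records, field names and function names are constructed for illustration.

```python
import secrets
from collections import Counter

# Constructed sample records (not real patients).
PATIENTS = [
    {"name": "Patient A", "birth_year": 1984, "postcode": "0150", "diagnosis": "asthma"},
    {"name": "Patient B", "birth_year": 1984, "postcode": "0150", "diagnosis": "diabetes"},
    {"name": "Patient C", "birth_year": 1951, "postcode": "5003", "diagnosis": "asthma"},
]

def pseudonymise(records, id_field="name"):
    """Swap the direct identifier for a random number.

    Returns (rows, key). The key maps pseudonym -> identifier and is the
    "additional information" that must be stored apart from the rows.
    """
    forward = {}
    rows = []
    for rec in records:
        ident = rec[id_field]
        if ident not in forward:
            # Random, so the pseudonym cannot be recomputed from the name.
            forward[ident] = secrets.token_hex(8)
        row = {k: v for k, v in rec.items() if k != id_field}
        row["pid"] = forward[ident]
        rows.append(row)
    key = {pid: ident for ident, pid in forward.items()}
    return rows, key

def relink(row, key):
    """Return the identity behind a row, or None without the key."""
    return key.get(row["pid"])

def singled_out(rows, fields):
    """Rows whose values for `fields` occur only once in the dataset.

    Such rows stand out on attributes that other datasets may also hold,
    so removing the name alone has not made them anonymous.
    """
    counts = Counter(tuple(r[f] for f in fields) for r in rows)
    return [r for r in rows if counts[tuple(r[f] for f in fields)] == 1]

if __name__ == "__main__":
    rows, key = pseudonymise(PATIENTS)
    print(relink(rows[0], key), relink(rows[0], {}))
    print(singled_out(rows, ["birth_year", "postcode"]))
```

As long as the key exists anywhere, the rows remain pseudonymised personal data, and any row returned by `singled_out` needs further treatment before the dataset could be called anonymised.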
Profiling
Profiling refers to the automatic processing of personal data in order to assess certain personal aspects of individuals. For example, profiling may aim to analyse or predict a person's work performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements.
In practice, this typically involves a machine learning algorithm that uses available data to evaluate us, analyse us, or try to predict what we will be interested in and how we will behave in various situations.
This is typically used to deliver targeted advertising. But it is also easy to imagine the value (and potential for abuse) such profiles can have in relation to, say, loan applications, credit assessments and in political contexts.
There are many pitfalls here. The algorithms may be based on insufficient data and give unfair profiles that do not correspond with reality. Or discrimination may occur, such as two people being offered products in completely different price ranges.
Therefore, you must be sure that you have a solid legal basis for profiling. The law clearly states that it is prohibited to develop automated solutions that produce results that are either obviously incorrect and unreasonable, or appear as such. The use of automated decisions can also in itself be prohibited, as we will see shortly.
If you are going to use some form of profiling, it is especially important that you provide good information about what you are doing and why, in such a way that you build trust with the user and let them see the value of what you are doing.
Automated individual decisions
The GDPR gives each individual the right not to be subject to an automated individual decision—that is, a decision based solely on automated processing. But again, there are exceptions.
So what does an automated individual decision entail? First of all, the decision must be made without meaningful human intervention, and secondly, it must be a decision with legal significance or a similarly substantial impact on us.
Suppose you go to the bank and apply for a loan. If the bank uses an algorithm to assess whether you should get the loan or not, and it is the algorithm alone that makes this decision, this would be an automated individual decision. If, however, it is a bank employee who says yes or no based on the algorithm's assessment, it is no longer an automated decision—because a human has the final say.
The second condition is that the decision must have legal consequences or a similar significant impact on us. What kind of loan you can get from the bank could be crucial for entering the housing market, for instance. Or if such algorithms are used by institutions like the Labour and Welfare Administration, they can decide whether you are entitled to receive welfare benefits. In both cases, these are decisions that will have significant and/or legal consequences.
So why do we need to understand what is considered an automated individual decision? Well, it’s because, in principle, this is not permitted without a specific legal basis.
An automated individual decision can include profiling, but not necessarily. Suppose you are caught by two speed cameras on a stretch with section speed control. An algorithm is used to calculate the speed you have maintained, and can decide that you should receive a speeding ticket if you were driving too fast. The algorithm does not assess whether you are a good driver or not; it just assesses the speed of the car.