Does your privacy policy cover all your data usage?

Many of us may feel that things have settled down regarding working within the rules of GDPR. We are all well drilled in knowing that we need to have made a conscious decision as to what lawful basis we are operating under for processing personal data.  

However, we mustn’t forget the requirement to be honest, fair and transparent at all times. And this means providing clear guidance on what we do with people’s personal data, including what profiling activities are taking place, and why.  

Firstly, if you’re doing any kind of profiling (even if the consumer is unlikely to know you are doing it) make sure your privacy policy mentions it – or you could be risking an ICO fine. 

And, it’s all too easy to think you have ‘legitimate interest’, but beware. Just like any other form of data that is being processed, you will need to determine if it is being processed under legitimate interest or consent. In most instances with existing customers or supporters, it will come under legitimate interest – unless you’re using special category data (such as health information), which is sensitive and therefore requires consent. But you still need to make it clear that the personalised communications you send to people are the result of this activity.  

It’s important information that should be provided at the point of data collection (or within a month afterwards) and should be included in your privacy policy.

What’s more, remember that in the real world not everyone understands data speak, so this information also needs to be written in a way that people can easily understand. This is where it makes sense to talk about using what you know about people to send them more personalised and relevant communications and offers that could be of greater benefit to them, rather than talking about ‘profiling’ and ‘targeting’.

So, don’t be caught out! Make sure that any and all activity you carry out with people’s personal data – or might in the future – is clearly displayed on your website, in an easy-to-find privacy policy.

Melanie May