Profiling tools: ICO publishes guidance

The Information Commissioner’s Office (ICO) has published updated guidance for organisations on how to use profiling tools as part of their trust and safety processes. Whilst principally directed at user-to-user services so that they can comply with both UK data protection law and the Online Safety Act 2023, the ICO states that the guidance also applies to “any organisations using, or considering using, these tools for broader trust and safety reasons”. 

The ICO explains that, for the purposes of the guidance, profiling tools are those trust and safety tools that use profiling (as defined in Article 4(4) of the GDPR) to analyse aspects of a person’s characteristics, behaviour, interests, or preferences. The guidance breaks down the four ‘key stages’ of such profiling tools (input, analysis, output, and application of output), each of which involves the processing of personal information, meaning that organisations deploying them must be able to demonstrate that the processing is both necessary and proportionate and that it complies with the data protection principles. 

The guidance sets out various ways that an organisation can demonstrate compliance with its data protection obligations, stating that it must consider (a) what personal information it plans to process, (b) whether it is necessary and proportionate to achieve its aim and (c) the risks involved and how they will be mitigated. It makes clear that the use of profiling tools often carries a high risk due to the likelihood and severity of potential harm to users, and therefore a data protection impact assessment must be carried out before such tools are deployed. 

There is also considerable guidance on how to ensure that profiling tools are used lawfully, fairly and transparently, as well as how organisations can ensure data minimisation and the accuracy of personal information. Importantly, it also addresses the implications of Article 22 of the UK GDPR, which limits the circumstances in which an organisation can make solely automated decisions that can have a legal or similarly significant effect on individuals. Profiling is explicitly identified as the sort of automated processing that Article 22 seeks to govern, and so the guidance provides advice on how to determine if a particular profiling tool would be caught by this provision, and what steps to take if so. 

The ICO is gathering feedback on its guidance until 31 October 2025.
