Even today, using data for a purpose for which the individual gave no explicit permission is risky. Witness "NHS illegally handed Google firm 1.6m patient records, UK data watchdog finds".

It only gets more complicated when combinations of algorithms, machine learning and AI analyse "Big Data".

With GDPR it is no use using a defence that " It was the algorithm wot did it, not me guv!" 

Whatever decisions were made automatically must be auditable and using data that expressly has the agreement of the data owners to be used in that way. Customers which demand access to and ability to correct or redact data involved in AI will cause a few headaches!