🤖 The Bill reinstates the limitation on the restriction of automated decision-making to only those decisions based partly or wholly on special category personal data. The financial services sector has been an early adopter of AI tools and automation within its client-facing solutions, so this would extend the ability of organisations to utilise automated decision-making. It will be interesting to see how this progresses through Parliament and how it links with data subjects’ right to request ‘meaningful information about the logic involved’ in automated decision-making.
❌ The Bill has not adopted the idea of changing ‘manifestly unfounded and excessive’ to ‘vexatious’, meaning the current exemptions are likely to remain in place. The GDPR and surrounding guidance have always been clear that DSARs should be ‘motive blind’, so while changing the exemption here may have been a helpful tool, it would certainly have required more guidance for organisations to ensure they’re balancing data subject rights against the challenges of responding to troublesome/challenging DSARs.
💡 The Bill codifies the ‘reasonable and proportionate search’ obligations that are currently only set out in data protection guidance. This will be super helpful in situations where data subjects are demanding that financial services organisations undertake extensive and unreasonable searches.
❓ There is an unusual provision in the Bill that essentially enables the Secretary of State to create and pass regulations requiring data controllers to notify the regulator of the number of complaints they have received. It is unclear what sort of notification threshold would apply here, but this will be relevant in a DSAR context where DSARs are connected to wider data protection complaints/issues.
Our end-to-end DSAR solution – WBD Clarity – led by Amy Prime is a brilliant tool to help navigate large volumes of DSARs and/or complex DSARs.