Data Protection Bill

Written evidence submitted by David Burns (DPB01)

Dear Sirs,

I welcome the opportunity to comment on the Data Protection Bill and would like to particularly highlight a potential anomaly in respect of automated processing covered by Article 21-22 of GDPR and Clause 13 of the Bill - Automated decision making authorised by law - safeguards.

Within regulated financial services companies, there is a legal obligation to ensure that financial transactions are not carried out with people subject to sanctions. Where a data subject is found to be subject to sanctions, financial companies must notify the Office of Financial Sanctions Implementation and

· stop dealing with them

· freeze any assets they're holding for them

Many c ompanies use automated decision- making processes to determine if an individual is subject to sanctions (eg GB Group provide such a system). Such processes fall within GDPR Article 22(2)(b) and not (a) or (c). The decision falls within the definition of a 'qualifying significant decision'.

Under clause 13. the Bill states that individuals must be notified in writing where a decision has been made which is based solely on automated processing. However, in the case above, this could create a conflict and prevent assets from being frozen. 

Though this gives the individual the opportunity to challenge inaccurate data or unfair decisions, I believe the case described above highlights an issue and may cause unintended results. It is true that the individual must be notified 'as soon as reasonably practicable' but it may be useful to consider further exemptions to the notification obligation requirement. Others may have similar situations they may highlight.

Yours faithfully,

David Burns

Data Protection Officer

March 2018


Prepared 12th March 2018