BLS Stay Compliant


[Image: a humanoid robot typing at a laptop beneath a cloud raining data streams, representing AI completing subject access requests.]

The dangers of using AI to manage subject access requests

Subject Access Requests (SARs), an individual’s right of access under GDPR, are becoming much more frequent across the data protection landscape, with most organisations seeing at least one or two a year and many receiving far more than that.

In addition to the increase in requests, complaints relating to subject access requests are on the rise: the Information Commissioner’s Office (ICO) received 2,102 complaints under “Article 15 - Right of access” between July and September 2024 alone, with a further 1,806 relating to data subject access.

Many organisations trust AI-based services to complete SARs. These services provide a quick, affordable and often low-input method of filtering large amounts of information to find the specific data requested and to produce a suitable response.

Whilst these services offer a cost-effective way of completing subject access requests, and their speed helps with meeting the required deadline, relying on them entirely carries many issues that could prove costly.

Using AI to manage subject access requests can present several potential dangers if not implemented and monitored properly. These include:

1. Privacy Risks

  • The biggest and most obvious concern is data misuse: providing AI systems with sensitive personal data to process may inadvertently lead to exposure or misuse of that data, especially if the system is not carefully monitored or lacks proper safeguards.
  • Redaction may not be complete or correct: trusting AI to properly redact all the relevant personal data before processing or sharing it may result in data breaches or accidental disclosure if the output is not diligently checked by a human.

2. Bias and Inaccuracy

  • Unintentional bias arising from how the AI was trained: AI systems may introduce or amplify biases, especially if the training data includes biased or unrepresentative information. This could result in unfair or discriminatory processing of SARs, potentially impacting marginalised groups or resulting in incorrect grouping of information.
  • Another relatively obvious risk is data misinterpretation: AI might misinterpret the context of a SAR or fail to grasp the nuances of a request, leading to incomplete or incorrect responses. This could violate privacy rights or lead to legal complications, including data breaches.

3. Lack of Transparency

  • Transparency of decision making: AI-driven systems can make it hard to trace how a decision or action was reached. If an individual’s SAR is handled by AI, it could be difficult to provide a clear explanation of how their data was processed, which is crucial under Article 12 of UK GDPR (‘Transparent information, communication and modalities’).

4. Inability to Handle Complex Requests

  • There will always be limitations in AI understanding: subject access requests can be complex, requiring human judgement to determine what data should be shared, what can be redacted, or whether the request is legitimate. AI may struggle with such decisions, which often involve applying exemptions or balancing the rights of the data subject against other legal requirements. This is frequently the case with subject access requests involving children or police involvement.

5. Security Concerns

  • Technical cyber security risks and vulnerabilities can increase: if an AI system isn’t properly secured, it may become a target for cyberattacks. A breach could compromise the data and put sensitive personal information at risk, leading to costly consequences for the organisation and, not least, harm to the data subjects themselves.
  • Allowing AI to issue automated responses is risky: if AI systems generate responses without human oversight, this could lead to incorrect or incomplete disclosures, again leaving the organisation vulnerable to legal action.

6. Compliance Issues

  • Unintentional non-compliance with regulations: SARs are subject to strict timelines and legal requirements (UK GDPR requires a response within 30 days). Whilst the service may be quick, AI may not always be reliable enough to meet these requirements or to interpret evolving regulations correctly.
  • Another major risk of AI is trusting the service to make accurate redactions: AI may fail to correctly redact sensitive information, such as third-party data or data covered by legal exemptions. Such an oversight may lead to costly data breaches and reputational damage, or at the very least a complaint to the ICO, which can and often does result in further action.

7. Loss of Human Oversight

  • Over-reliance on AI: using AI without human oversight could lead to a situation where errors go unnoticed, important details are overlooked or complicated requests are incorrectly managed. Human judgement remains essential for legal compliance and ethical considerations.

Minimising the risks of managing subject access requests through AI is challenging. A great deal of trust must be placed in the organisations that set up the AI systems: that the service has been configured correctly and has the information it needs to complete requests adequately and reliably.

If organisations choose to implement AI to complete SARs, they should do so with robust security and privacy measures, and the systems should be regularly audited to ensure full compliance with regulations and to check that they are still functioning correctly.

The most effective way to avoid these risks when completing SARs is to avoid AI altogether. Given the risks involved, AI is not, and will never be, part of the process BLS Stay Compliant uses when managing subject access requests.

Instead, we dedicate several team members and many hours to every subject access request we receive, to ensure with absolute certainty that all redaction has been completed correctly, that the data is secure and accurate, and that full transparency is applied in completing the request.

We receive many SARs every month, and every request receives the same reliable and diligent care. Our team are well versed and expertly trained in all areas of data protection, so complicated requests are managed as carefully as simple, basic ones.

Whilst our subject access request service is often included as part of a managed service, we are also able to complete SARs on an ad-hoc basis, suiting either larger organisations who wish to offload this work to us permanently or smaller companies who receive very few SARs and therefore only need occasional assistance.

If we can assist you with your subject access requests, please just get in touch.
