A GDPR risk?

With the deadline to achieve compliance fast approaching, the GDPR is going to present a number of opportunities and challenges to businesses.  One potential loophole however, could prove to be a massive risk to companies following the implementation of the GDPR on the 25th May.

Under current legislation, organisations are typically able to charge a fee of up to £10 when complying with a subject access request (SAR), but under the incoming rules an individual has the “Right to Access” – the right to know what data a business may hold relating to them – and the company can make no charge if this is the first request from the individual.  This change is obviously beneficial to the public who undeniably should have the right to know what is held about them and by whom.

But what if this change in legislation is abused?  Theoretically, a group of like-minded individuals could co-ordinate and present several hundred (or thousand) SARs to one organisation simultaneously and at no cost to themselves.  This could result in a significant amount of man hours, resources and money being expended to comply with the new regulations which state that SAR requests should be responded to within 30 days.

This potential threat is akin to the Distributed Denial of Service (DDoS) attacks that frequently occur in the digital world, and it is feasible that such an attack could cause irreparable damage to a business.

Of course, such an event does not have to be deliberately enacted – if a company suffers a data breach that makes headlines, and the media suggest conducting a SAR to see if you may have been affected, would even the largest organisation be able to sustain such a volume of requests?

A very similar issue is highlighted by a recent poll carried out by independent media agency the7stars.  They found that 34% of the 1000 British consumers surveyed plan to exercise their “Right to Erasure” when the GDPR is formally implemented.

The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.  It does not provide an absolute ‘right to be forgotten’ however, and individuals have a right to have personal data erased and to prevent processing in specific circumstances only.  Although there appears to be a disparity in what the public believes this means and what this right actually means, the reality is that a number of businesses could be swamped with these requests that would all require further investigation in some form.

Of course, at present these risks are entirely theoretical, but it may be time to consider how your business stores and handles data, and how easy it is to retrieve and present that data when required.

At Security Watchdog, we have a team of GDPR specialists who can advise on issues such as these, and assist in ensuring that your business achieves and maintains compliance under the new regulations.