Subject access requests (SARs) are nothing new. Under current data protection law a data subject can pay a small fee (£10 in the UK) and demand a copy of the personal data held about them, and the controller must then spend time and resources locating, reviewing and supplying it. This occasional headache could turn into a fully-fledged migraine with the arrival of the General Data Protection Regulation (GDPR).
GDPR rewrites the rules on SARs. The fee is abolished, supplementary information must be included, the response deadline shrinks from 40 days to one month, and fines for non-compliance are draconian (up to the higher of €20m or 4% of worldwide annual turnover). In short, SARs are likely to become far more common and must be taken seriously.
Many businesses will need to review their workflows and systems to ensure that they can manage an influx of SARs on a timely basis. Sourcing and delivering significant quantities of sensitive data is a challenging task, especially where there are no automated processes.
The requirement to supply ‘supplementary information’ may sound innocuous, but it has the potential to trigger changes to core business processes. This catch-all term covers where the data came from, the purposes it has been used for and who it has been shared with, and where automated decision-making or profiling is involved, the controller must also give meaningful information about the logic applied. As a result, it may force businesses to expose information never intended for public consumption. Few data subjects understand how their personal data is used or how they are profiled and segmented; when confronted with the truth, they may not like what they see. The risk here is clear: hard-won customer trust can evaporate in the blink of an eye as negative social media posts go into overdrive.
There are also some indirect consequences that need careful consideration. Firstly, a SAR response is a consolidated bundle of everything the controller knows about one person, which makes it a goldmine for cybercriminals: an attacker who can pass themselves off as the data subject, or intercept the response in transit, obtains in a single package what would otherwise take a breach to assemble. The controller's responsibility for that data does not end at its own security perimeter, so the requester's identity must be verified (the Regulation allows the controller to ask for further information where it has reasonable doubts about who is asking) and the response must be delivered over a channel appropriate to its sensitivity. Secondly, these rights have the potential to be “weaponised”: imagine coordinated requests arriving from 10,000 individuals at the same time. A coalition of data subjects could legally use SARs in much the same way as cybercriminals use Denial of Service (DoS) attacks, bombarding a business with requests until it is overwhelmed. The Regulation does let a controller charge for, or refuse, requests that are manifestly unfounded or excessive, but the controller must be able to demonstrate that, and a large volume of individually legitimate requests is neither. In effect, SARs could become a new form of legal protest with devastating consequences.
Of course, all the risks introduced by GDPR can be managed and businesses still have time to prepare for the arrival of the Regulation. trust-hub can provide you with the tools you need to get started. Book a demo now and take control.