If you need HELP, SUPPORT or just have a GDPR question please call +44 (0) 208 133 2545 or email us at email@example.com.
Alternatively please visit our contact page
FREE GDPR Helpline
Call +44 (0) 208 133 2545
Articles 15-20, I am empowered, maybe too empowered?
There are a number of articles in GDPR that tell an individual that on the 25th May 2018 they have the right to request their data from an organisation that holds anything about them. These articles also say you have the right to delete or modify this data if you do not want them to have it any longer or you believe it is wrong. Once requested said organisation has 30 days to give you that data or make that change. How they will go about showing you they have deleted your data is beyond me.
Now this brings about an interesting situation; we have all seen petitions on social media. We have seen large groups of people be spurred on social media by events in the news. So what happens if enough people get together because of mutual dislike of an organisation?
Let’s take what happened midway through 2017 with BA. Lots of people were inconvenienced because of their system crash, this led to a lot of anger in their customer base. I am sure there is probably a thread on twitter or a group on Facebook called something like “British Airways haters anonymous”. It’s not beyond the realms of possibility that someone could get a large group of individuals together to all submit personal data requests. I know I do not just speak for myself when I say there are certain transport organisations in the UK that frustrate me a great deal.
The result of this could be tens of thousands of customers request their data in a day. This could be too much for an organisation to handle; should they fail to address all these requests they would be liable for a fine. And on a more practical note, even if they do manage to fulfill these requests the sheer volume of requests would cause havoc internally. Since working in the industry, I have seen three approaches to dealing with data subject access requests: Manual, semi-automated, and fully automated. There are very few companies that have deemed it necessary to go for a fully automated approach to deal with subjects exercising their rights, most of the time there is need for human intervention, and this slows down the rate at which DSARs can be dealt with.
So we could see groups being empowered to disrupt & take down organisations, I mean it isn’t beyond the realms of possibility, is it? There is nothing in the regulation that says this anarchistic behaviour is illegal…
“I am just exercising my rights man…”
If you ACTUALLY READ the regulation you will see that it says nothing of the sort. Organisations don’t have to comply with repeated or voluminous requests within the 30 day time-frame – they can notify the ICO about the situation. I politely suggest you stop talking out of your butt.