Can GDPR implementation be weaponised and used against a company?

It’s estimated that only 60% of European businesses are prepared for GDPR when it comes into force on the 25th May. This figure drifts significantly lower when countries outside the European Union are taken into consideration. Fines are the most obvious concern for businesses, but there is a more insidious menace to be considered — how GDPR may be used maliciously against a company.

Many organisations believe that GDPR doesn’t affect them, but they’re probably wrong. Even a one-man operation working out of Timbuktu has to comply with the GDPR if they are handling an EU citizen’s data. Others believe that they will have time to “work things out” before regulators take a tough stance. However, given the Information Commissioner’s Office’s recent level of fines, it’s a risky stance.

But the regulator isn’t the only one waiting for the clock to strike midnight on May 25th. There are a few others waiting in the wings preparing to take aim at businesses. The most obvious threat will come from activists who will encourage their members to bombard target organisations with requests for information.

>See also: Can programmatic survive GDPR?

Having to suddenly investigate and reply to a large number of requests within 30 days will not only take up a vast amount of resources, it will highlight the weaknesses in many organisations’ strategy to comply with GDPR.

Most companies hold data in disparate databases. Some use legacy email archives to turn all electronic communications into email for storage purposes, while others just take snapshots of social media exchanges. Searching for a named person and their associated online identities will involve not just one search but several, possibly tens of searches, to ensure every piece of information is found, right down to a Direct Message (DM) sent over Twitter.

Even once all the searches are complete it still needs to be correlated to either send to the person and/or determined whether or not it can be deleted, or if indeed another regulation overrules GDPR. The Information Commissioner’s Office says it is possible “to extend the period of compliance by a further two months where requests are complex or numerous”, but businesses will still need to comply.

If they refuse “they must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.”

With a simple request to their members, activists will be able to cause disruption and financial loss to businesses with minimal effort by ensuring that vital resources are redirected into dealing with information requests in order to comply with GDPR.

This same effect is also likely to be seen just at a time when businesses need it least, such as when making a public announcement about a data security breach. “Helpful” news outlets will recommend that readers, viewers, and listeners contact the company concerned and request what information is held about them.

>See also: AI leaders warn of ‘killer robots’ in letter to United Nations

And just as has been seen in the US with the Freedom of information Act, online sites will pop up offering to send standard letter requests to any number of major service providers, banks, supermarkets, and retailers for just a few pounds.

The first request for information is free, so the cost to the online site is minimal with potentially huge returns. Particularly as people start to remember all the companies they used to use and now hold a grudge against, and see taking action simply as a little sporting fun or purely out of curiosity. GDPR is just the beginning.

Just as countries outside the EU must comply, other countries will soon demand the same of regulations designed to protect their citizens. Now is the time for organisations to consider how to add visibility and transparency to their data infrastructure.

Streamlining how data is archived, storing it in its native format and enabling easy retrieval of conversations in context will allow businesses to not only defend themselves against the malicious use of GDPR, but also improve efficiencies in other critical areas such as eDiscovery.

Sourced by Shaun Hurst, subject matter expert at Actiance

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...