The last thing you need as an IT leader is unexpected and uncontrollable
surges in demand on your systems. As the former chief information officer of
Egg, the online bank with about four million
customers, I have been on the receiving end of sudden, overwhelming surges
in customer activity.
This can bring crucial parts of your organisation grinding to a halt. And it
is exactly what IT directors may face in the near future as consumers become
more assertive about having access to their personal information.
In a survey in January by the Information Commissioner’s Office, 56 per cent
of UK consumers said they are concerned about how their personal information is
being handled. More than half of consumers want to know who holds it, why they
are holding it and what decisions are being made with it. And in the UK, we
have laws that give consumers real power to find this out. Under the Data
Protection Act there is a powerful tool known as a ‘subject access request’.
A subject access request is a demand from an individual to an organisation,
in writing, asking what ‘personal data’ the organisation is processing about
them, how it is being used, and, unless exemptions apply, giving them the right
to receive a copy of that information.
The request can be broad or narrow. I can ask you to tell me everything you
hold about me or I can ask you to give me a copy of the email that you sent to
the chief executive about me on 21 January 2004. Your organisation has 40 days
to respond and if the Information Commissioner gets involved, failure to release
information after an enforcement notice can result in personal fines and even a
criminal prosecution, adding to your woes over possible negative media
attention.
Your organisation probably has procedures in place to deal with these
occasional requests. Usually the first port of call is the legal or compliance
team – not usually the most customer-friendly part of your organisation.
Sometimes the consumer gets so fed up with requests for clarification from the
organisation that they do not bother to pursue their request. Most
organisations find a way of responding to the one-off request with some
personal data within the deadline.
But consider a different scenario. Online consumers are becoming used to a
different type of relationship with companies. We know our rights and if we want
something we fire off an email and demand it.
So it is easy to imagine a scenario whereby a news story, say, or a
revelation in an influential blog, suddenly results in 10 per cent of your
customers hitting you with subject access requests. Now things get interesting.
You are a major retailer and 5,000 employees email the HR department on a Monday
morning with subject access requests. You are an online dating site and one
million of your 11 million customers email you subject access requests on the
same day. Is this the digital age equivalent of a run on the bank?
Most organisations have dealt with the individual ‘subject access request
from Hell’, but I don’t know of a single UK company that is geared up to respond
to a deluge of requests.
Yet I can see it coming. I firmly believe that as a consumer I have as much
right to see my personal information and understand what you are doing with it
as you do to hold it.
And I want you to make it easy for me to access that information. If all my
friends and I decide to act at the same time, that is your problem, not mine.
You have to figure out how to respond.
The answer lies in automation. Your ability to ‘publish’ personal data to the
person who has a right to see it, and to collate information from across the
organisation in a way that you have not needed to in the past, is key.
Integrating well-structured databases across an organisation is hard enough,
integrating all ‘people data’ is a huge challenge. But in a world of mass
subject access requests you may not have a choice.
Semantic web approaches may have something to offer here: lightweight
techniques designed to bring together disparate data sources with a shared
meaning and re-publish them in a standard way.
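As an added illustration of the collation approach described above (example code, not from the article or from Garlik), the script below maps three constructed sources with different schemas onto a shared vocabulary, pulls out only the requester’s records, emits a standard bundle stamped with the 40-day deadline, and lists any unmapped fields for the compliance team to review rather than silently releasing them. All source names, field names and records are hypothetical.

```python
from datetime import date, timedelta
import json

# Constructed sample data (hypothetical): three sources, each with its own schema.
CRM = [
    {"cust_id": "C-1001", "email": "Alice@Example.com", "full_name": "Alice Example", "segment": "gold"},
    {"cust_id": "C-1002", "email": "bob@example.com", "full_name": "Bob Example", "segment": "silver"},
]
EMAIL_LOG = [
    {"to": "ceo@example.com", "about": "alice@example.com", "sent": "2004-01-21", "subject": "Complaint escalation"},
    {"to": "ceo@example.com", "about": "bob@example.com", "sent": "2004-01-22", "subject": "Refund"},
]
HR = [
    {"staff_email": "alice@example.com", "grade": "7", "manager_notes": "third-party opinion, needs review"},
]

# Shared vocabulary: for each source, which field identifies the data subject and
# which of its fields may be republished under which common term. Fields not listed
# (e.g. manager_notes, which may contain third-party data) are withheld for review.
SOURCE_MAP = {
    "crm": {"records": CRM, "subject_key": "email",
            "fields": {"full_name": "name", "segment": "marketing_segment"}},
    "email_log": {"records": EMAIL_LOG, "subject_key": "about",
                  "fields": {"sent": "date", "subject": "subject"}},
    "hr": {"records": HR, "subject_key": "staff_email", "fields": {"grade": "grade"}},
}

def normalise(identifier):
    """Match subjects case-insensitively and ignoring surrounding whitespace."""
    return identifier.strip().lower()

def collate(subject, source_map, received_iso):
    """Build one standard response bundle for a subject access request."""
    received = date.fromisoformat(received_iso)
    bundle = {"subject": normalise(subject), "received": received_iso,
              "deadline": (received + timedelta(days=40)).isoformat(),  # 40-day limit
              "sources": {}, "withheld_for_review": {}}
    for name, spec in source_map.items():
        hits = [r for r in spec["records"]
                if normalise(r[spec["subject_key"]]) == bundle["subject"]]
        if not hits:
            continue  # no personal data about this subject in this source
        allowed = spec["fields"]
        bundle["sources"][name] = [
            {allowed[k]: v for k, v in r.items() if k in allowed} for r in hits]
        withheld = sorted({k for r in hits for k in r
                           if k not in allowed and k != spec["subject_key"]})
        if withheld:
            bundle["withheld_for_review"][name] = withheld
    return bundle

if __name__ == "__main__":
    print(json.dumps(collate("alice@example.com", SOURCE_MAP, "2004-02-01"), indent=2))
```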
So, why does this concern you? Isn’t this a matter for the legal and
compliance team? You know as well as I do that when the Audit or Risk Committee
meets to consider these scenarios, all eyes will turn to the IT director with
the same question: ‘So, what are you doing about it?’
Tom Ilube is chief executive of Garlik, a start-up company that helps
consumers manage their online personal information.