Organisations could be swamped with subject access requests under GDPR, warns IBM's GDPR expert Steve Norledge

PPI claims firms, activists and others could make subject-access requests en masse, warns Norledge

Organisations could be swamped with costly subject-access requests for personal data when the EU's General Data Protection Regulation (GDPR) comes into force in May 2018 - with organisations bearing the cost of collating the information, or risking legal action or fines from the Information Commissioner's Office (ICO) should they be unable to produce the data in time.

That's the warning of IBM's UK & Ireland GDPR lead Steve Norledge, presenting at Computing's IT Leaders' Forum in Manchester last week.

"I've heard from a number of IBM clients in the telecoms industry who are really worried that the legal firms behind the PPI claims industry will shift their business model to the GDPR and start flooding Facebook and Twitter feeds with adverts: 'Do you want us to do a subject-access request for you? If they can't serve it, we'll raise a class-action'," warned Norledge.

Indeed, one of the new measures that the GDPR will introduce, added Robert Bond, partner at law firm Bristows, is class-action lawsuits, which people may be tempted to resort to when an organisation suffers a security breach - and GDPR also introduces mandatory reporting when a security breach affects personal data.

"I think there will be an uptake [of subject-access requests] among a number of people," warned Norledge. "That means we will have to think about how we engage as organisations. What will the client experience be like? Are we going to make it easy or are we going to make it hard? Or, will we try to disincentivise people from making subject-access requests," said Norledge.

Activists, for instance, could target an organisation with requests en masse as part of a campaign, imposing bureaucratic costs on the targeted entity.

Fossil fuel campaigners could target oil companies, for example, while animal-rights campaigners could target pharmaceuticals, companies involved in food manufacturing, or even supermarkets.

Organisations that can respond to subject-access requests comprehensively and in a timely fashion won't just be better positioned to weather a possible avalanche of requests, but could also enhance their reputations, suggested Norledge.

"So, organisations that can create an intuitive, easy to use experience in terms of how they share transparency will really be able to built that trust with consumers," he added.

However, the issue might be compounded by many organisations not even knowing exactly where all the personally identifiable data it holds is kept.

At a Computing IT Leaders' Club last week, CIOs complained that the GDPR's definition of 'personal data' was so broad that it could encompass anything from the minutes of a meeting to the IP addresses of visitors to the corporate website. "The first legal cases will define what is and is not personal data," warned one of the CIOs, which was covered by Computing under Chatham House rules.

For more information about Computing's forthcoming events, please visit our events website.

Next IT Leaders' Forum: Data Strategy - Building A Framework For Success, Wednesday 21 June

Next IT Leaders' Club: Software licensing and cloud - beware the expensive shortcuts, Thursday 22 June