GDPR will see firms 'flooded' with data requests

Companies will see an upsurge in personal data requests under General Data Protection Regulation (GDPR) rules, as high profile cyber security breaches become more commonplace, a data privacy expert has warned.

Speaking at a panel discussion at London's IP Expo 2018, Kevin Kiley, vice president of sales and business development at OneTrust, said: “I think we will see organisations struggle with data subject rights.”

He predicted that in the coming year, companies would find themselves “swamped” by requests from customers or ‘data subjects’ to hand over the financial and personal data held on them as they exercise their rights under the GDPR.

“This is going to be a big concern, some companies will be flooded with these. Data subject rights are going to be very painful and very expensive for a company managing lots of different data points,” he commented.

The situation could become more acute in the aftermath of a denial of service (DoS) attack or attempted data breach, such as the one that hit Facebook last week. Facebook said that the attack had left the data of at least 50 million users vulnerable before the breach was resolved.

If this were to happen to another firm, Kiley suggested customers would “suddenly go online, and make these requests” for their data. He said said firms needed to ensure they are prepared for the administrative and legal burden of complying with such requests within a calendar month, as stipulated by law.

In some cases, he suggested, larger firms could end up receiving tens of thousands of requests in short measure and would need to comply in order to avoid heavy penalties and sanctions from regulators.

Failure to comply with GDPR legislation could result in the Information Commissioners' Office (ICO) imposing a maximum fine of four per cent of a firm’s global turnover, or €20 million, whichever is higher.

In recent weeks, the Financial Conduct Authority (FCA) imposed a £16.4 million fine on Tesco Bank over failings to protect customer data during an attempted breach by cybercriminals in 2016, while the ICO fined credit ratings agency Equifax £500,000 in relation to a major cyberattack in 2017.

However, despite widespread concern over the impact of financial penalties relating to GDPR, Kiley argued that the most damaging sanction regulators could impose is the temporary suspension of data processing operations until customer data is secured, resulting in reputational damage and lost revenue for the company.

“Everybody talks about fines, but they also have the power to say that processing [of data] is so poor here, we can suspend you, shut down your website... that’s really their greatest weapon - it’s not the fines,” he suggested.

Kiley also echoed warnings from cybersecurity experts on the first day of the IP Expo, who said firms should prepare for the inevitability of a cyberattack, as criminals devise increasingly efficient methods to infiltrate networks.

“Something will go wrong,” he said, adding: “Everybody will be beached sooner or later.”

But he concluded that regulators such as the FCA and ICO would be primarily concerned about the prior steps taken by companies to defend themselves from attack when it comes to making a decision about penalties.

“[They will ask whether] you took the right steps, whether you informed the right people, whether you kept your audits up to date,” he concluded.

Related Articles