[return to "GDPR: Don't Panic"]
1. abraae+K2 2018-05-18 08:32:21
>>grabeh+(OP)
This doesn't consider some factors that dictate how strong any company will experience their firehose of GDPR requests to be:

- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile, curious they are)

- how easy it is for them to make requests (entirely manual vs. online service)

- wildcard factors (internet flash mobs bent on vengeance against a corporate)

There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.

For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request in to the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging into interview notes etc.

Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.

2. kartan+J4 2018-05-18 08:56:46
>>abraae+K2
> and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging into interview notes etc.

If your company cannot show the candidates why they were not hired, you are doing a very bad job.

Are you discriminating against protected classes?

Are you rude or offensive in your comments?

Then, stop doing it. That will be a very good side-effect of this situation. Public scrutiny works. If a company needs to make public their interview notes, those notes are going to improve in quality and abide by the law.

> how strong any company will experience their firehose of GDPR requests to be

If you are big enough to have a big influx of GDPR, you need to automate it.

> how easy it is for them to make requests

It needs to be easy. The goal is not to let your company shield behind "sorry it is too complicated to give you the information". You need to give people easy access to their own data.

> wildcard factors

How is this different from a denial-of-service attack on the technical side? On the legal part, there are lawsuits that are going to be more effective than GDPR, which starts with recommendations for improvement.

> The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it.

You only get the data about YOUR own interview. You cannot hoard data this way. It works the other way around. The data protection is protecting you from the company monetizing this information without your consent. Companies are the ones hoarding YOUR personal data and creating a business around it without YOUR consent.

Your concerns are the main reason GDPR was created.
