- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile curious they are)
- how easy it is for them to make requests (entirely manual vs. online service)
- wildcard factors (internet flash mobs bent on vengeance against a corporate)
There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.
For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request in to the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiousity and start digging in to interview notes etc.
Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.
(simplified)
* You need to have a data processing agreement with the Saas company X.
* You need to tell candidates in your privacy information that you send data to X
* You need to make sure X is properly implementing the data processing agreement (currently not clear how you do this except using e.g. PwC to review X)
If you have the data, you need to tell the candidate what you do to protect it, backup it, restrict access to it etc.
(also if e.g. the talentpool feature is provided by LinkedIn based on LinkedIn data you're not responsible under the GDPR, only if you sent data to X or X collects data on your behalf e.g. in a web form)