- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile curious they are)
- how easy it is for them to make requests (entirely manual vs. online service)
- wildcard factors (internet flash mobs bent on vengeance against a corporate)
There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.
For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request in to the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiousity and start digging in to interview notes etc.
Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.
I have. There's no way we will be deleting interview notes the moment a candidate is rejected. For one, we have to be able to prove later that we didn't reject based on grounds of discrimination (other regulations). But you also need the ability to review what your interviewers are doing to ensure consistency and quality of assessment. We also go back and re-read interview notes if someone doesn't make it through probation or gets fired, to see if we could have picked up on the issue earlier.
But hey GDPR defenders, here's a question to ponder. I have argued above that I legitimately need interview notes for the operation of my business. If you disagree, what makes you so sure your interpretation is correct and not mine? Don't you think it'd be good if we could resolve this disagreement in some clear way, like if the law itself spelled it out?
> I have argued above that I legitimately need interview notes for the operation of my business.
That's the point. You're keeping data to comply with a law (Equality laws) or for legitimate reasons, and so you don't need permission and you don't need to delete it when asked.
https://gdpr-info.eu/art-6-gdpr/
> Processing shall be lawful only if and to the extent that at least one of the following applies:
> processing is necessary for compliance with a legal obligation to which the controller is subject;
> processing is necessary in order to protect the vital interests of the data subject or of another natural person;
> processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Any of these would suit.