zlacker

[return to "GDPR: Don't Panic"]
1. abraae+K2 2018-05-18 08:32:21
>>grabeh+(OP)
This doesn't consider some factors that dictate how strong any company will experience their firehose of GDPR requests to be:

- how incentivised people are to make GDPR subject access requests of the company (how angry, confused, hostile, curious they are)

- how easy it is for them to make requests (entirely manual vs. online service)

- wildcard factors (internet flash mobs bent on vengeance against a corporate)

There are also possible business models that might incentivize technology players to deliberately ramp up GDPR requests.

For example, unsuccessful candidates applying for a job at a company could forward their rejection email to a bot. The bot parses the details and fires a GDPR access request in to the HR department. The candidate gets back a formatted dump by email of all sorts of recruitment data, including interview notes, etc. There are obvious ways to monetise a service like this, hence incentive for someone to do it. Recruitment at a large company means engaging with thousands of people and then rejecting them. It is natural for people to have bruised feelings, and also to be curious about why they were not hired. A GDPR button lets them indulge their curiosity and start digging into interview notes etc.

Naturally GDPR requests like this won't flood a company on the first day of GDPR. But the internet is a turbulent place.

2. Anabee+U2 2018-05-18 08:34:40
>>abraae+K2
I agree, and there seems to be a lack of conversation around this! Next week could be ground-zero for all sorts of unintended consequences. Especially, a flashmob of GDPR requests could sink a company.

3. phelev+o71 2018-05-18 18:31:23
>>Anabee+U2
I was thinking a solid new business plan is to register gdpr.me (or whatever) and offer a service. $40, fill out a form, and I will send a GDPR request to every company in the world on your behalf. The data coming back is then offered back to you with the ability to create further requests (deletion for example) selectively or in full.

This seems explicitly allowed for in the law.

4. jacque+9b1 2018-05-18 18:58:59
>>phelev+o71
(1) the service is not explicitly allowed for because data subjects (and not data processors acting on their behalf) would be the ones to file such requests.

(2) you would be filing a lot of requests to companies that have no data in the first place and which you could reasonably have known about had you queried the data subject.

I see such a service as acting in bad faith and would file a complaint against you and your service if such a frivolous request would land in my inbox. Better hold on to the $40, you might need to spend them on a lawyer.

But kudos for trying to see the GDPR as an opportunity, now try to do so in a more constructive way. And - funny - you would be mailing yourself since you would be sure to hold PII on the party making the request in order to be able to authenticate the request as being a genuine one, which in turn would make you required to be in compliance.

5. shabbl+AA1 2018-05-18 22:57:45
>>jacque+9b1
You could maybe provide your users with a pre-filled request form for various companies they indicate they're a customer of, and have them send them directly.

IIRC there are services along those lines for various 'contact your $REPRESENTATIVE' political and activism lines. I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form-letters, due apparently to this sort of abuse.

Can't remember what the exact context was that I saw it, but it might have been FOI or something data-related.

6. jacque+hG1 2018-05-19 00:30:56
>>shabbl+AA1
That sounds like a much better idea.

> I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form-letters, due apparently to this sort of abuse.

Exactly, and it is abuse. There are so-called 'mass letter writers' here in NL that keep on sending FOI requests and other letters to local government, effectively DDOSing the services, and they too can be - and have been - slapped down.
