Firms rocked by barrage of ‘weaponised’ data requests

data requests 2Fears that GDPR would trigger a mass bombardment of data subject access requests (DSARs) appear to have been realised, with some organisations being forced to handle more than 500 a year, triggering accusations that many requests are needless, vexatious and even weaponised.

That is one of the key findings of the Privacy Pulse Report, compiled by the Data Protection Network and sponsored by Exterro, which quizzed UK data protection and privacy chiefs to gauge the opinions gather the views of the community and find some shared truths about working in the sector.

It reveals that the majority of respondents had received multiple DSARs over the past year, 20% had received up to 50, 12% up to 200, 7% up to 500 and 9% in excess of 500 during the period.

The report highlights that there have been “alarmingly large volumes received by some organisations”, and goes on to explain that while some were due to the sheer scale of the organisation, others were the result of “weaponised” requests via third party portals, such as Saymine and Privacy Bee.

As far back as July 2017 – ten months before GDPR came into force – a poll of UK adults by SAS showed nearly half (48%) were planning to activate new rights over their personal data, including forcing firms to reveal what data they held on them.

Overall, the DPN study shows majority of DSARs have been received from customers, although the report notes that employee-related DSARs can be the most difficult to handle.

And, it seems, the challenges of dealing with this onslaught are manifold, including being able to recognise a DSAR within the organisation, accessing all systems across the business, complex HR requests, the inclusion of email in searches and deciding what to redact and how to do it.

One information governance manager working in the public sector said: “DSARs are a nightmare, along with Freedom of Information requests. It seems there is always an ulterior motive, and I don’t think many people are actually interested in a copy of their personal data, they want to find something incriminating.”

Another respondent, who works for a charity, added: “Vexatious requests can be very onerous. Controllers need broader scope for rejection and to refine down the scope, plus criteria for when they can charge. In my view, the Information Commissioner’s Office should focus on helping controllers to manage complex and vexatious DSARs.”

Elsewhere, the report confirms what many in the industry have known for a while, that data breaches are now endemic.

Some 68% of organisations say they have suffered a data breach in the past year, although the severity varies enormously and a look at the breaches received and classified by the ICO shows it can extend from accidental disclosures, use of incorrect email recipients, through to large orchestrated phishing attacks.

But rarely have organisations suffered a single breach, for many the volumes are higher, and over 40% of respondents had experienced 11 or more.

Nearly half of respondents had also reported breaches to the ICO (or other data protection authority) in the past year.

Extrapolating ICO figures, which show a total of 9,921 breach incidents were reported to the regulator in the 12 months to June 2021, the report calculates there were near to 20,000 breach incidents in UK during that period, although questions whether there has been an element of over-reporting out of an abundance of caution.

A full copy of the report, which also covers team size, the adoption of technology, training and development and the thorny issue of data protection impact assessments, is available from the DPN website> 

Related stories
DPN guide aims to tackle thorny issue of data retention
Former Opt-4 team relaunch Data Protection Network
DPN joins calls for more urgency over GDPR guidance
GDPR zero hour: Now the hard work begins say experts
Data deletion tsunami claims blown out of the water
Fears grow as ‘millions plan to delete data under GDPR’
Firms face bombardment of data requests under GDPR