SARs Attack

Could you cope with an outbreak?

We’re not talking SARS here, the deadly viral respiratory illness, but the equally threatening mass SAR (Subject Access Request) that could seriously test your GDPR credentials and damage the reputation of the organisation. Much like a DDoS attack, a wilful group could instigate a sizeable number of requests to be made simultaneously by your customer base, sending your data handling systems into overdrive.

Here’s a reminder: if you’re processing someone’s personal data, they have the right under Article 15 of the GDPR to ask you for the following:

1. A copy of the personal data undergoing processing
2. Purpose of processing
• In particular, whether automated decision-making or profiling takes place and, if so, the logic involved, the significance and the likely consequences of such processing
3. Categories of data processed (e.g., name, address, online browsing behaviour)
4. Any third-party recipients of this personal data, both backward and forward looking, especially recipients in third countries (i.e. countries outside the EU)
• What safeguards are in place to protect the data being transferred
5. Any third-party sources of the data subject’s personal data (i.e. data not collected from the data subject directly, for instance purchased from another source that previously collected it directly)
6. How long such personal data will be stored or, if that cannot be determined, the criteria used to decide the length of that period
7. The existence of the rights to:
• Rectification
• Erasure
• Restriction of processing
• Objection to processing
• Lodge a complaint with a supervisory authority

Now multiply that by a thousand requests per day, for instance, and you get a sense of the threat. Of course the likelihood of that happening is remote, but the risk of huge financial penalties under the GDPR for failing to provide that information promptly and free of charge means you cannot afford to be unprepared.

The better the systems you have in place to deal with such requests, and the better the quality of the data you hold, the less likely your organisation is to catch a cold if an outbreak occurs.

