16 January 2018

GDPR could be used as a weapon against SMEs

The new General Data Protection Regulation (GDPR) could be used as a weapon against businesses by dissatisfied customers or protesters, says Collyer Bristow.

GDPR could cause business-critical issues for SMEs, according to law firm Collyer Bristow. Under GDPR, dissatisfied customers or activists could cripple an organisation by inundating it with requests for personal data from large groups of people. Under the new regulations, businesses must respond to all of these requests – known as Subject Access Requests – within 30 days, with very few exceptions.

Dangerous for SMEs

The resulting mountain of data collection would be particularly dangerous for SMEs, who will have no dedicated teams or staff and limited resources for handling these requests. Currently, a business can charge a fee of up to £10, which may provide some protection against most vexatious requests. It can also refuse to respond to a request if it would require “disproportionate effort” to deal with.

ICO investigation

However, under GDPR there is no right to charge a fee in every case, and it will only be possible to avoid dealing with these requests if they are “manifestly unfounded or excessive”. The scope of this exception is likely to be interpreted more narrowly. Failing to answer Subject Access Requests under GDPR without a valid reason could result in an Information Commissioner’s Office (ICO) investigation, as well as serious, potentially damaging fines. Collyer Bristow says businesses must ensure they are ready for the potential strain on resources following the introduction of GDPR. In addition, the government must put in place safeguards to prevent GDPR being used as a weapon by activists.

Potent weapon

Patrick Wheeler, partner at Collyer Bristow, says: 'It won’t be long before protesters realise that using GDPR is a potent weapon and threat - especially to small businesses. Following GDPR, Subject Access Requests will become free for the requester in almost all cases and there will be a shift in the balance of power from businesses to their customers and clients. Businesses are entitled to and should take sensible steps which may reduce the burden. Individuals can be asked to prove their identity through a passport or driving licence before being supplied with their data, and can ask for clarification where a request is particularly widely framed or complex. This may reduce the number of requests.'

Real damage

He added: 'If GDPR is weaponised successfully by protesters, the resulting influx of extra work could cause real damage to these companies. Firms must ensure they are absolutely ready for the new regulation, if they are to mitigate against this threat.'