The General Data Protection Regulation (GDPR) now being enacted throughout the European Union gives consumers new rights and powers regarding access to and use of their personal data by businesses. While those powers are intended for individuals, they create a unique opportunity for collective action.
Article 15 of the GDPR gives EU citizens the right to demand access to their personal data and a description of how it is being used. Upon request, the data protection officer of the company must provide an overview of the types of data being used, as well as a copy of the actual data, the purposes to which it is being put, who has access to it, and how it was acquired. This must be done within one month of receiving the request. Furthermore, Article 17 provides a right of erasure, meaning citizens can request erasure of all their personal data for a variety of reasons and can ask to never be contacted by that company again, barring a legitimate reason, such as execution of a contract.
On the individual level, these rights and requirements are harmless and work as the GDPR is intended: to provide greater control of privacy and security for EU citizens and their data. However, the legislation does not appear to consider what would happen if a large group of citizens were to coordinate their actions and make their requests at the same time. Data subject access requests cannot be ignored and are not supposed to be unduly delayed once received. The processing of these requests – a nontrivial task – can overwhelm a company's ability to comply, slowing its operations to a crawl while it processes them or subjecting it to significant fines if it fails to comply. In short, if enough people decide to act, they can effectively cripple a company, or at least some of its departments, by performing what is in effect a distributed denial-of-service attack.
Realistically speaking, it is unlikely that such a "consumer strike" will be at all common, as the effort required would probably be reserved for egregiously bad corporate behavior. There are enough cases where normal protests and boycotts have grown beyond a business's ability to tolerate, though, that such a scenario cannot be overlooked. Another consideration is that there does not appear to be any proof required on the part of the citizens that a company is using or accessing their data before they make a disclosure request, so mass actions can quickly grow to immense scope, whether they are based on legitimate complaints or not.
Marshall Lager, Senior Analyst, Customer Engagement