skip to main content
Close Icon We use cookies to improve your website experience.  To learn about our use of cookies and how you can manage your cookie settings, please see our Cookie Policy.  By continuing to use the website, you consent to our use of cookies.
Global Search Configuration

Ovum view


The General Data Protection Regulation (GDPR) now being enacted throughout the European Union gives consumers new rights and powers regarding access to and use of their personal data by businesses. While those powers are intended for individuals, they create a unique opportunity for collective action.

A new form of boycott can paralyze noncompliant businesses

Article 15 of the GDPR gives EU citizens the right to demand access to their personal data and a description of how it is being used. Upon request, the data protection officer of the company must provide an overview of the types of data being used, as well as a copy of the actual data, the purposes to which it is being put, who has access to it, and how it was acquired. This must be done within one month of receiving the request. Furthermore, Article 17 provides a right of erasure, meaning citizens can request erasure of all their personal data for a variety of reasons and can ask to never be contacted by that company again, barring a legitimate reason, such as execution of a contract.

On the individual level, these rights and requirements are harmless and work as the GDPR is intended: to provide greater control of privacy and security for EU citizens and their data. However, the legislation does not appear to consider what would happen if a large group of citizens were to coordinate their actions and make their requests at the same time. Subject data access requests cannot be ignored and are not supposed to be unduly delayed once received. The processing of these requests – a nontrivial task – can overwhelm a company's ability to comply, slowing its operations to a crawl in order to process them or subjecting them to significant fines if they fail to comply. In short, if enough people decide to act, they can effectively cripple a company, or at least some of its departments, by performing what is in effect a distributed denial-of-service attack.

Realistically speaking, it is unlikely that such a "consumer strike" will be at all common, as the effort required would probably be reserved for egregiously bad corporate behavior. There are enough cases where normal protests and boycotts have grown beyond a business's ability to tolerate, though, that such a scenario cannot be overlooked. Another consideration is that there does not appear to be any proof required on the part of the citizens that a company is using or accessing their data before they make a disclosure request, so mass actions can quickly grow to immense scope, whether they are based on legitimate complaints or not.


Further reading

GDPR and the Critical Importance of Locating Personal Data, IT0014-003324 (August 2017)

"Fines aren't the only penalty awaiting businesses under GDPR," INT002-000049 (December 2017)


Marshall Lager, Senior Analyst, Customer Engagement

Recommended Articles


Have any questions? Speak to a Specialist

Europe, Middle East & Africa team: +44 7771 980316

Asia-Pacific team: +61 (0)3 960 16700

US team: +1 212-652-5335

Email us at

You can also contact your named/allocated Client Services Executive using their direct dial.
PR enquiries - Email us at

Contact marketing -

Already an Ovum client? Login to the Knowledge Center now