[fuscy]

This letter is interesting.. and paints a bleak future.

What is stopping someone who wants to make easy money (like me) from going on Fiverr and selling my GDPR request letters?

Example: 5$ for 5 (could be anything) GDPR request letters to any company of your choosing?

This way, a malicious actor can buy thousands of GDPR requests and DDoS anyone but big companies like Google.

The cherry on top is that they have 1 month to comply so after they remove the information, I can simply repeat the process after the time limit. So they will eventually have to implement some kind of banning process which will affect their FTUE/onboarding giving the competition an advantage.

I bet this is the most basic idea that will appear in the blackhat world where they can probably poison the data compliance of various companies so that their services get shuttered.

[majewsky]

> This way, a malicious actor can buy thousands of GDPR requests and DDoS anyone but big companies like Google.

FWIW, request letters like this have been possible in Germany for multiple decades, and I haven't heard of any DDoSing of companies yet. Here's a representative e-mail template whose lineage goes back to 1998:

German: http://www.ulm.ccc.de/old/chaos-seminar/spam/spam-bsdg-auffo...

English: https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...

I have sent similar letters in the past and always received prompt answers.

[CJefferson]

I hope people do send lots of GDPR requests. I plan on doing so myself.

The answer is very simple. You should have a simple automated one-click method of knowing where all data relate to each user is, and an automated way of clearing it all. Job done.

[fuscy]

My "business" idea would probably last until the tech stack catches up. At this moment there is no easy way to handle this request for a simple helpdesk clerk without involving some pricier jobs.

Even with the tech, it still requires a human (for now) to read the request, understand it and process it.

Perhaps the future is AI interpreting the request and doing all the operations automatically or providing the client with a panel that can do all of these without having to contact the company.

[qw]

I guess there is nothing that restricts the amount of information you can send. Why not just document everything and refer to that instead? Is there anything in GDPR that states you need to give a specific answer tailored to the individual customer?

[fuscy]

The easy part is providing the information about how the data is used because it's do once, reuse always. Just refer to a document.

The hard part is the right to be forgotten which requires the company to remove all information that pertains to a person. The tech stack still has to implement some stuff here in order to reduce costs and make it easier.

Having to contact your database administrator because you can't delete something without leaving dangling information all over is bad tech implementation which will probably require a huge rework for some companies.

I wonder how you can send the information to the client. If you use GMail then GMail will also know the personal information (they used to read your emails.. good stuff).

[tooba]

Subject access requests have existed for twenty years in the UK. The Information Commissioner's Office provides free guides on how to request data. Most people aren't aware of their right to do this. Organisations can charge under the current legislation but often don't.

A lot of organisations forget to discuss the scope of a subject access request. If you imagine an employee at an average company, an undefined subject access request can include months or years of pension contributions, internet and email logs, training records, meal choices for their end of year party... if their issue is a recent performance review, the scope will often be email chains or HR documentation relating to that. The incentive for them is that they can often have the data they're interested in a short space of time rather than wait longer for pages of data they've got no need in. If you do this, make sure it's a genuine conversation with them and it's documented as to the scope they agreed.

Remember that right to be forgotten isn't an absolute right especially where you're relying on basis other than consent. If you ask your employer to erase all data about you, they'd have an argument under 17.1.a. to argue that it's necessary to keep that information in order to pay you. Nor can you ask the police or tax office to erase your data.

[MattBearman]

Although this is a risk, it has been somewhat accounted for in GDPR:

(from ico.org.uk - https://ico.org.uk/for-organisations/guide-to-the-general-da...)

"Can I charge a fee for dealing with a subject access request?

You must provide a copy of the information free of charge. However, you can charge a 'reasonable fee' when a request is manifestly unfounded or excessive, particularly if it is repetitive.

You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests."

[bennyp101]

The regulation doesn't specify how a Subject Access Request is delivered, they encourage you to send it in writing, but it doesn't have to be.

As a business, you cannot dictate how or where your customers/employees submit a SAR, so you need to be ready to pick up on the fact that it could be asked anywhere.

So it is actually worse, because you need to train all staff up to recognise a SAR in all areas that you communicate with customers.

[piaste]

This idea smells of 'one weird trick lawyers HATE'.

I'd be very surprised if a court saw nothing wrong with spamming otherwise-legal requests nonstop every month, in exchange for monetary payment by a third party to boot. I imagine it could easily fall under harassment, or abuse of the court, or some other misdemeaner with sufficient leeway to interpretation (which it would be totally appropriate to apply).

Also, consider that the fact that they are GDPR requests isn't really germane to your idea. Surely there already exist some kind of requests that a customer can legally submit to a company and which can be individually burdensome to answer - perhaps specific to a particular sector, say banking, medical, or insurance. Yet I am not aware of anybody trying this particular route to cripple their competitors.

Another thing, say that the company being spammed stops responding to those malicious requests. Nothing is gonna happen unless you actually file a complaint against them for not responding, and you probably aren't going to do that for a few dollars, especially when you know you are acting in very far from good faith.