Could the Data Subject Access Request (DSAR) become the new Denial of Service attack for businesses?

Data Subject Access Requests (DSAR) will be free under GDPR

Unlike under current UK legislation (the DPA), under the GDPR responses to Data Subject Access Requests (DSARs) must be provided free of charge in most cases. Whilst this is a good thing for data subjects, it could lead to some unintended consequences for data controllers…

DSAR, Data Subject Access Request or Denial of Service Access Request?

Distributed Denial of Service (DDoS) attacks strike fear into the heart of anyone responsible for the online presence of a business, as they can take businesses offline for hours, days or even weeks. They disrupt an online presence by keeping web servers so busy with network requests that they are unable to serve web pages or Internet resources to legitimate users.

DDoS Attacks

A DDoS attack typically affects Internet-facing IT systems and can tie up IT resources and back-end systems, depending on how closely integrated they are. However, it would not necessarily affect internal systems such as sales and marketing, HR, IT Service Management, accounts or payroll.

Denial of Service Access Requests

With the arrival of the GDPR next year, there is now the potential for a DDoS-type situation that could affect many business areas.

DSAR or Data Subject Access Request in relation to the GDPR could be the new DDoS.

A Data Subject Access Request, or more likely Requests, might tie up business resources in much the same way. They could become Denial of Service Access Requests.

Coordinated DSARs

With a Denial of Service Access Request, many data subjects, actual or possible, real or fake, could coordinate through popular social media or less obvious platforms to make one or more requests for data that may or may not exist.

Even for a large organisation with robust processes and automated systems for dealing with Data Subject Access Requests, the likely impact of huge numbers of requests coming in all at once or over a prolonged period could be huge, causing excessive workload for the staff and systems dealing with the requests.

This phenomenon will not be restricted to large corporations. In fact, the smaller an organisation, the greater the impact is likely to be, as it has less spare capacity to deal with requests.

How many access requests could your business deal with before it starts to impact staff and resources?

To be prepared you could take some simple steps, for example:

Knowing what data you hold
Where that data is
How to get access to it
What can be provided to data subjects
How to log requests

But don’t be fooled: unless your DSAR process is automated or you have very clear processes and procedures, anticipate someone in your organisation potentially spending ever-increasing amounts of time dealing with DSARs.
In a future post we will look at how you might go about mitigating a flurry of requests, real or fake. Keep up to date with our blog by subscribing to our RSS feed or following us on LinkedIn.

The information provided in this post is for general information only and is not intended to provide legal advice.

© GDPR Auditing 2017.