This editorial was originally published on Mar 28, 2018. It is being re-published as Steve is at DataGrillen.
I'm not sure if this imaginary GDPR letter is a nightmare, but I do know that in most of the organizations where I've worked, this type of request would result in a crash project for me. I'd be working long hours, contacting lots of people and trying to manage a complex spreadsheet of information about an individual. I'd like to think that I'd compile this information in a general sense to understand our data better and anticipate future requests, building a process that I could repeat, but I know that under pressure that might not always happen. I'm sure I'd grab some data without capturing and saving the metadata or query. I'd probably have to perform duplicate work when the next request came in.
GDPR enforcement begins in a couple of months, and organizations receiving this type of letter will have 30 days to respond. Companies can also charge a reasonable fee based on administrative costs for information requested. The fee that's reasonable for getting a few of these letters a month might not be sufficient if hundreds or thousands of individuals start requesting this information, and I'm sure companies and authorities will be arguing about the rates.
With the focus on privacy in the media, and the regular mishandling of data by companies, I wouldn't be surprised if there are going to be large numbers of requests by individuals. In fact, I wouldn't be surprised if there are scripts or applications being built now to make it easy for lots of individuals to ask companies for this information about their data processing.
Really, all of this information should be documented, and any decisions made about securing sensitive data should always be followed. Any organization should know how it handles data, where it's stored, and how it's secured. This is just practical and good administrative practice. The items about how data is processed and used are good business knowledge points. After all, should we be processing data without some justification for the resources involved? I think too often a company decides to implement some process without evaluating if it makes sense in the context of their mission. If it does, we should know why it does and be able to measure that. If it doesn't, we ought to stop.
If you do business in the EU or with EU citizens, you might wish to start ensuring you have a way to export the information requested in this letter. Being prepared for some of these items might make it much easier to respond to any or all of these requests.
Whether you think this might happen to your organization or not, you might want to just save a copy of this letter. I know I will, with the idea that I might send this off to companies that store my data. Knowledge can help me protect myself by being aware of what's being done with information related to me. If there are issues, having this information might help ensure my rights are protected. I'll also be sure that I have a form letter to ask for removal of information. I've felt this wasn't possible in the past, but at least in the EU, where I regularly travel, I can exert some control over my data.