You are at the end of a long day, just about to turn in for the night. You do one last check of your inbox for any sign of a reported security incident. Suddenly you are aghast: the new email count in your inbox registers over 9,000 new emails! You quickly scan to fathom what on earth has happened… All the emails come from the same sender, and the subject lines all declare they are SAR (Subject Access Request) requests. Looking closer, you note the emails include personal information, state that “so-and-so” wants to exercise a privacy right, and reference different privacy laws. Laws you know require you to reasonably address privacy requests, with penalties should you fail to address a request in good faith and in a timely manner.

While I hope you never experience 9,000 requests in one hit, people seem to be increasingly relying on third parties and apps to facilitate their privacy rights. Indeed, some third-party portals are actively encouraging people to use their services. Once your organisation is identified, you are likely to receive requests from the third party’s entire user base, all delivered to the email address published in your privacy statements.
Let’s explore this trend in more detail and give you a glimpse of how to tackle the SAR-bomb experience.
With the individual’s mindset front and centre, let’s shift attention to some of the considerations specific to being SAR-bombed. Time is of the essence, and you need a systematic approach to establish whether you will deny, partially comply with, or fully comply with each request.
- Get your arms around the situation
- Create a structured dataset
- Include key details within your structured dataset
- A set of questions relevant to developing your strategy
- Create records to demonstrate your reasonable efforts
You’ve been SAR-bombed! by Chris Field on the Data Protection Network