CIOs may also be asked to facilitate the process for identifying what "high risk" data processing is carried out by the business. High risk processing includes profiling and systemic large scale monitoring of publicly accessible areas (e.g. CCTV). Once this type of processing is identified, a mechanism should be designed to flag it for a data protection impact assessment (DPIA) before any processing begins. CIOs should ensure that their teams know to check with relevant business leads that a DPIA has been carried out if they are asked to conduct any high risk processing.
CIOs should ensure that they feed into new procedures for dealing with individual requests to ensure that these can be dealt with efficiently. CIOs should identify the number and scale of subject access requests made in previous years, in order to design a process to handle future requests - and note that timing will be tight: subject access requests and individuals' requests to "port" their personal data to another organisation should normally be handled within a month. The procedures also need to cover how a request for erasure will be dealt with - and in what circumstances third parties (e.g. search engines) will be contacted to delete data.
Data security breach response procedures should be updated. The days of voluntary reporting are gone. As a rule of thumb, breaches must be reported to the ICO within 72 hours, unless the breach does not expose individuals to risk.
EU GDPR verdict
GDPR preparation involves a time-consuming review of data processing activities and policies, but is already helping to embed data privacy within business culture. The idea is that one day soon it will become second nature.
Sign up for Computerworld eNewsletters.