There’s nothing like a data subject access request to force an inter-departmental huddle. For U.S.-based DPOs, the exercise may feel a bit like responding to a litigation discovery request. Access to what personal information is gathered and how it’s used is one of the fair information practices, already obligatory under member state law implementing the EU Data Protection Directive, so for seasoned European privacy professionals there may be only modest adjustments needed to an existing SAR policy to conform to the EU General Data Protection Regulation before the May 25, 2018, deadline. For those tackling these rights anew in preparation for the GDPR, however, it is a conceptual and operational challenge. Still, in this post for DPO Confessional, IAPP DPO Rita Heimes, CIPP/US, CIPM, notes, "the exercise of developing a SAR response protocol has positive side effects, including increased collaboration throughout the organization and a deeper organization-wide appreciation of what privacy fundamentally means."