Strategic Vision:

The objective of Phase 2 of the GDPR project is to ensure that the University can demonstrate ongoing compliance with GDPR requirements and have ways of working and processes in place that reduce the risk of reputational and financial damage to the University due to non-compliance or significant data breaches. Work is focused on the following areas:

  • Completion of outstanding activities from phase one of the project including reviewing and updating the Information Asset Register and completion of the supporting action plans.
  • Ensuring staff awareness of their responsibilities and obligations under GDPR, including promotion of the mandatory Information Governance training that all staff need to complete by May 2019.
  • Implementing supporting arrangements that reduce the risk to individuals, the impact on the University's reputation and the risk of significant data breaches.

Latest Update:

Development of the Data Protection Champion (DPC) role

  • Identification and training of data protection champions across professional service areas to provide advice and guidance on GDPR issues at the local level.
  • Guidance prepared regarding the responsibilities of information asset owners.

Review of Information Asset Registers and Supporting Action Plans

Review and updating of information asset registers and supporting action plans is underway, including assessment of the possible impact of Brexit on the storage of personal data, e.g.:

  • Any personal data that is collected about EU citizens who are in the EU (and not the UK).
  • Any personal data that is stored in the US under the EU-US Privacy Shield.
  • Development of business rules for the management of complex information assets to ensure compliance with GDPR requirements.

Communication and Engagement

  • Promotion of the requirement to complete mandatory information governance (IG) training, the data breach reporting process and top tips for managing data when travelling and working in public places.
  • Targeted communications have gone out from colleges to academic colleagues to encourage IG training uptake, and reminders have also been sent to PGRs and students (via social media).
  • Content on the Information Governance website has been reviewed, with out-of-date material removed and links to relevant sites and information updated.
  • A new SharePoint site is in development which will contain specific information for data protection champions and information asset owners.

Researcher Support

  • Provision of template documents and updated data management plans (which now incorporate requirements for data protection impact assessments) via Data Management Plan using DMP Online.
  • Provision of GDPR training to ethics committees and research groups.
  • Close working with the Open Research Operational Group to coordinate messaging to academics regarding the management of all research data, including personal data in line with the Research Data Management policy.

Next steps:

  • Communication and engagement: promotion of Data Protection Champions and mandatory IG training and development of website.
  • Guidance and information: IG website and SharePoint site development, publication of updated IT security policies and Information Asset Owner guidance.
  • Information asset management: continue review of information asset registers and supporting action plans, develop supporting business rules.
  • Training and development: Data Protection Impact Assessment (DPIA) training to DPCs, Strategic Delivery Unit staff and Exeter IT Business Partners.

Sponsor: Chris Lindsay, Director of Compliance, Governance and Risk
Project Manager: Tara Studholme-Lyons | x5080