We spoke to a small selection of the University’s GDPR Working Group to find out how they have approached this complex ruling.
Professor Simon Cox, Chief Information Officer, iSolutions
“I’m the University’s Chief Information Officer and Chair of the GDPR working group. It’s excellent to see the collegiate way in which groups across the University have come together on this initiative to ensure that we continue to look after our precious data appropriately.”
Sara MacDonald, Head of Student Systems and Operations; Assistant Director of Student and Academic Administration
“Within the University we handle and process a lot of personal and sensitive student information. Staff can also download their own data from systems like Banner and WebSIS, store locally and share with other colleagues. To ensure that we are GDPR compliant, we all need to update our daily working practices and procedures. This means making sure that we process data in line with our privacy statement and, for example, that when we share data we share it securely and we delete it when we no longer need it.
“My team will be implementing retention schedules and providing guidelines for staff on how to process and manage data. Our challenge will be ensuring that all staff who handle the data are aware of the guidelines and processes, and comply with them.”
Sarah Howes, Associate Director, Office of Development and Alumni Relations
“With over 225,000 alumni and supporters, we take data privacy very seriously. We want our alumni to know that we hold their data to continue to develop a relationship with them after their studies have finished, such as updating them with University news, keeping them connected with our community and asking them to support our fundraising campaigns. ODAR have adopted new Privacy Notices, which outline what data we hold and why we hold it. Our alumni and supporters will receive that information so that they are informed and can object to any data processing.”
Tom Docherty, Internal Communications Officer, Communications and Marketing
“My role has been to help communicate to staff the impact of GDPR and the importance of safeguarding University data. One of the key things to remember is that GDPR does not stop on 25 May – it really is just the beginning and we need to make GDPR compliance part of everyday life.”
Alison Knight, Senior Legal Adviser; and Frances Teding Van Berkhout, Senior Paralegal, Legal Services team
“The Legal Services team has been working on getting the University ready for the GDPR for nearly a year now. We have helped to develop and review the information asset registers, enabling the University to record the personal information it holds and to assess its compliance with the GDPR.
“We also provide training and advice to staff on what they can do to get ‘GDPR ready’. We have drafted a number of resources, including privacy notices, consents and checklists to support them. The engagement of staff and their willingness to be involved has been fantastic. We are now drafting a University-wide data protection impact assessment template, a records retention schedule and are updating existing policies.”
Kevin Shaw, Head of Information Security, iSolutions
“As Head of Information Security, it’s my job to establish what ‘good practice’ is with regards to the legislative data security requirements of GDPR. I initiated the GDPR Working group to identify the extent of the data held across the University and who has access to it. I’m also engaging with academics and professional services to explain how GDPR will affect them and work towards compliance. I see GDPR as a positive enabler for information security, ensuring that the rights and freedoms of individuals are protected.”
Margaret Eddo, Project Manager, Legal Services
“This project has been a challenging one, requiring some changes in the way we look after personal data at the University. The clear direction given by the GDPR Working Group has facilitated the progress of the project, and, with the University community increasingly aware of its responsibilities regarding personal data, this should ensure ongoing progress towards GDPR compliance.”
Read more about GDPR here.
If you have not already done so, please undertake the University’s introduction to GDPR training course. This course can be accessed here.