The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). This regulation becomes enforceable from 25 May 2018.
Edinburgh University have appointed a Data Protection Officer (DPO) to ensure the standards for compliance are met within the legislative timeline of 25th May 2018.
Following the DPO review of the Records Management team procedures and systems, it has been identified that there is a need to implement changes to the Freedom of Information (FOI) Publication Scheme Database to ensure compliance with GDPR. The change pertains to the Request Monitor functionality, in relation to how this information is requested, logged, monitored, managed and published.
In order to accommodate GDPR Subject Access Requests (a subject can be described as anyone, either internal to the organisation, a previous student, or anyone who believes that Edinburgh University have any personal information about them) and GDPR right to request, correct, erase, object and restrict data requests, the changes will involve the creation of two new request types and the redundancy of two existing request types within the Request Monitor. The current and 'to be' redundant categories need to run concurrently for a two-week period in support of business needs and, from 8th June, the redundant categories need to be searchable for audit and reporting business functions.
As this project is legislative, all key project documentation will be updated to ensure that key stakeholders are informed, due to the feedback from the relevant compliance programme to the GDPR regulatory body.
- Introduction of two request type categories for GDPR by 25th May 2018.
- Facility to maintain existing categories and new categories for a two week period during 'cutover' to accommodate 'delayed' requests, until 8th June.
- Redundancy of two of the existing request type categories on 8th June 2018.
- 'Search request ONLY' functionality for the two categories that GDPR will replace, for historical and audit purposes.
- Some guidance to the Records Management team in support of their UAT for each deliverable.
|Requirement||Current Request Types||New Request Types||
25th May to 8th June - Concurrent use of ALL categories
8th June Onwards - New GDPR Categories and search only of 'redundant' categories
New GDPR request type categories
Concurrent use of ALL categories for 2 weeks
Redundancy of 'old' categories.
Search facility of 'old' categories for reporting.
Out of Scope
- Fixing of any known issues.
- Replacement of the FOI Publication scheme Database.
- Update of business Processes and procedures to be completed by Records Management Team.
- UAT to be performed by Records Management Team.
Objectives and Deliverables
|O1||To ensure compliance with GDPR Subject Access Requests and 'GDPR right to correct/erase/object/restrict data', within the Freedom of Information (FOI) Publication Scheme Database, for the Records Management team by 25th May 2018.||Must||Sara Cranston|
|O1D1||Add new GDPR Subject Access Requests type option, within the Freedom of Information (FOI) Publication Scheme Database, allowing for calendar days and working days.||Must||Development Services/Production Management|
|O1D2||Add new GDPR functionality request type - GDPR right to correct/erase/object/restrict data, within the Freedom of Information (FOI) Publication Scheme Database.||Must||Development Services/Production Management|
|O1D3||To provide the administrative option to control whether the period is calendar or working days.|| ||Development Services/Production Management|
|O1D4||Support the Records Management team with UAT that will incorporate the new functionality and phases.||Must||Development Services/Production Management|
|O2||To ensure pre-GDPR categories can be searched and reported on for redundant requests, in support of management reporting and audit purposes.||Must||Development Services/Production Management|
To provide a facility to search and report on non-GDPR categories.
Given the number of GDPR-related projects within the Programme Portfolio, we propose an Agile approach, to ensure the key compliance work is developed well in advance. This will prevent the risk of delays from key project and development resources within Project Services and from Records Management Team resource issues, as defined in the Project Risk Log.
The benefits of this project are:
- Compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
- Edinburgh University registered as a GDPR compliant organisation.
- The Records Management team will be able to demonstrate their compliance to the requesting subjects and regulatory bodies.
The following are the success criteria for this project:
- The Records Management team can respond to the subject's GDPR requests.
- New GDPR Subject Access Requests are added within the Freedom of Information (FOI) Publication Scheme Database, for the Records Management team, with the option for the business to select response times in calendar days or working days.
- All categories can be selected as active or inactive, are searchable and can be reported on by the Records Management team.
|Target Date||Previous Date||Title||Stage||Complete|
|19-Jan-2018||No date available||Requirements Sign-off||Analyse||No|
|02-Feb-2018||No date available||Design sign-off Milestone||Execute||No|
|02-Mar-2018||No date available||Build Solution||Build||No|
|16-Mar-2018||No date available||User Acceptance Testing||Accept||No|
|23-Mar-2018||No date available||Integration Complete||Integrate||No|
|02-Apr-2018||No date available||End of Delivery Sign-off Milestone||Deliver||No|
|16-Apr-2018||No date available||End of Project Closure Stage||Close||No|