The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).  This regulation becomes enforceable from 25 May 2018.

Edinburgh University have appointed a Data Protection Officer(DPO) to ensure the standards for compliance are met within the Legislative timeline of 25th May 2018 are met.  

Following the DPO review of the Records Management team procedures and systems, it has been identified that there is a need to implement changes to the Freedom of Information(FOI) Publication Scheme Database to ensure compliance of GDPR. The element of Project change pertains to the Subject Access Requests for information service.  The current process within the Records Management Team is to "respond to the subject access request via the same channel that the request was received, wherever possible.  Should the response be required electronically, and is large, this is saved and encrypted using Adobe Acrobat professional 256 AES, but otherwise, paper, CDROM and email are the usual routes.  From 25th May, GDPR Legislation prevents any personal data response to be issued by any other means other than electronically with assured security.

Initial analysis has explored SharePoint as a solution to ensure compliance, whilst a strategic University solution is still under review.  Further analysis and alternative solutions will form part of the Project Analysis stage of the Project and proposed to key stakeholders within the Records Management Team, UoE DPO and Information Services Group.

As this Project is legislative, all key project documentation will be updated to ensure that key stakeholders, such as UoE DPO are informed due to the feedback from the relevant compliance programme to the GDPR Regulatory body.

The project will deliver a method for providing information electronically and securely to requestors (including members of the public) making a request to the University, to satisfy the GDPR legislation(Article 15, section 3) "Where the data subject makes the request by electronic means, and, unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form".


In Scope

  • A simple, electronic data sharing provision, with a focus on SharePoint as a solution, that will share large files. 
  • Alternative electronic data transfer solution to be explored and proposed, should SharePoint be deemed insufficient.
  • Confirmation that the existing Adobe Acrobat Professional, standard 256AES will suffice and if not, explore other alternatives.
  • Encryption for internal university requests and external, confirm any differentiation.
  • Some guidance to Record Management team in support of their UAT for each deliverable.
  • Access limitations to be agreed for each request.

Out of Scope

  • Mapping of current K drive documentation to the new solution.

  • Replacement of the FOI Publication scheme Database.

  • Existing operational support activities and service levels remain as the current.
  • Business Process changes and communications, such as requests via paper, email or spreadsheet.

  • existing metadata and retention schedules remain.
  • Basic solution that meets GDPR Legislation will be delivered.
  • Verification procedures remain with existing Business Processes.
  • User Guidance will be provided by the Records Management Team.

Objectives and Deliverables


Phase No Description



  O1 To ensure compliance of GDPR Subject Access Requests within Freedom of Information(FOI) Publication Scheme Database, for the Records management team by providing an electronic solution to enable a response to the Subject. Must Sara Cranston
  D1 Provide an electronic medium to facilitate the Records Management Team response to any Subject that has requested Sensitive personal information. Must Development Services
  D2 Ensure data  is encrypted and secure to meet the GDPR Legislation(Article15, section 3) standards. Must Development Services
  D3 Support Records management team with UAT. Must Development Services/Production management/Business Analyst











Given the number of GDPR related Projects within the Programme Portfolio, we Propose an Agile approach to delivery in order to prevent risk of delays of Records Management Team resource issues, as defined in Project Risk Log, together with any delays in decisions from the CIO or DPO.  This method will allow the IT Development Resources to be allocated and progressed, albeit there may be a need to make some changes to ensure that the GDPR Legislative guidelines are met.



The benefit to this project are:

  • Compliance of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
  • Edinburgh University registered as a GDPR compliant organisation.

Success Criteria

The following are the success criteria for this project:

  • The Records management team can respond to the subject's GDPR Access request via an electronic and secure medium.
  • Subject Access Data can be delivered electronically to subject requestor.
  • Subject Access Data demonstrable encryprion of data.

Project Milestones

Target Datesort descending Previous Date Title Stage Complete  
12-Jan-2018 15-Dec-2017 Planning complete - Review timescale Plan Yes


31-Jan-2018 No date available Requirements Complete Analyse No


23-Feb-2018 No date available Design sign-off complete Design No


26-Mar-2018 No date available Build signoff review Build No


09-Apr-2018 No date available Integration Complete Integrate No


14-May-2018 No date available User Acceptance Testing Complete Accept No


21-May-2018 No date available Acceptance Milestone Completion Design No


28-May-2018 No date available Delivery Deliver No


11-Jun-2018 No date available Deployment Sign-off - stage complete Execute No


25-Jun-2018 No date available Closure complete Close No



Project Risks

Ref Title Initial Risk Current Risk Status Management Approach Risk Owner Date of Last Review  
1  Availability of Applications Division Resources  GREEN  GREEN  Open  Reduce  Morna Findlay 13-Dec-2017


2  HR digitisation Project  GREEN  GREEN  Open  Reduce  Morna Findlay 13-Dec-2017


3  SharePoint as a Strategic Technical Solution may not be viable for  GDPR  AMBER  GREEN  Open  Reduce   Morna Findlay 21-Dec-2017


4 Need for increased Budget  AMBER  GREEN  Open  Reduce  Martin Jones 14-Dec-2017


5 Scope creep  GREEN  GREEN  Open  Reduce  Morna Findlay  


6 Solution may not be GDPR compliant  GREEN  GREEN  Open  Avoid  Renate Gertz  


7 Volumes may not reflect GDPR expectations  GREEN  GREEN  Open  Reduce  Megan   Graham  


8 Scope and scale of the various Types of media is unknown  GREEN  AMBER  Open  Retain  Sara Cranston 19-Dec-2017


9 Solution may not be delivered by 25 May deadline  GREEN  GREEN  Open  Reduce   Megan Graham 21-Dec-2017



Current project status

Report Date RAG Budget Effort Completed Effort to complete
July 2018 BLUE 115.0 days 105.0 days 0.0

Project Info

Electronic Sharing of Responses for GDPR
Student Services (STU)
Management Office
Project Manager
Morna Findlay
Project Sponsor
Sara Cranston
Current Stage
Start Date
Planning Date
Delivery Date
Close Date
Programme Priority
Overall Priority

Project Dashboard

Change dashboard

Nothing to report.