Overview
Background
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the rules within the EU. When the GDPR takes effect it will replace the Data Protection Directive (officially Directive 95/46/EC)[2] of 1995. The regulation was adopted on 27 April 2016 and becomes enforceable from 25 May 2018, after a two-year transition period. Unlike a directive, it does not require national governments to pass any enabling legislation; it is directly binding and applicable.
The University of Edinburgh has appointed a Data Protection Officer (DPO) to ensure that the compliance standards for the electronic sharing of files and secure sign-in are met within the legislative deadline of 25 May 2018.
Following the DPO's review of the Records Management team's procedures and systems, a need has been identified for a technical solution that allows requesters' data to be issued both securely and electronically, in line with the GDPR (the relevant ICO guidance is attached to this document, ref: \gdpr electronic sharing of files and secure sign-in).
Under the current procedure the University may provide data electronically as one option among several. The GDPR removes that choice: the data must be provided electronically, and it must be provided securely.
Current electronic solution: Adobe Acrobat Professional, which encrypts PDFs with 256-bit AES. Where password security is used, the protection is only as strong as the password chosen and the channel used to share it, so the password must reach the requester separately from the file (never in the same email as the attachment).
Delivery methods: 1) burned to CD and posted to the requester via a 'special delivery' postal service; 2) sent to the requester as an email attachment; or 3) paper copies sent by post, in compliance with the current legal obligations.
GDPR-compliant solution requirements:
1 As a minimum, sensitive personal data must be encrypted when it is sent to requesters outside the University (GDPR Article 32 names encryption as an appropriate technical measure).
2 The data must be sent electronically.
Considerations for the technical solution:
1 SharePoint is the preferred solution, in line with the University core systems strategy guidelines.
2 Other solutions will be explored should SharePoint be deemed unsuitable for the business users' requirements or the core systems strategy.
As this project is driven by legislation, the solution needs to be fully deployed before 25 May 2018, when the GDPR becomes enforceable.
Scope
In scope
- Determine a suitable, simple solution for the secure electronic provision of data to persons within the University and to any external requesting person(s), by 25 May 2018.
- Assist the Records Management team with UAT in support of their adoption of the new solution and functionality.
- Train the trainer: show the key business representative how to use the new functionality, if required.
Out of Scope
- Business processes for the adoption of the new solution and functionality.
- Training the Records Management Department on the new technical solution.
- Training materials for the Records Management Department.
Objectives and Deliverables
| Phase | No | Description | Priority (MoSCoW) | Owner |
|---|---|---|---|---|
| | O1 | To ensure personal and sensitive data can be issued to the requester via a secure, encrypted method, in line with GDPR standards and policies. | | Sara Cranston |
| | O1D1 | Evaluation of existing encryption facilities, with recommendations. | Must | Business Analyst/Development Services/Production Management |
| | O1D2 | Provide a secure scanning and uploading method and an encryption tool, if deemed necessary. | Must | Business Analyst/Development Services/Production Management |
| | O2 | To ensure personal and sensitive data can be issued to the requester in an electronic format. | | Sara Cranston |
| | O2D1 | Provide a SharePoint solution in line with the core systems strategy, as a first step in the analysis. | Must | Business Analyst/Development Services/Production Management |
| | O2D2 | Assess alternative solutions, should SharePoint be deemed not to be the best solution. | Must | Business Analyst/Development Services/Production Management |
| | O2D3 | Support the Records Management team with UAT incorporating the new functionality. | Must | Development Services/Production Management |
| | O2D4 | 'Train the trainer' for the appointed business representative on the new technical solution, should this be required. | Must | Development Services/Production Management |
Benefits
The benefits of this project are:
- Compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
- Edinburgh University recognised as a GDPR-compliant organisation.
- The Records Management team will be able to demonstrate its compliance to requesting data subjects and to regulatory bodies.
Success Criteria
The following are the success criteria for this project:
- The Records Management team can respond to any requester of data both electronically and securely.
- Recognition of the University's compliance by the regulator.
Project Milestones
| Target Date | Previous Date | Title | Stage | Complete |
|---|---|---|---|---|
| 12-Jan-2018 | 15-Dec-2017 | Planning complete - Review timescale | Plan | Yes |
| 31-Jan-2018 | No date available | Requirements Complete | Analyse | No |
| 23-Feb-2018 | No date available | Design sign-off complete | Design | No |
| 26-Mar-2018 | No date available | Build sign-off review | Build | No |
| 09-Apr-2018 | No date available | Integration Complete | Integrate | No |
| 14-May-2018 | No date available | User Acceptance Testing Complete | Accept | No |
| 21-May-2018 | No date available | Acceptance Milestone Completion | Design | No |
| 28-May-2018 | No date available | Delivery | Deliver | No |
| 11-Jun-2018 | No date available | Deployment Sign-off - stage complete | Execute | No |
| 25-Jun-2018 | No date available | Closure complete | Close | No |
