The College engaged ReganStein to assist them towards GDPR compliance across their various schools, departments and administrative units.
The College is facing several challenges when it comes to data protection and working towards compliance. The scale and complexity of the work involved necessitated engaging outside assistance and expertise to guide them on the road towards compliance.
The objectives of the project are:
✔ Provide the DPO and team with specialist training and knowledge in areas related to data protection (protected disclosures).
✔ Provide clarity around the legal basis for holding data assets.
✔ Create a process for identifying ‘gaps’ in compliance and producing a remedial plan, plus the creation of Article 30 records (records of processing activities). It is important that this process can be replicated as it allows the College to continue with this necessary work after we have finished our assignment.
✔ Additionally, we are conducting a protected disclosures (whistleblowing) workshop for the DPO and staff to provide them with the knowledge and skills to write appropriate policies and deal with a protected disclosures situation. In addition, our expert legal researcher has conducted comprehensive research into the intricacies of the legal basis for holding personal data by the College. From this research, we have created a ‘Plain English’ guidebook for the College to act as a reference document going forward.
We use the following methodology when working with each College unit:
1. Distribute and collect a data protection survey – this is used as a basis for our discussions and is an invaluable tool for a first view of GDPR compliance/awareness levels within the unit.
2. Meetings with units – we may have to conduct 1-3 meetings with each unit depending on the scale of their data processing/controlling and their level of GDPR compliance maturity. At these meetings we also listen to their concerns and provide advice.
3. Analysis of Data – all the data that was gathered from the survey and the meetings with units is then analysed and a ‘gap analysis’ is performed. This analysis is then converted into prioritised and actionable plans to help the unit work towards greater compliance. We also produce comprehensive Article 30 Records (as far as is practicable), including identification of legal basis for holding data.
4. Feedback – when all the documents are complete, they are presented back to the unit and the DPO, and a full discussion takes place around the action plan and Article 30 records. They are then handed over to the unit/DPO for future action.
At the end of the process the following is produced per unit:
- Data asset capture document including Article 30 processing records
- Legal basis for holding data per data asset
- Data protection gap analysis per unit
- Data protection action plan per unit