GDPR Compliance

The request was successful.

Dear University of Exeter,

I am writing to you under FOI to establish your state of readiness for GDPR.

To this end I would be grateful if you could supply me with the following information that you may hold in connection with your GDPR compliance program:

1. Data Mapping
a. Information on the tools used to capture data for the personal data mapping exercise (e.g. questionnaires/spreadsheets etc.) and a copy of the associated outputs (can be redacted)

b. The process/template for complying with the records of processing activities and data flow maps/diagrams and any other products/outputs of the data mapping exercise.

2. Gap Analysis
a. Copies of any tools used to assess any shortfall or gaps in processing vis a vis GDPR.
b. The gap analysis report and any other products/outputs of the gap analysis exercise.
c. A written description of how the Gap Analysis was completed

3. Project Plan
a. A copy of your GDPR project Plan and Gantt chart or equivalent.
b. Any formal reports (be that to management, your IG steering group and senior GDPR oversight group or equivalent and Committee/Executive) on GDPR.
c. A copy of your Information Governance Structure
d. A copy of your actions log where applicable

4. Outsourcing
a. A copy of an updated GDPR compliant contract issued to data processors or 3rd parties (can be blank) and written instructions for processing.

5. Solutions
a. Details of other potential processing solutions devised or identified either by the organisation or in collaboration with other partners to meet the following controls:
Encryption
Pseudonymisation
Portability
Erasure
Breach Notification within the 72 hour time limit

6. Documentation
a. a copy of your data protection strategy and/or policy
b. a copy of your DPO JD and Person Specification
c. A copy of your accountability framework plan
d. a copy of all procedures or processes relating to the Information Rights of Data Subjects under GDPR. Specifically:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
e. A copy of your fair processing notice
f. A copy of your privacy by design checklist
g. A copy of your information security incident response plan:-
i) as it stands today
ii) any plan that has been devised to deal with mandatory breach notification under the GDPR

If any of this information is already accessible online it would be very helpful if you could supply a hyperlink to the location.

I am anxious to minimise the work involved in responding so please let me know if there are any modifications I can make to the request which will help avoid unnecessary effort or duplication.

Yours faithfully,

Gloria Smythe

Data Protection & Freedom of Information, University of Exeter

Dear Gloria,
Thank you for your Freedom of Information Request. Your reference number is 2017185.
We will issue a response in due course.

Yours Sincerely

Dan Bristow
Information Governance Officer
University of Exeter
Lafrowda House
St Germans Road
Exeter
EX4 6TL
01392 723033


Data Protection & Freedom of Information, University of Exeter

3 Attachments

Dear Gloria,
Please find attached the University's response to your information request.

Yours Sincerely

Dan Bristow
Information Governance Officer
University of Exeter
Lafrowda House
St Germans Road
Exeter
EX4 6TL
01392 723033
