GDPR Champion Network
As part of the Spotlight Series, Emma Mescall contacted a number of the existing Communities of Practice already established here at UCD about how they came together, their function, the objectives and how the changes brough on by Covid affected them.
This profile was provided by Claire McCambridge, Data Breach and Information Officer UCD Legal on behalf of the GDPR Champions CoP
General Background
The General Data Protection Regulation (GDPR) came into force in May 2018.
Data protection and privacy is not designed as a legal or administrative exercise, but rather it is about respecting people’s dignity, their right to make decisions regarding their personal information, and about not putting them at risk through inappropriate data processing.
Data Protection at UCD
It is UCD’s Vision ‘to place privacy at the forefront of every aspect of its personal data processing activities and to be a leading data protection champion in the sector nationally and in all its global endeavours’.
To implement the university’s vision, 3 years to the day after GDPR came into force, UCD launched its GDPR Champion Network. This network is designed to support UCD’s data protection and GDPR operations and to ensure that they are in line with the new ‘UCD Data Privacy Strategy and Action Plan’.
The GDPR Champion Network is made up of approximately 100 representatives from across university schools and units. While ideally, the Office of the DPO (ODPO) would have liked to meet the network as a group in person, due to COVID restrictions all of our sessions to date have been conducted on-line via Zoom. Although it was a pity to miss the one-to-one interaction with colleagues, Zoom has proved a successful forum to address the network’s training needs.
The role of the Privacy and GDPR Champion will no doubt evolve over time and will have different areas of focus depending on a school’s or unit’s need for data protection development or on what is required by law. The role of the GDPR Champion is not to enforce GDPR, but to act as prompts and to advise where to go to if any support is needed. Recognising that each UCD unit is different in size, scope and focus, units that process large volumes of personal data or very sensitive personal data are likely to have a number of individuals to champion privacy, whereas smaller units that only process student and administration data will find one champion is sufficient.
The Key Areas of Focus for Champions are:
- to act as contact point and liaison between the school/unit and the Office of the DPO (ODPO).
- to update school/unit at staff meetings on data protection issues/developments ensuring every school/unit is constantly aware of any changes or requirements necessary.
- to oversee key GDPR activities in the school/unit
Champions will support major data protection matters like:
LOCAL LEVEL GDPR COMPLIANCY: to identify local non privacy compliant matters and habits of the school/unit and help put them right.
BREACH MANAGEMENT: to recognise when a breach has occurred and understand the reporting process. In addition to reporting a breach internally, Champions will need to remind their colleagues that any project or school-based obligations regarding breach management with external third parties or collaborators are fulfilled.
ROPAs: (Record of Processing Activities) to support the school/unit in its development and upkeep of its ROPA.
PRIVACY NOTICES: to spot where a privacy notice may be required and facilitate its development by using resources available to them.
DPIAs: (Data Protection Impact Assessments) to support a new university-level DPIA committee in promoting the concept of risk assessments and overseeing DPIA developments in their unit/school.
GENERIC IT GUIDANCE & ADVICE ON THIRD PARTY TOOLS: to liaise with the ODPO and IT Security in organising any additional training/ workshops that their school/unit might need.
From June to December 2021, a number of Zoom based training sessions, delivered by the ODPO, took place covering the above areas – these were followed by highly interactive Q & A sessions. These sessions provided Champions with a safe space where no question was too insignificant to ask. Coupled with the training sessions, a Google Currents channel was put in place, where Champions can also ask questions/post/share relevant tips/information on all things GDPR related.
The ODPO provided all champions with a ‘GDPR Champions Handbook’ to ensure that they are fully equipped with key knowledge required to perform their role with confidence. The ODPO’s website (www.ucd.ie/gdpr) also provides a wealth of information ensuring advice and support is always at hand.
Going forward, UCD hopes to see the role of the GDPR Champion continue to grow and would love to see more and more members of the UCD community embrace the concept of privacy. While recognising the challenges encountered along the way, as the university establishes new ways of working, UCD hopes to overcome these challenges. It will be up to every member of the University Community to play their part demonstrating that UCD can truly be a learning organisation, an organisation its faculty, staff and students can be proud of.
Conclusion
On one hand the UCD GDPR Champion Network offers its members an excellent opportunity to further develop their knowledge of data protection and to become privacy advocates in their unit or school.
On the other hand, the Network represents a useful resource for all UCD colleagues in schools and units by having a dedicated first port of call and signpost, which makes their engagement with data protection easier and more relevant to their own work environment.