We’ve recently been through what seems like another round of endless audits here at our university. Focusing on user security and role access has made us reflect on the EU GDPR (European Union – General Data Protection Regulation) implemented in 2018 and how this may impact our future approach to the daunting task of security access and role reviews. Being in Australia, GDPR feels a little distant, however given its move towards promoting global governance, it’s a really important issue for us to ensure we’re across.
Understanding all the elements and how they impact an international institution has not been an easy field to navigate, and the issue has not really been prominent in discussions here. Given existing privacy regulations in Australia, part of the issue is identifying the gaps between our compliance obligations, our institution’s desire to protect our students’ information in any case, and the requirements of GDPR.
In researching GDPR and its implications I’ve come across a number of really great resources available in the HEUG communities. From presentations at various Alliance conferences, both in the US and in other regions including EMEA Alliance and Southern African Alliance, through to blogs which have been posted in a number of special interest groups, I’ve found some really useful information available to help us navigate this issue and reflect on how we might ensure we meet and maintain GDPR requirements. We are very fortunate to have this global community in which we can share best practice, seek resources and ask questions of our colleagues that are facing similar challenges on a day to day basis.
We are still in the process of reviewing our obligations against GDPR and ensuring we have all our bases covered, however it’s been a hard task to focus on and accomplish without a project team and dedicated resources. We are also finding difficulties due to the complexity of having numerous systems which collect and use student data. Without a centrally coordinated approach to GDPR review and a whole of institution mandate, how can you truly ensure you have full compliance across all of these areas (often under the responsibility of multiple stakeholders)?
How have others been tackling this? Have GDPR precautions resulted in any changes to your project management and governance practices at all?
Given our audit focus above, I’m also particularly interested in how (if at all) this has impacted on your system security reviews and processes. I’d love to hear from you if you have any tips to share in this area, GDPR related or not!