The GDPR and higher education - a debate by a panel of GDPR experts

This talk is the sixth talk in a series about "The impact of the GDPR in the Higher Education sector".

General Data Protection Regulation (GDPR) is an European Union (EU) regulation intended to strengthen and unify data protection for all individuals within the EU. The enforcement date is 25th May 2018, at which time organisations in non-compliance will face heavy fines.

What will that mean for Higher Education Institutes (HEI) and other public institutions that need to deal with students' and prospects' personal data on a daily basis?

These and other questions were the focus of an event organised by FULL FABRIC, where a series of subject matter experts explain the impacts and the opportunities created by this regulation.

This is the sixth video in a series of six, with Norris Ismail, a global data and privacy specialist from Ernst & Young and Tim Rodgers who is information governance manager from Imperial College, London. Both discuss how universities can prepare for the General Data Protection Regulation.

This video was filmed at FULL FABRIC's conference The Impact of the GDPR in Higher Education. The event was held at Imperial College London on 22 June 2017 as part of London EdTech Week.

Video Transcript

00:04 Female Moderator: We kick off now with a panel on lessons learned from GDPR projects. And so I'd like to welcome Norris Ismail, a global data and privacy specialist from Ernst & Young and Tim Rodgers who is information governance manager from Imperial College, London. As with all the other sessions, you can either ask questions at the end by raising your hand or using Glisser. So first up, you've both been working on GDPR projects for a while. Norris, you have four high-ed clients working through their GDPR process as well as many well-heeled FTSE 100 companies and Tim, you've been involved in change management with local government, and then more recently at Imperial getting your governance and GDPR in order. So today's panel is on lessons learned from GDPR projects. So my first question would be, what are your top tips for our audience today based on your experiences so far and budgets at hand? Don't know who wants to kick off first?

01:05 Tim Rodgers: I will start. We're fortunate at Imperial, in that, we are a fairly cash-rich organization, and yet we haven't spent a penny on GDPR yet. Now, I don't know if that's a good thing or a bad thing. I guess it remains to be seen. But, what we've compensated for is some really strong leadership. So we're very fortunate, in that, the college secretary takes an active interest in this initiative. We have across college information governance governments working group that meets and is kind of giving the strategic direction to the GDPR project. And then we have a more, kind of more operation group from people across college actually. And I was saying just in the preamble to this, the interest that's been shown across college by members of staff has been really interesting and helpful. 

02:00 TR: So then rather than this being seen as some kind of top-down initiative, we're actually being really collaborative with our approach to getting things done. So I guess it's a cliche, but obviously, you know, top-table support for your initiative goes an awful long way and trying to be as, kind of corporate speaking to as many people as possible. I come from... I'm based in IT. I work very closely with my colleagues in league, and you can't be in isolation as far as that's concerned. So really talking to your colleagues, making sure that if you're not in IT that you're friends with people in IT and vice versa if you're trying to reach out to other areas of your college or university as well.

02:41 Norris Ismail: Yeah, when it comes to your budget, it's very, very challenging. I think for the past two years when we help clients, organizations, but the higher education to transform your current prematurity to the new world other than [02:54] ____. The main challenge that they actually ask is... All right, Norris, okay. How... What will be the best practical way to actually have to buy in from the top? Not only from the top but also from the stakeholders that have the influence decision-making in terms of operationalizing GDPR. So, our observations in the market get variety of different models. The first model is the budget, which is being actually championed by IT guys, cyber guys, CIO guys, because these are actually the people who actually really fast track the GDPR program by way of cybersecurity as a backbone. So that this is a first model and it's quite centralized, but again, the complexity when it comes to the work stream within the GDPR program because it depends on the structure of the higher education. Let's say we take example of the Oxbridge. Is very college art, and they also have their central administration. So you need to also deal with different kind of colleges, different kind of stakeholders, and different kind of bodies when it comes to budget.

04:02 NI: So, secondly, we also help to review higher education's GDPR budget. My observation is that it's very ambitious. You want to actually achieve everything before 25th May, 2018 which, in practical terms, okay, is impossible. So, we ask the question... All right we know that you have budgeted based on the work stream within the GDPR, but what would be the quick win that you want to achieve here? It depends on your current level of maturity. It depends on existing budget that you have, or it depends on additional budget that you might want to actually ask from your sponsors. Yeah. So from a two year program we condense it. So we actually told them, "All right, guys. Why don't you focus a one year program for the GDPR budget?" As long as you're very clear which work stream that you want to address in GDPR. 

05:02 NI: Typically, in a higher education environment, it would be PIA, Privacy Impact Assessment, Security Breach Notification, data transfer, upon our DPO, which also requires budget, you need resource to operationalize it and at the same time training education culture and awareness. So they have those quick wins. Okay, within the first year of the budget. And to operationalize it to second year, third year, it requires further review, because you need to actually tell to the board or tell to the steering committee or whoever who sits in the steering committee, "Oh, we have limited constraint because we didn't have 100% dedicated PMO rule helping us to operationalize GDPR program." And a third model, that we have seen at the market, particular from the higher education is outsourced. Everything you outsource. All right, because, okay we know we have limited budget, and the person who's actually championing DPO is also doing other things. Multi-tasker. Chief of multi-task officer. Right. Okay. 

06:06 NI: In addition to teaching, researching. You also did DPO. In addition to admin work, you also did DPO. And at the same time, you have to deal with third parties. Third parties request from third party auditor who wants to audit your privacy issuance program. So this is where most high education institutions are very struggling with. So they actually opted a more practical approach, a short term budget, resource [06:34] ____. They ask consultants, they ask lawyers to fill in the role and then to actually try to come up with a more short term, between six to nine months, kind of budget and address the critical areas that require attention to operationalized GDPR. So I would say those are the models that we are seeing when it comes to budget.

06:56 FM: I think that's quite interesting 'cause I know when we talked on the phone I think you had, between you both, slightly different perspectives on the allocation of the DPO role. So I think, Norris, your thoughts and to the audience were... If you're thinking of allocating that person, there may be some time lag involved because of the responsibility of the role and whether people would want it, whereas, I think Tim, you were slightly more optimistic about the opportunity of your coming from an IT perspective. So would you like to speak to us a little bit?

07:28 TR: I think so. In very so we have... I wouldn't say haven't spent any money. We have got people to do this stuff. So we have a project coordinator who's basically tying together our response to the 12 steps that the ICO puts out. We have people like me, from an IT perspective, trying to operationalize some of the procedures into some of those technical systems. Embedding the PIA into the project management process, for example. What I would like to see in Imperial is the creation of a specific DPO role sitting kind of... Almost a dotted line to the CIO and further dotted line to the SIRO, the Senior Information Risk Owner. And to have that genuine helicopter view of what the organization is doing, and then being able to advise on good data protection practice, therein. We've identified budget down the line in Imperial and I'm optimistic that that is the post that will be created. I'm kind of lobbying hard. And, who knows, I may even apply for it myself.

[laughter]

08:38 NI: Alright, so just to link back what Tim has just said. In a market, there has a shortage of 75,000 DPOs. It's actually a recent statistic by the International Association Privacy Professional. Why I'm saying this in the context of HE. I'm not surprised. It's so difficult, actually, to find, to us, somebody to fit in the role because, hey I already have my day to day job. Why should I be a DPO? That would be the reluctance. Another response, another feedback from some of the guys that we interviewed during the walkthrough business process through the HE's, they say well, we're not sure because this is a support service, a more... Doing a lot of teaching here, researching here. Even though privacy and data protection [09:22] ____. I don't think I can really operationalize it. It's actually not by choice. It's by force. So interestingly, if you look at the GDPR, the rational and the principle of GDPR is about accountability and governance. And that has been repeated many times by the ICO. Elizabeth Dernam, the current commissioner. But our experience in the HE environment is that it's very quite siloed. The reason why I'm saying this is because of two reasons.

09:55 NI: The first reason is it depends on the structure, how exactly they put the role of DPO within the structure and our observation in this structure is that most of the DPOs are like typical managers, day to day managers, instead of a DPO who has that kind of level of independence. Alright. Having the reporting structure directly to the audit committee, or to the oversight committee. And as well as dotted responsibility to the general council, head of legal and to the CEO. Because it's what exactly the GDPR would like to see. And if we compare and contrast the UK and the US kind of higher education environment, the US has a more dynamic approach. They know that even though they have nothing to do with GDPR, but they have privacy officers in the universities, and this privacy officers are in charge to actually really, really champion and lead and manage the data privacy program.

11:03 NI: So another bit which is important on a DPO role is that there is also a high need to upskill the existing skill set of the DPO. Because when we look into the background of the resources who'd fill in the role of the DPO. Their background varies from IT, compliance, legal, HR, marketing and sometimes has nothing to do with compliance as well. So one of the suggestions that we have told the stakeholders is that you should actually upskill yourself and go to any kind of certification program. For example the IAPP certification program, which is relevant for the DPO which called as CIPM certified information privacy manager for the governance site or CIPPE, which is for the GDPR [12:01] ____ site. So that they can really, really fast track some of their learning process, was operationalized day to day job as a DPO. Again, in HE environment, I was quite surprised to see a DPO who reports directly to the chancellor or to the vice chancellor, or to the board, unless there's a push by the top.

12:21 FM: Well, it's really interesting because I mean we spoke about the importance of having that direct line of communication to the senior leadership team, but you just mentioned certificates there but I know [12:31] ____ spoke about the so power of networks and actually using those existing networks of equivalent pays to improve your knowledge as well.

12:40 TR: Yeah. And so I couldn't let this opportunity pass, a bit of self-promotion. So I run a group for London called IGFHE [12:48] ____ for Higher Education. And so, people like me who sit around become some kind of GDPRs self help group, where we all sit around crying about how much we have to do. But actually, there's some really positive exchanges that occur in terms of how to swap policies, templates, ideas. And I guess a problem shared is a problem either halved or doubled, depends on your views.

[laughter]

13:14 TR: That works under the basis, of course through JISC, I just see many of you connecting with JISC, there is also the HEFEIC group which is Higher Education [13:24] ____ Education Information Compliance group. They meet fairly regular and usually these are day-long meetings. So we're able to get some really good guest speakers in, to kind of talk to us about those big issues. Those of you who are based in London, on the 10th of July, there is an IG [13:40] ____ meeting over at [13:42] ____ and FieldFisher are coming to talk to us, a very well renowned legal practice, probably not as good as Ernst & Young of course. [chuckle] But we get together, we talk about some big issues and like I say, we're able to kind of collaborate.

13:57 TR: UCISA, doing some really good stuff in this area, they developed a privacy impact assessment template, which is really worth looking at if you haven't seen that already. So for those of you that are looking at us and thinking "one person operation," there is enough support, hopefully enough support out there. To kind of ease your burden, and just talk tactics and strategies and things like that.

14:19 NI: I think what Tim said is very, very spot on. In fact, when we have this conversation with our stakeholders who are the DPOs, they ask this question "Norris, what [14:30] ____?" "What's a benchmark?" Okay. This is actually quite typical because he just want to know whether what they are doing are correct and on the right track. So, those questions are valid. Importantly, once you actually have the network it's also actually important for these guys, the DPOS to have the engagement with the ICO, the regulator as well. Because on the one hand, you have the network of DPO and a network [15:06] ____ security specialist, and this network should actually raise some of the concerns that require clarity, within the context of HE environment. Right.

15:16 NI: Other industry sectors have done this. It's very much like informal kind of consultation with the regulator, with a [15:24] ____ in a team because they really want to actually give certain reassurance not actually in black and white, but just to ensure that alright, they are comfortable with the steps they have taken while operationalizing the GDPR work streams. Another important point, which is so important is that you should not restrict the network within the UK. If let's say you are a very global institution, you should also extend a network in Asia in the US, because there are certain areas of exemptions and areas of provisions in the local laws that might be different vis-a-vis the GDPR.

16:01 NI: So we have a client in which they are quite global, they have a branch in Singapore, in Hong Kong, and then they are transferring a lot of EU data sets across those jurisdictions. And what we learned is that those countries, some of the provisions are stricter as compared to the EU requirements. So meaning, because of those provisions, the level of compliance is higher. They have demonstrated the level of compliance. And because of the fact that the compliance officer is in charge with that and there's no need for it to have a DPO, so it's fine.

16:36 NI: However, if we look into Singapore, for example, in a Singapore act it says, you must appoint a DPO as a statutory data protection officer. Similar in GDPR. So let's say if you guys, in the future or in your existing data transfer environment, you transfer any kind of EU datasets whether the researchers or professors, or students, or in fact vendors who are involved with the non-EU entities, you have to consider this as well. So this is why the network of DPO should be expanded, not just in the UK, but global as well.

17:09 TR: Just one thing just to come back on. Quite right thinking about other groups, NADPO are doing really good stuff. IRMS are doing some good stuff as well. There are enough bodies out there. There's also of course... Obviously we're at one today, aren't we. Supplier's events. Quite frankly, you could spend your entire working life at GDPR events at the moment and not do anything [laughter] to advance the regulation, which I guess is a good thing, or perhaps not... Trying to pick those out. Today's been great because it's being focused on higher education.

17:44 FM: Okay, so on that note, then let's focus on the higher education and I'm gonna lean on some really well established stereotypes, to ask this next question. So you've got your DPO in place and they're really keen, but there's that one rogue academic that just doesn't think GDPR is top of their priority list. Sorry if there are any academics in the room. How do you negotiate this situation?

18:07 TR: This is like an interview. [laughter] Like I said, we're fortunate, in that, we've got the ear of the college secretary. Before the information audit, before we were asking questions specifically around personal data on this we were embarking on creating an information asset register anyway. So we had the directive from the college secretary to go out and find what's out there. We have an issue at Imperial, and I think I can say this in polite company, where we have a huge shadow IT situation. We spend just as much on shadow IT as we do on IT in the light, if that's the term, because people can go off and they can do things themselves, they have that independence, they've got the external funding, they can do effectively what they want. To try and get that visibility is really, really difficult but, like I said with the college secretary kind of on our shoulders we can actually go and hopefully shine a light in areas that have hitherto been in the dark.

19:06 TR: Think the other thing... Again, speaking to someone beforehand, is that the threat of academics or researchers taking their funding and running to a less strict information governance regime seems to be quite fanciful because in theory, we should all be doing the same thing wherever we are. So I don't think that... And finally, you're working for a world-class organisation, the last thing you want is for that reputation to be sullied, and for you to produce a fantastic piece of research or to become known in your field, and yet be linked. We don't wanna become the talk of higher education, and I'm sure no one else in this rooms does, in terms of that reputational hit, in terms of the potential hits to funding streams. So I think there is this collective good, and hopefully, academics and researchers buy into that, is that a failure by them takes us all down with them and we certainly don't wanna be in that position.

20:07 FM: Do you agree, Norris?

20:07 NI: Yeah, I think I totally agree with Tim said. I think I just want to add two points. The first point is, going back to when we walked through the process within the HE environment, we actually asked this very simple question. Have you guys done any GDPR awareness at the BOT level? So let's say I ask you guys in the room, have you guys done that? Yes. Great, what about at the... Okay, I see two hands here. [laughter] So, the next question is, okay, if you guys have done that, what's the impact, what's the after the fact, the training. This is where it starts, because when we actually look into the training awareness culture, DNE, within the HE, there are still a lot of things to be done, it requires transformation, it's a change, because GDPR is a transformation program by itself.

21:02 NI: One of the arguments by the stakeholders that we interviewed is that they said, "Oh, we have other stuff to do, we don't have enough time, we are not sure whether, okay this is actually something that we can really champion, we can lead at that level." So these are quite typical kind of constraints, but having said that, it's important for the governors or the chancellors at the BOT level, or the collegiate level, and those are involved with any compliance controls and governance, to actually put this education awareness training and culture as an underpinning behind it before you have to buy in. There's another point which is very important, more creative way to do it, we actually suggested to the client to do an ethical hacking to one of the professors, [laughter] yeah, for the researchers.

21:57 FM: That sounds fun.

21:57 NI: Yeah, how exactly do academics respond to that? And then ensure that this has to be escalated at the governance level, at BOT level, or the steering committee level, and they did it. [laughter] They came back to us and said, "Hey, Norris, we have done that." "Okay, what's the news?" And they said, "Oh, it's a big hoo-hah and they really want to ensure how they need to respond to that." And they link it to the GDPR as part and parcel of the exercise. We can have that kind of simulation scenario kind of approach. If you think having the internal buy in is very challenging, you do it a different way, and then you link that story, make that as a storyboard, to tell to the governors and to the steering committee and everyone involved, "Hey, guys, we have to do something, because it's a lack of control, lack of governance." "Okay, please, actually beef up."

22:51 FM: Okay. One final question from me, and then I'm gonna go to Glisser or questions in the audience. Universities are at a turning point in their evolution, student and employer demand is such that innovation is a selling point for university with initiatives like JISK's Learner Journey Analytics, administrative AI assistants, and more international online and satellite offerings, which will allow cross-border data, which you alluded to. Will GDPR slow down HE at a time when it is threatening to speed up?

23:23 TR: [chuckle] I don't think so. I think... I've been in governance going 18 years now, and we've always been seen as being the barriers and the obstacles, but actually, you get things right first time, you don't need to do that rework and that reinvention. I've been present a number of times where someone comes to you the day before something goes live and says, "Tim, is this all right?" And of course the look on their faces when you say no, it's not, is quite something to behold, really. So we've managed to embed things like the DPIA into the project management process, into the service transition process. Asking the right questions at the right times, so it was an awful lot of problems kinda going forward. So I don't think so, I don't think it will accelerate it, but I think asking some very simple questions, at an appropriate time, means that we can continue to build and flourish and develop.

24:18 NI: Yeah, I think in a HE environment from the Ernst & Young perspective, what we've seen is that there is a will, there is an intention, there is a plan. But most, or often rather, is actually how to do it, who are the people who is going to do it, and then who is actually going to audit your current GDPR work stream or program? So in this day and age, there's no such thing as internet of things, now there's a new kind of word which is called as internet of everything. Everything is so interconnected, device, or perhaps this glass, or bottle, we're interconnected. Everyone can just access personal data, and HE has to cope with the intelligent advancement. So it's important to draw a very convincing and defensible storyboard, and tell, "Okay, we know that we have challenges when it comes to budget, we know we have challenges when it comes to prioritizing the GDPR work stream. We know we have challenges when it comes to audit, what we have done, whether what we have done is correct, whether if it's not correct, what are the gaps, what has to improve?"

25:30 NI: So take one step at a time, and importantly, it's good to be realistic rather than over ambitious. But what we have seen in reality on paper, it looks like wow, a perfect end-to-end GDPR program. As if that the DPO is like consultant, like us. [chuckle] So it's like, okay, so when we validate it, and we deep dived the work stream, then we could see that, "Hey, there's something missing there." Because you want to actually, just, to list everything, as what the team say PIA, data transfer, and also training, privacy by design, then we have the more complicated stuff like data inventory, data mapping. How you're going to do the data mapping in this context. So again, you take one step at a time, and to accelerate it, okay, yes. The word accelerate might be doable, it depends on the context, it depends on the buy-in, it depends on the budget, it depends on the timeline. And it's important to validate what exactly that you have done is consistent with the requirement within the GDPR work stream.

26:40 FM: Okay, we got our first question in here. So are unis as worried about the potential damages to their reputation as they are the fines?

26:51 TR: I would say, the problem for higher education is, no one's being done yet, have we? We've got two undertakings as far as the ICO is concerned. We haven't got a monetary penalty. There is a suggestion, there is a college in our midst that might be in trouble in that regard, but we don't want to dwell on that. [laughter] But this is it. We need to make this real for people, and actually it's been quite helpful to look at some of the instance today in the sessions we have at HEFE. I say we look back at the fines and the instance that occurred in the last kind of few months up to the meeting, just to see what lessons we can learn. It's a very evolving process, and it's really frustrating when the same issues come back round again. The example of someone selling office furniture with files stuck in it, a council was done for that about... A government department's done for that about three years ago. And then lo and behold the local authority does the same thing six months ago.

27:51 TR: So we need to make sure that we learn from the mistakes of others. It's much cheaper to do it that way, than to have the fine yourself. In terms of the impact, I think... I was kinda saying in terms of the academics. Reputation is everything, certainly if it was [28:09] ____, with the greatest respect to everyone else here, that you don't want to be suffering that potential dent on reputation. Because it has a number of untold consequences, and we talked about the example of tall talk, and the declining revenues, decline of share price, etcetera. For higher education institutions, it's measured in different ways, but I would imagine it would still be a great hit. I'm guessing, because like I say, we haven't been done yet, and long may that continue. But I think reputation and fine expense, probably about 50-50 in terms of their importance. 

28:47 NI: I think from the perspective of reputation, I would just like to share with all of you after an incident happened. So most organizations, whether HE or non-HE, they overlook to analyze the impact of the behavior of a person who actually encountered the breach. Because there were common in a response all about crisis management, alright, you have the people who's going to conduct the risk analysis, how the breach happened, why it happened, when it happened, and then to what extent that they need to do some forensic analysis across the system applications, which actually might trigger the breach. However, in terms of psychometric assessment... Okay, I'm going to be more like a researcher now. [chuckle] So what does it mean, is that you need to actually have a one-to-one discussion, one-to-one observation with the person who actually so called triggered the breach. And some universities in the US, this is where we like to do benchmarking. The chief privacy officers have actually done incident management behavioral analysis.

30:00 NI: They actually have a statistic. The incident, what kind of incident management, incident that happened within a month, and the impact after the incident, and what does it mean to the brand of the university? Because the university is very much focused to the brand, and they want to ensure that there is a loyalty and trust towards the brand. This one aspect, you look at it. But another aspect which is quite important is that incident management and plus [30:32] ____ notification, it actually links to other areas within GDPR as well. It's quite interdependent to one to another, the loss of elements of dependencies within the GDPR environment. So it depends again to the leadership of the university, if, let's say we take example Imperial definitely is a world class institution, very global brand, right?

[laughter]

31:01 NI: Yeah, it's very respectable in Harvard, in Princeton, Yale, when you say Imperial, wow, very prestigious. So if this is something that the university wants to position, then you have to actually replicate it to the wider stakeholders that involve to the internal business process of the university. When I say business process, the IT guys, the HR guys, the compliance guy, the third party, vendors guy, procurement guys, special project guys, R&D guys, and stakeholders were involved with the day-to-day data processing activities. 

31:35 TR: And the supply chain.

31:36 NI: Yeah, supply chain.

31:36 TR: It brought down the line.

31:38 NI: Yeah, down the line. Yeah.

31:41 TR: Just very briefly on the security incident side. And again, we're not wishing to plug other people's events. SASIG are having an event on Monday which is communications in a crisis. What do you need to do in the event of a data breach in terms of how you talk to your affected customers, how you talk to the media, other stakeholders as well. And one of the lessons that we learned fairly early doors, with the HEFEIC meetings, was having stuff ready, heaving a real, in case of emergency smash the glass, you've got policies, procedures, but also things like templated letters, if you need to set up a help line to talk to your students. Think about when that needs to operate, really get everything in place as a kind of in case of emergency scenario, but use this horrible phrase "muscle memory." So the idea that actually in the event of a breach, you know exactly what you're doing and it's almost kind of seamless, in terms of maybe a little rehearsal will save you an awful lot of angst should the worst happen. I'm sure it won't, but just in case, having those things really well rehearsed. 

32:37 FM: Okay, a few final questions. So this one's for you, Norris. When you consult clients about GDPR, what's the first sign of compliance that you look at?

[chuckle]

32:47 FM: What's the priority I suppose?

32:51 NI: Well, we obviously look into the business process as a start. The main areas, definitely IT, HR, compliance, third party vendors, the procurement, the supply side, and to an extent if the university, or the HE has digital strategy agenda to actually ensure that they are transforming some of the business process in a new digital environment. So when we walk through the business process with the stakeholders, what we realize is that the definition of personal data is not consistent throughout within the stakeholders itself. And they do not actually have the clearer understanding about the relationship between data controller and data processor. So we have to actually explain to them, "Go back to basic. Go back to law school. [chuckle] This is processor, this is controller, and it depends on a context." Then another area which is so important, is the supply chain side, the vendor side, because HE deals with a lot of vendors out there, and they are processors. And from the procurement perspective, we also have the procurement guys.

34:01 NI: If you actually renew a contract, the vendor's contract, or you want to actually negotiate some of the terms in the contract within the vendors, have you actually asked a question, "Are you GDPR ready?" Just a very simple question. "If you are GDPR ready, show us evidence, a little bit of high level kind of initiative that you have done." We actually asked our HEs to ask the vendors, ask these three questions in order to determine or ascertain that they are actually on track. First, do they have a PIA, privacy impact assessment. If they have PIA, okay, let us know whether this PIA is a living document. Who actually owns the PIA? There's a misconception that PIA is owned by DPO. No. PIA should be actually led by the owner of the business process, the IT, the HR, the procurement, the third party vendors, special project. And at the same time, this PIA is a living document.

35:01 NI: Is it just like a spreadsheet where you just fill it in and then you don't do anything about it? Have you communicated the outcome to PIA? So this one. Another [35:09] ____ we also ask HEs to ask the vendors, is that, alright, have you actually have a structure with regards to a contemplating governance, who's responsible for this? Have you actually embedded consent in your existing contract and operationalize the opt-in and opt-out as well in your contract, whenever you deal with all of these requirements here? And third, in the context of HE environment, you are dealing with students' personal data, you are dealing with students' sensitive personal data in which some of this personal data also linked to insurance or perhaps hospitals. So this is actually also an area that you need to ask, whether the students know exactly how they need to manage their data. It's not actually the controller, you need to have the obligation to tell the students, in fact, during their semester intake for the students and for the employees, the onboarding stage.

36:06 NI: Okay, why is this so important? So, those are actually the areas that we'll typically ask during the walkthrough exercise, and we've seen a mix of responses. Even some of them are not aware of the impact of transferring, EU Dataset to countries which do not have any data protection legislation. So from the risk base perspective, from the control and governance perspective, this was your finding. So this is how we actually approach it.

36:36 FM: Okay, then just one final one. I'll throw this to you Tim, what has been the biggest mistake that you've seen companies or organizations do in relation to data privacy?

36:47 TR: Oh Lord. [laughter]

36:48 FM: So many to choose from.

36:51 TR: I think... My background is local government, and if ever there's an industry that's made mistakes, it will be that. I think it's just not taking it seriously. I mean, it seems cliche to answer, but just not having that high level leadership, not having training, appointing an [37:13] ____ officer, but a level that's too low to change and have an impact on the rest of the organization. I honestly can't think of one specific no-no, but I think the beauty about GDPR, if it could be seen to be attractive at the moment, is that actually this is gonna get an awful lot of things right for us, it's gonna improve our governance, it's gonna improve, obviously, the way we handle data, but actually it's gonna make sure that a lot of people are facing the same way. One of the best things that we're finding with the roll out of our information audit is we're now putting in a place a system of information asset owners who are living and breathing... They're responsible for their areas of work and their staff and students, but always regarded the information as being IT's problem. Well, no, they need to actually own that and lead that. I guess a culture where information isn't being taken seriously is the biggest no-no as far as privacy is concerned.

38:09 FM: Okay, so we've come to the end, so final takeaways for the audience. So, if you have any books, resources, people to follow on Twitter, events... [laughter] Or just top tips to leave people with to mull over.

38:24 TR: The Twittersphere is a fantastic source of assistance and, also, a certain amount of comedy in there, from practitioners. So, there is a group of information professionals and you can find me... I'm on there as @InfoPup. [chuckle] So, but then you've got @RMgirl, you've got @infogeeklady, you've got @FOIKid, there are a number of people, all of whom have superhero names for some obscure reason, but they're all talking about GDPR stuff and they're all really interesting people to follow, occasionally they will start talking about gin and whatever. But they're very good. So, when the DP bill got announced yesterday, huge reactions straightaway, John Baines, the chair of NADPO, he's on Twitter, really good guy to follow. And they do come up with some really interesting insights and then can signpost you. And they're also really open if you ask them questions about things as well. Twitter, you can spend your time being shocked by Katie Hopkins or whatever, but actually it's a really useful place to find some good stuff about regulation.

39:37 NI: So I would say that anyone who is a member of International Association of Privacy Professionals, IAPP, I would highly recommend you to be a member. I think there is a special price for HE. Correct me if I'm wrong, please do not quote me, but you need to double-check that. The reason why I'm saying IAPP is because it has a quite global membership ranging from universities, private organizations, large multi-national organizations like Fortune 500 companies, and they have special blocks. Special blocks which cater for certain dedicated privacy professionals in which they actually share the lessons learnt in the GDPR implementation program, and some of the lessons learnt might be very useful for you to contextualize within the HE Environment. For example PIA, on IAPP website, there's also a free PIA document, go to the website, it's actually, I'm doing some marketing here... [laughter]

40:36 NI: Because I'm also a member of the IAPP Advisory Board Member for Asia. On the website, it has this F point IAPP PIA document. If you download the document, it's very useful, very practical. It outlines what will be the key items you need to look at when it comes to PIA. It's actually a good start. One of the things that IAPP has also done is they also benchmark GDPR, vis a vis, the technical standards. GDPR vis-a-vis are the local laws. What exactly that you guys need to consider, to observe, and to look into when you want to deal with any kind of data transfer, from the UK to the rest of the world, from UK to the US, for example. And IAPP also has this so called DPO blog. Data protection officer blog. So most of the DPOs are coming from a variety of sectors, from education sector, from Telco sector, financial services, the more mature sector and those industrial products where there are a lot of things that you can learn from the blog. I mean there are lots of very very good stuff, actually materials, but just a matter of time, where exactly you need to digest it, yeah...

41:55 TR: We talk about supplies, and again, if you spend your life reading GDPR-related stuff, again, you would never get anything done. [chuckle] Just very briefly, SASIG, Security Awareness Special Interest Group, really good. Lots of free events that they do. IT governance do a lot of free webinars, also you got ICA, you got ActNow in terms of blogs there. I could come up with a load of various bits and pieces. Turn up to one of my meetings. IGFHE, or the HEFEIC one. Mailing list on JISC. There is so much out there to help you and guide you. There's a lot of noise, trying to pick through it can be quite difficult. But actually there's a load of things that can use to your benefit to make your project work much easier.

42:34 FM: Okay, so that brings us to the end of that panel. Can we thank Norris and Tim please, everyone?