Division of General Counsel, Governance and Compliance

GDPR Project Updates

26 March 2018

Extensive work has been completed with both the DARO team (as alumni is a key area of focus across the sector in relation to GDPR due to the unique relationship with data subjects in an alumni context), as well as with Research colleagues (as there is a large volume of sensitive personal data processed and consent is often relied upon for processing within this area). Tailored workshops have been held or are scheduled for the coming weeks to review and document data processing in these areas and identify any further work needed to ensure compliance. We are also in the process of scheduling targeted GDPR workshops with colleagues in other high-risk and high-priority areas over the next 4-5 weeks.

Additionally, and as part of these workshops, we are beginning to carry out Data Protection Impact Assessments (DPIAs) where required across the University and working to document areas where data sharing occurs to ensure that suitable Data Sharing Agreements (DSAs) are in place that lay out the responsibilities of third party processors with respect to personal data.

DPIAs are a tool to help ensure compliance and under the GDPR must be conducted when a new technology is going to be used, or when data processing is likely to result in a high risk to the rights and freedoms of individuals. DPIAs have been a focus for us from the outset of the GDPR project, as they make clear what data processing is taking place within a given area, project, or task, and allow proactive identification of any issues at start of the process, meaning the work towards mitigating risk and addressing any potential problem areas with regard to compliance can begin straight away. Going forward, these should be an integral part of ‘business as usual’ across the University in relation to new projects, systems, or processes.

As a crucial part of the GDPR project, we are also working to pull together an Information Asset Register (IAR) to document what data is held and to assign responsibility for it within each area. All Heads of Schools and Professional Services Directors have been asked to assist us with identifying Information Asset Owners (IAOs), to act as the person responsible for the data within each area. Once identified, two sessions will be held for IAOs with the aim of starting to compile the IAR and to provide specific training and support to these individuals.

20 April 2018

GDPR Support and Training

The General Data Protection Regulation (GDPR) comes into effect from 25 May 2018, replacing the Data Protection Act 1998.

It brings with it a wider definition of personal data and more strict requirements for how we process data.

What is happening at Sussex?

Information Asset Owners are being appointed to represent all schools and professional services areas. Training is already under way and the Information Asset Owners are helping to identify how and when we use data here at the University so we can ensure correct controls are in place. They will be a great first point of contact so, once we have the complete list, we will let you know.

What do I need to do?

Don’t panic! A range of information sources is being made available in the coming weeks, including a new e-learning course for all staff, which covers everything you need to know.

We will be sharing top tips with you - little things we can all do that will make a difference - so look out for them.

How can I access the e-learning course?

The course is currently being finalised and will then undergo testing before it can be available to all staff. We are aiming for the middle of May - but don't worry, it doesn't have to be completed by 25 May.

Who needs to attend staff training?

Training sessions are being provided for staff who may wish to understand more of the details around the changes and may have specific questions, due to the nature of their work. The details of how and when these sessions will be available will be communicated shortly.

10 May 2018

Countdown to GDPR

Lots of work has been going on since the last month's update, to get the University ready for GDPR on 25 May.

Information Asset Owners

We now have an Information Asset Owners (IAO) in each of the Schools and Professional Services Directorates who are a point of contact for you. Their role is to have an overview of any activities that process personal data in each area, to understand where and when personal data is shared, and to have a broad understanding of data protection issues.

They will be pulling together an Information Asset Register which reflects how personal data is used in each area, and it will then form part of the University’s overall Register. A list of Information Asset Owners is now available, but please bear in mind that some of the group will not have completed their training until Monday 14May.


A new e-learning module will be available for all staff from Monday 21 May, outlining everything that you need to know about data protection. It is important that everyone accesses the e-learning module and completes the course - although it doesn’t have to be completed by 25 May, it’s good practice to make it a priority.

In addition to e-learning, there will be a number of staff training sessions for any staff that would like to have more detail beyond the information covered in the e-Learning. The training will expand on the changes and will be an opportunity to answer specific questions. 

Data Protection Officer

Under the Regulation, the University has to appoint a Data Protection Officer (DPO). The DPO ensures compliance with the GDPR and provides advice on data protection obligations. They also act as a point of contact for individuals and for the Information Commissioner’s Office. The University has appointed Alexandra Elliott, Head of Information Management and Compliance, as the Data Protection Officer.

If you have any queries about the above - or GDPR generally - then please email GDPR@sussex.ac.uk.