University CIO: 'If I had a pound for every time I heard a piece of software can make you GDPR compliant…'

Heidi Fraser-Krauss, Director of Information Services & Acting Academic Registrar at the University of York, describes her organisation's journey towards GDPR compliance

The University of York is working towards being GDPR compliant, but Heidi Fraser-Krauss, Director of Information Services & Acting Academic Registrar at the organisation, is dubious about some vendors' claims.

"If I had a pound for every time I heard a piece of software can make you GDPR compliant," she began, implying that she'd be very rich in that scenario.

The EU's General Data Protection Regulation will come into force throughout the EU on 25th May 2018. Computing has put together a list of resources to help businesses prepare.

"We're approaching it in a risk-based way," continued Fraser-Krauss. "We're working through as a project. It's a tough one, and there are lots of different questions. Anybody who says it's easy doesn't fully understand it."

She explained that the University has a plan in place, but is unlikely to be fully compliant by the time the legislation comes into force on 25th May, despite "trying valiantly".

"We have a plan to get there, but won't be fully there by May, but we're trying valiantly. We're looking at our biggest risks first. We have a project group for GDPR compliance that I chair, and we've had excellent engagement across the organisation, they understand the need to do something, and we're taking it seriously.

"We're thinking about universities as organisations, but they're not like someone trying to sell you something, like marketers are. The most challenging questions have been from researchers. You're going to do research in a classroom looking at how pupils are taught, how do you get their consent, how long can you keep their data for, what happens if you want to opt out of something you've participated in? Some of these things they're working out as they go along.

"There will have to be exceptions. Let's say you're looking at immunisation rates, you have to have kept data over a long period of time. There'll be personal data you need to keep so you can have comparisons over time."

Heidi Fraser-Krauss won the CIO of the Year award at the Women in IT Excellence Awards 2017.