Please read our student and staff community guidance on COVID-19
Skip to main content Skip to navigation

Data Protection Officer (DPO)

The position of the Data Protection Officer (DPO)

  • The DPO role is an independent role required by legislation. The position of the DPO includes:
    • To inform and advise the University on its obligations to comply with the GDPR and other data protection laws.
    • To monitor compliance with the GDPR and other data protection laws, and with data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training and conduct data protection audits.
    • To advise on, and to monitor, data protection impact assessments.
    • To cooperate with the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.
    • To be the legal point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).
    • It is the University‚Äôs responsibility to ensure that the DPO does not receive any instructions regarding the exercise of their tasks, works with autonomy and independence and reports directly into the highest level of management.
    • The University shall support the DPO in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
    • The University must ensure that the DPO is involved, closely and in a timely manner, in all data protection matters.
    • To oversee and maintain a granular and comprehensive register of the University's Records of Processing Activities (ROPA). The DPO will use the ROPA to monitor compliance and adherence to the University's accountability and privacy by design/default obligations.
    • Role of the DPO in data breach incidents:
      • The DPO is responsible for investigating a data breach incident as part of their statutory task to monitor compliance and will follow the data breach reporting obligations as set out in the GDPR and regulatory guidance.