Educause Security Discussion mailing list archives
Re: GDPR - DPO Role
From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Fri, 27 Apr 2018 13:53:00 +0000
I'd be curious to hear what others are doing as well, and if there is a difference between universities of different sizes and/or their EU footprint.

The advice at the recent EDUCAUSE SPC session on GDPR was that most US universities don't really need an official DPO. For those that do, the DPO should be a person who doesn't have operational responsibilities that could be a conflict of interest, and answers directly to the board. We don't have anyone like that at our institution.

We were initially thinking we needed a DPO, and that it would be me (by default more than anything). We're of a similar size and structure as you at Loyola. We don't have a campus privacy officer, and we have a very small in-house legal office that tries to stay in a strictly advisory role.

Our latest thinking is that we don't need an officially designated DPO, but my office (InfoSec) will be the ones that monitor a shared privacy mailbox and process any GDPR-related requests that come in. This is all fluid at this point as we prepare for late May and track the various developing interpretations.

Thanks,
Chris

Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pardonek, Jim
Sent: Friday, April 27, 2018 8:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] GDPR - DPO Role

A quick question: how is your institution handling the role of the Data Protection Officer? We do not feel that we are large enough to have a separate DPO, but we aren't sure where or in what area the responsibilities for the role would land. Our thoughts are either in the Information Security Office, General Counsel, or possibly a Sr. VP that reports directly to the President.

Our internal auditors feel that General Counsel would be the right place, but they are reticent to take on the task. Any suggestions as to what you are doing would be great.

Jim

James Pardonek, MS, CISSP, CEH, GSNA
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
(773) 508-6086

Loyola University Chicago will never ask you for your username or password.

For the latest information security news at Loyola, please follow us online:
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog: http://blogs.luc.edu/uiso/