Educause Security Discussion mailing list archives

Re: GDPR - DPO Role


From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Fri, 27 Apr 2018 13:53:00 +0000

I'd be curious to hear what others are doing as well, and if there is a difference between universities of different 
sizes and/or their EU footprint.

The advice at the recent EDUCAUSE SPC session on GDPR was that most US universities don't really need an official DPO.  
For those that do, the DPO should be a person who doesn't have operational responsibilities that could be a conflict of 
interest, and answers directly to the board.  We don't have anyone like that at our institution.  We were initially 
thinking we needed a DPO, and that it would be me (by default more than anything).  We're of a similar size and 
structure as you at Loyola.  We don't have a campus privacy officer, and we have a very small in-house legal office 
that tries to stay in a strictly advisory role.

Our latest thinking is that we don't need an officially designated DPO, but my office (InfoSec) will be the ones that 
monitor a shared privacy mailbox and process any GDPR-related requests that come in.  This is all fluid at this point 
as we prepare for late May and track the various developing interpretations.

Thanks,

Chris



Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pardonek, Jim
Sent: Friday, April 27, 2018 8:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] GDPR - DPO Role

A quick question, how is your institution handling the role of the Data Protection Officer?  We do not feel that we are 
large enough to have a separate DPO but we aren't sure where or in what area the responsibilities for the role would 
land.  Our thoughts are either in the Information Security Office, General Counsel, or possibly a Sr. VP that reports 
directly to the President.  Our internal auditors feel that General Counsel would be the right place but they are 
reticent to take on the task.

Any suggestions as to what you are doing would be great.

Jim

James Pardonek, MS, CISSP, CEH, GSNA
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660

*: (773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/

