12.1 The University has a designated Data Protection Officer with overall responsibility for data protection compliance in accordance with the duties set out in GDPR.
12.2 The Data Protection Officer is responsible for:
12.2.1 Maintaining this policy and all records relating to data protection;
12.2.2 Providing guidance, support, training and advice on compliance with GDPR;
12.2.3 Liaison with the Information Commissioner’s Office;
12.2.4 Taking legal advice on matters relating to the GDPR where necessary;
12.2.5 Supervising the management of access and other requests from data subjects;
12.2.6 Managing the procedure for the reporting and resolving of personal data breaches;
12.2.7 Reviewing and auditing the way personal information is managed, and ensuring that methods of handling personal information are regularly assessed and evaluated;
12.2.8 Monitoring and reporting on compliance with data protection training.
12.3 Directors of Services and Deans of Schools are responsible for ensuring awareness of and compliance with this policy in their areas.
12.4 The Director of Digital Services is responsible for maintaining the University’s Digital Services capability Policies in liaison with the Data Protection Officer.
12.5 Principal investigators are responsible for personal data management in their own research studies and for ensuring that secure information systems and operating procedures are in place with regard to data handling. Where personal data is processed, research staff and students must adhere to the personal data processing requirements set out in this policy, as well as the University’s Code of Practice for Research.
12.6 Staff training reinforces personal responsibility and good security behaviours, including how to recognise and report breaches.