Appendix 1: Data Protection Framework
These guidance notes supplement the ICP-02 Data protection policy.
1. The Framework
All staff
1.1. This Data Protection Framework (illustrated in Figure 1) will enable the University of Bristol to comply with regulatory requirements and deliver governance and accountability over personal data processing. It will also enable the University of Bristol to use data more effectively, increase staff, student and stakeholder trust and benefit from the return on data privacy investments.
Leadership, governance and accountability
1.2. Provides a structure for management and decision-making regarding data protection and personal data processing, together with roles and responsibilities for delivering personal data protection and protecting privacy.
Policies, procedures and notices
1.3. Provides rules for how personal data is handled, how different roles carry out their responsibilities and gives transparency to individuals on how their personal data is processed.
Personal data lifecycle management and records
1.4. Provides the Records of Processing Activities (RoPA) for GDPR Article 30 and maintains this as the backbone to privacy activities.
Data subject rights and lawful processing
1.5. Provides the structure, process, approach and tools to enable the facilitation of rights requests by data subjects.
Risk management and assurance
1.6. Provides a methodology for identifying, tracking and managing data privacy risks and incorporating them into wider University of Bristol risk management structures.
Third party risk management
1.7. Provides the capability to assess, understand and manage risk posed by third parties who process personal data.
Personal data security
1.8. Provides the capability to assess, understand and manage information security risk in partnership with information security teams at the University of Bristol.
Training and awareness
1.9. Provides staff and others with the knowledge and skills they need to protect personal data in their custody, in compliance with University of Bristol policies and GDPR regulations.
Breach response and monitoring
1.10. Provides the mechanisms to ensure that potential breaches are identified, managed and reported in a timely manner with lessons learned.
Framework monitoring and continuous improvement
1.11. Provides an approach to reviewing and assessing privacy operations and implementing improvements.
