Improving GDPR compliance at HR
A recently closed project focussed on the anonymisation of personal data held by the University Human Resources department, in line with the General Data Protection Regulation.
The Human Resources department (HR) collects personal data of University staff, some of which can be considered personally identifiable data. Under the General Data Protection Regulation (GDPR) such data must be anonymised, or otherwise deleted.
Replacing the data with anonymous entries, however, impacted the functionality of HR reporting due to the loss of granularity. As a result, a hashing mechanism which replaced the data with a random number sequence was used instead. This allowed HR reporting to function correctly while still ensuring the data was anonymised.
The production of the Research Excellence Framework (REF) reports was also impacted by the anonymisation; in this case, however, a hashing mechanism could not be used. Instead, a suitable environment-based solution was identified which could provide an anonymised database while also retaining the ability to produce the REF reports.
An implementation plan was designed, but due to the relatively short-term need for the solution it was agreed not to implement the plan and instead to put it on hold, knowing that it could be implemented in the future if required.
This project is part of the wider aim of the University of Edinburgh to implement required system changes and become GDPR compliant. This process also includes an updated data protection policy and guidelines, as well as data protection training for all staff.