General Data Protection Regulation (GDPR) Implementation Project
Overview of Structure
July 2017

GDPR Implementation Project: Governance

Project Sponsor: Margaret Lee

GDPR Strategic Decision Making Board:
  Director for Digital
  Head of Corporate Services
  Head of Internal Audit
  Caldicott Guardian (Children's)
  Monitoring Officer
  Caldicott Guardian (Adults)
  Data Protection Officer
  Head of Legal Services

Project Manager: Scott Sammons

GDPR Operational Project Team:
  Data Protection Officer
  Head of Business Support
  IG Operations Lead
  Adult Social Care Operations
  Records Manager
  Children's Social Care Operations
  IG Officer (Data Sharing)
  Finance Representation
  Audit Manager
  Head of Payroll
  HR Representation
  Commercial & Procurement Manager
  Employee Comms
  Deputy County Solicitor
  Head of IT Security

Run through members and agreed names and reps.
Agree project meeting frequency and templates for reporting progress, issues etc.

GDPR Implementation Project: Workstreams & Deliverables

1. Governance
  Deliverables:
    Revised policy & procedures
    Revised PIA process
    Agreed risk approach
    Data Protection Officer

2. Assurance
  Deliverables:
    Internal Assurance regime
    External Assurance regime

3. Third Party Management
  Deliverables:
    List of 3rd parties by priority
    Develop & implement standard contract terms
    Revise Data Sharing Frameworks

4. Collection & Use
  Deliverables:
    Privacy Notices
    Website privacy policy
    Consent management
    ROPA

5. Retention & Destruction
  Deliverables:
    Agreed and published retention periods
    Process for managing & monitoring retention periods
    Agreed process for destruction of appropriate data

6. Rights
  Deliverables:
    Revised complaints process
    Revised process & resources for SARs & FOIs
    Agreed Data Portability process

7. Security
  Deliverables:
    Incident Process
    Agreed process on encryption standards
    Documented security controls
    Documented Integrity controls
    Documented Availability controls

8. Systems & Technology
  Deliverables:
    Required system changes
    Data Portability setup
    Anonymisation standards

9. Training & Awareness
  Deliverables:
    Training of DPO/Key roles
    Ongoing project team awareness
    Ongoing key messages to all ECC
    All staff training programme post project

10. Staff Data
  Deliverables:
    Changes to staff contracts / Notices
    Process for rights management

Run through the workstreams and who we think should be on each one.

GDPR Implementation Project: Timeline

[Timeline chart: months Jan to Dec 2017, then 2018 +, with one row per workstream: 1. Governance; 2. Assurance; 3. Third Parties; 4. Collection & Use; 5. Retention; 6. Rights; 7. Security; 8. Systems & Tech; 9. Training; 10. Staff Data]

High level overview of the plan, more detail will be added once confirmed.

GDPR Implementation Project: Timeline 2017 (Jan to Jun)

Key Milestone: Initial Awareness Campaign Launched
Key Milestone: Completion of Data Inventory
Key Milestone: Revised complaints process
Key Milestone: Data Portability Requirements defined
Key Milestone: Internal Assurance Regime agreed
Key Milestone: Risk Management Approach Agreed
Key Milestone: Key role training programme agreed
Key Milestone: Interim DPO role agreed & implemented

GDPR Implementation Project: Timeline (Jul to Dec)

Key Milestone: List of high priority contracts / DS agreements
Key Milestone: Deployment of ROPA Database
Key Milestone: GDPR DPO role agreed & implemented
Key Milestone: Changes to website complete
Key Milestone: Deployment of incident process
Key Milestone: All employee training programme agreed
Key Milestone: Agreed Data Portability Process
Key Milestone: Encryption standards in place
Key Milestone: Revised PIA process implemented
Key Milestone: Revised policies and procedures in place
Key Milestone: Security & Integrity Controls documented
Key Milestone: Incident response process agreed
Key Milestone: External Assurance Regime agreed
Key Milestone: Website privacy policy changes agreed
Key Milestone: Employee data changes made
Key Milestone: Retention periods & policy agreed
Key Milestone: Agreed Anonymisation standards
Key Milestone: Notice & Consent management agreed

GDPR Implementation Project: Timeline 2018 (Jan to May +)

Key Milestone: All staff training programme deployed
Key Milestone: SAR & FOI process & resources deployed
Key Milestone: Governance Framework fully deployed
Key Milestone: Standard Contract Terms Agreed
Key Milestone: Accepted level of third parties on new terms
Key Milestone: GDPR DPO role agreed & implemented
Key Milestone: Assurance programme deployed
Key Milestone: All high risk system changes now in place
Key Milestone: Data Portability process deployed
Key Milestone: Retention and Destruction programme deployed
Key Milestone: Completion of project awareness campaign