This policy is owned by the Information Management and Compliance Department. The review process will be conducted by the Data Protection Officer on a biennial basis to ensure the continued effectiveness of the policy, and taking into account any changes to legislation, national guidance, etc.
The scope of the GDPR audit scope is agreed in consultation with the stakeholders to identify relevant data protection risks within the organisation. It takes into consideration both generic data protection issues as well as specific concerns about data protection policies and procedures.