Thank you all for your responses,
I tend to agree that the GDPR will require the appointed DPO to report to an executive member as their line manager, although it seems as though differences in organisational
structures mean this will have different implications (some will need no change, others might require a new role, which I think we will).
I also think that (at least for now) I will suggest SARs being handled by the DPO – although we don’t have a large team dealing with info governance here.
The guidance from the A29WP released before Christmas could have been a bit clearer!
Thanks again,
Dan Palmer-Dunk
Information Compliance Officer
University of Hull