← Back to the Risk Register



Risk Summary

GDPR Not Fully Complied with

Risk Detail

The GDPR may not be full comlied with across the full collaboration.


Could have an impact on services and the collaboration of some sites are unable to run services, or face legal challenges.


Due diligence in trying to implement the requirements of the GDPR, and by having clear policy frameworks. Informaing sites and collaborators of their responsibilities under the regulations.


We have a strong set of policies covering most of the use of the infrastructure - these were put in place to satisfy our needs to be able to trust each other and to satisfy the requirements in some countries even before the GDPR. Some of these have been slightly updated to be consistent with the GDPR (AUP, accounting policy, etc.). We have a new Privacy Notice, and a template (undergoing approval) to be applied to essential services. Each site running services must ensure that it complies with the needs in terms of data collection, processing, and storage.

There is still uncertainty in the interpretation of the regulations in some cases - particularly regarding how they apply to a distrbuted scientific infrastructure.

Our strategy is to to apply what we clearly understand as requirements, to be open and clear about how information is collected and retained, and be ready to adapt as interpretations of the regulations are clarified over time.

Risk Impact
Risk Likelihood
Risk Severity

1: never expected to happen | 2: could happen but very unlikely | 3: could well happen | 4: will probably happen

1: we can deal with it, no problem | 2: a bit of a hassle but not too bad | 3: can be managed, but with significant effort | 4: crisis


← Back to the Risk Register