Over the last decade, universities have experienced a rapid increase in the volume, value, and use of data - driven by digital transformation, evolving privacy regulation, and accelerated adoption of analytics and AI. While these initiatives deliver significant benefits, they also amplify the risk of unnecessary data exposure, misuse, and leakage across teaching, research, and administrative domains.

For higher education institutions, data has never been more critical or more complex to manage. Balancing open access, collaboration, and innovation with regulatory obligations and security expectations presents a unique set of challenges that many universities continue to struggle with.

This presentation explores the practical realities of implementing effective data protection capabilities within a university environment. We will examine common challenges faced when defining data protection strategies, aligning stakeholders, and operationalising controls across diverse systems, users, and data types. Attendees will gain insight into why traditional, tool‑centric approaches often fall short.

The session will also outline a pragmatic, risk‑based approach to improving data protection maturity with a focus on reducing exposure and meeting regulatory expectations while minimising disruption to staff and students. Real‑world examples and lessons learned from industry will be used to illustrate how universities can achieve meaningful risk reduction without compromising academic outcomes or user experience.