Appointing a data protection officer: A quick guide for schools and multi-academy trusts

Whatever the size and setting of your school, the General Data Protection Regulation (GDPR) places high expectations on protecting the personal data of your data subjects, especially children. Sensitive personal data is a specific set of “special categories” that must be treated with extra security, such as health and biometric data. Schools are accountable and must demonstrate commitment to the new Regulation by putting in place appropriate processes and procedures and, under Article 37(1), appointing an appropriate data protection officer (DPO).

What is a DPO?

  • The DPO takes an independent monitoring and advisory role informing you of your data protection obligations and supporting your compliance.
  • They are the point of contact for data subjects and the Information Commissioner’s Office.
  • They are experts in data protection law, are adequately resourced and report to the highest leadership level.
  • They can be external and shared across a group of schools – including those with formal relationships, such as a trust.
  • They can be an employee, but there cannot be a conflict of interest with other roles.
  • They provide advice regarding Data Protection Impact Assessments (DPIAs). A DPIA must be carried out where a planned or existing processing operation “is likely to result in a high risk to the rights and freedoms of individuals”.

Choose your DPO carefully

The DPO’s required level of expertise is not defined, but it must be proportionate to the sensitivity, complexity and amount of data you are processing. The DPO must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. They should understand your school’s processing, the information systems used, and your data security and data protection needs, and have a sound knowledge of your school’s administrative rules and procedures.

Choosing an external DPO service brings many benefits. An external DPO will already have extensive data protection and legal knowledge, and can offer a completely impartial service. To ensure value for money, they can be supported by an internal head of data protection. This person is known as the ‘responsible person’. With guidance from the DPO, the responsible person can manage most of the compliance activities, such as organising and delivering training, implementing the processes and procedures, and administering data breaches and subject access requests.

Assessing the suitability of DPO services

When choosing a DPO service for your school, consider the credentials of the individual or organisation, remembering that you are ultimately responsible for the data processing in your school. Research their data protection experience, if they have a legal background, their availability in an emergency and what other services, such as training and software tools, they offer.

IT Governance’s New DPO as a Service for Schools

As an individual school or trust, our DPO service for schools offers you the highest level of expertise and advice available at a competitive price.

As required by the Regulation, our DPO service is backed by professional, practical data protection law experience and our in-house legal team. Our service provides the impartial and independent expertise you need with the essential flexibility and affordability you demand.

What’s included in our service?

Additional services available