Whatever the size and setting of your school, the GDPR (General Data Protection Regulation) places high expectations on you to protect the personal data in your care. This is especially true of children’s personal data, with extra requirements for how special category data such as medical details and biometrics is handled. You are accountable and must demonstrate your commitment to the Regulation by putting in place appropriate processes and procedures and, under Article 37(1), appointing an appropriate DPO (data protection officer).
The DPO requirement applies to all public authorities, which means all maintained schools and academies must appoint a suitable individual to fill the position.
Find the answers to many common queries relating to schools and the DPO below.
What is a DPO?
- The DPO takes an independent monitoring and advisory role to inform you of your data protection obligations and support your compliance with the Regulation.
- They are the point of contact for data subjects, e.g. pupils, parents and staff, and the ICO (Information Commissioner’s Office).
- They should be an expert in data protection law, adequately resourced, and report to the highest leadership level.
- They can be external and shared across a group of schools – including schools with formal relationships, such as a trust, and those without.
- They can be an employee, but there cannot be a conflict of interest with other roles.
- They provide advice regarding DPIAs (data protection impact assessments). A DPIA must be carried out where a planned or existing processing operation “is likely to result in a high risk to the rights and freedoms of individuals”. If you are introducing a new system such as an MIS, catering or parents’ payment system, a DPIA must be carried out.
What skills does the DPO need?
The GDPR does not specify a required level of expertise for DPOs, but it must be proportionate to the sensitivity, complexity and amount of data you are processing. The DPO must have expertise in national and European data protection laws and practices, and an in-depth understanding of the Regulation. They should understand your school’s processing, the information systems used and your data security and data protection needs, and have sound knowledge of the school’s administrative rules and procedures.
Who can be the school’s DPO?
The Regulation states that the DPO should be impartial and that there must not be any conflict of interest. This makes it difficult to appoint a current member of staff to the role as there is likely to be a conflict with their other duties.
Do independent schools need a DPO?
Although not required by the GDPR, appointing a DPO is a wise decision for independent schools and demonstrates that you take data protection seriously.
Is an external DPO suitable for schools?
Choosing an external DPO service brings many benefits. The right DPO already has extensive data protection and legal knowledge and can offer a completely impartial service.
To ensure value for money, the external DPO can be supported by an internal head of data protection. This person can be known as the responsible person or data protection lead, but never the DPO. With guidance from the external DPO, they manage most of the compliance activities, such as organising and delivering training, implementing the processes and procedures, and administering data breaches and subject access requests, drawing on the DPO’s guidance and detailed expertise throughout.
How to choose the right DPO service for your school
When choosing the service for your school, consider the credentials of the individual or the organisation. Remember that you are ultimately responsible for any data processing in your school, so you need accurate and timely advice and guidance. Research the DPO’s data protection experience, whether they have a legal background, their availability in an emergency and what other services – such as training and software tools – they offer.
How IT Governance can help you
Our market-leading and trusted products and services provide a complete and cost-effective GDPR package. We will help you meet regulatory expectations, demonstrate commitment and remove the worry of choosing an appropriate DPO.
Support your DPO with GDPR.co.uk
- Built specifically for schools, this platform supports your school or trust’s GDPR compliance and your DPO. It includes training for all staff, breach recording and reporting, data mapping, supplier tracking and subject access request recording.
- Your own DPO who is also a privacy lawyer and available via telephone and email as and when you need them.
- The GDPR.co.uk compliance platform, which includes training for all staff, breach reporting and supplier mapping.
- A detailed gap analysis audit and report, ensuring we have a sound knowledge of your school.
- GDPR training for your key contact, delivered by our experienced consultants.
- Training materials for whole-staff training.
- Data flow mapping software.
- A document template toolkit, enabling you to quickly build the policies and procedures necessary for GDPR compliance.