Appointing a data protection officer
Under the GDPR, maintained schools, academies, further education institutions and universities are all classed as public authorities and are required to appoint a DPO (data protection officer).
This person is responsible for monitoring the organisation's application of the Regulation and for advising and guiding it towards compliance. They are the point of contact for data subjects and for the supervisory authority, which in the UK is the ICO (Information Commissioner's Office).
Schools in England and Wales are required to appoint their own DPO. In Scotland the local authority takes this responsibility, and in Northern Ireland the education authority is responsible for all schools.
What about independent schools?
Independent schools are not public authorities, so the Regulation does not automatically require them to appoint a DPO. One is still mandatory if the school's core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (Article 37(1)(b) and (c)). Where neither applies, appointing a DPO voluntarily still demonstrates to data subjects and the ICO that you take data protection seriously.
What is a DPO?
Who is a suitable DPO?
- The DPO takes an independent monitoring and advisory role informing you of your data protection obligations and supporting your compliance.
- The DPO is the point of contact for data subjects and the supervisory authority.
- The DPO is an expert in data protection law, is adequately resourced and reports to the highest leadership level.
- The DPO can be external and shared across a group of schools – including those with formal relationships, such as a trust.
- The DPO can be an employee, but there cannot be a conflict of interest with other roles.
- The DPO advises on Data Protection Impact Assessments (DPIAs). A DPIA must be carried out where a planned or existing processing operation “is likely to result in a high risk to the rights and freedoms of individuals”.
Because the DPO must be independent and must not be in a position to determine the purposes and means of data processing, it can be difficult to find someone within your organisation who is suitable for the role: a head teacher, bursar or IT manager who decides how pupil data is processed cannot also be the person monitoring that processing. The DPO does not need to be someone within your organisation. If you are part of a larger group, the group may appoint a single DPO.
Appointing an external DPO
You can also contract DPO services from a supplier. This gives you access to a trained and experienced professional without creating the conflict of interest that can arise when the role is given to an existing member of staff.
Data protection training and DPO support services
We offer a selection of products and services to support your organisation's GDPR compliance. Our certified GDPR training courses offer a structured learning path for data protection and information security professionals. Our EU GDPR Learning Path includes certificated entry-level DPO training courses, preparing colleagues to fulfil the DPO role. GRCI Law offers a DPO as a Service to support schools in fulfilling their responsibilities.