An overview of the role of a school’s DPO
If your school is a maintained school or academy, then it is classed as a public authority and, under the GDPR, must appoint a DPO. This person is responsible for monitoring the application of the Regulation and advising and guiding the school on data protection. They are the point of contact for all data subjects and the supervisory authority, which is the Information Commissioner’s Office in the UK.
Schools in England and Wales are required to appoint their own DPO. In Scotland, the local authority takes this responsibility, and in Northern Ireland, the education authority is responsible for all schools.
What is a data
- The DPO takes an independent monitoring and advisory role to inform you of your data protection obligations and support
- They are the point of contact for data subjects and the Information Commissioner’s Office.
- They are expert in data protection law, adequately resourced, and report to the highest leadership level.
- They can be external and shared across a group of schools – including schools with formal relationships such as a trust and
- They can be an employee, but there cannot be a conflict of interest with other roles.
- They provide advice regarding Data Protection Impact Assessments (DPIAs). A DPIA must be carried out where a planned or existing processing operation “is likely to result in a high risk to the rights and freedoms of individuals.”
Choose the data protection officer carefully
The required level of expertise of the DPO is not defined, but it must be proportionate to the sensitivity, complexity and amount of data you are processing. The DPO must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. They should understand your school’s processing, the information systems used and your data security and data protection needs, and have a sound knowledge of the school’s administrative rules and procedures.
The benefits of an external DPO
Choosing an external DPO service brings many benefits. The right DPO already has extensive data protection and legal knowledge and can offer a completely impartial service. To ensure value for money, the external DPO can be supported by an internal head of data protection. This person can be known as the ‘responsible person’ but never the DPO. With guidance from the DPO, they manage most of the compliance activities, such as organising and delivering training, implementing the processes and procedures and administering data breaches and subject access requests, always referring to the DPO’s guidance and detailed expertise.
suitability of DPO services
When choosing the service for your school, consider the credentials of the individual or the organisation, remembering that you are ultimately responsible for the data processing in your school and need accurate and timely advice and guidance. Research their data protection experience, whether they have a legal background, their availability in an emergency and what other services, such as training and software tools, they offer.
GDPR.co.uk’s DPO service for schools
We are now offering a DPO service for primary schools with support from our law firm, GRCI Law. We have based the service on the needs of schools and the cost is only £395 per primary school.