This is my second blog in a series of posts discussing how schools can prepare for the General Data Protection Regulation (my first blog is still available here if you missed it). This time round I’m focussing on what is probably the most significant change for schools that will be introduced as part of GDPR – the role of the Data Protection Officer.
The GDPR will require public authorities to appoint a Data Protection Officer (DPO). The person undertaking this role will need to be qualified to support on all matters data protection and have the appropriate legal knowledge and awareness of applying this within the education sector.
The introduction of this new role will present several immediate issues for schools.
School leaders and Governors will be expected to take the advice provided by their DPO into account when considering decisions which may involve new or changed uses of the personal data the school is responsible for (for example, introducing a CCTV system, changing HR processes, asking children and parents to use an online homework system, etc).
Where a school or trust is deciding to implement change, the DPO may be tasked with undertaking a DPIA or data protection impact assessment (another exciting new feature of GDPR!). As a senior member of staff within the organisation, they will also have the power to influence and lead on implementing any changes to working practices.
Schools and trusts are unlikely to be awash with the funds necessary to create new posts for DPOs, nor are they likely to have existing staff with either the capacity or skills/knowledge required to undertake the specialist duties of this role.
The DPO will be required to report directly to the most senior level of management in the organisation (Headteachers/Governors/Directors) and cannot be dismissed for undertaking duties in relation to their job. In doing so, they will also be expected to monitor compliance, offer independent scrutiny and advice on decision making – meaning that appointing an IT technician, or office administrator who has asked for some extra hours is probably out of the question!
Importantly, the DPO will also help to shape the “data culture” of the organisation, ensuring that all staff have access to appropriate levels of training and support on matters of data protection and leading on embedding this practice within the organisation.
For multi-academy trusts, this role will also be responsible for advising on potential inconsistencies in practice across academies, a likely source of risk for most trusts.
There is some good news…for schools and academy trusts alike, the GDPR will permit public authorities to commission in a Data Protection Officer as a service. Whichever route schools choose to take in securing the support of a DPO, they will need to act quickly. The demand for support leading up to May will be high and the skills pool is currently very shallow. With only 8 months left until the GDPR comes into force, time is already running out to ensure your school/trust has made arrangements for accessing the services of a Data Protection Officer.
James Plant is the Operations Director at S4S and specialises in supporting schools and academies with all matters of data protection.
For more information about how S4S support schools, academies and trusts, please contact us:
Telephone: 01902 203990