With the laws on data protection due to change, we’ve teamed up with GDPR in Schools (GDPRiS) to produce materials to help schools prepare for the new rules.
When the General Data Protection Regulation, or the GDPR, becomes effective on Friday 25 May 2018, all state-funded and private schools, in addition to nurseries and child care organisations, will be required to name a data protection officer (DPO).
Who schools appoint as their data protection officer is very much within their own hands, as there are no formal qualifications required for the role and the appointed person can either be a member of staff or someone from an outside organisation.
The GDPR stipulates that all public bodies appoint a DPO, while private schools and nurseries are also required to make an appointment as their core activities involve regular and systematic monitoring of data subjects on a large scale.
Responsibilities and requirements for the DPO
The responsibilities of the DPO include the following, but may also encompass additional tasks:
- Educating the school and its staff on compliance requirements
- Training staff involved in data processing
- Conducting audits to ensure compliance and address potential issues proactively
- Acting as the point of contact between the school and GDPR Supervisory Authorities
- Monitoring performance and providing advice on the impact of data protection efforts
- Maintaining comprehensive records of all data processing activities
- Liaising with data subjects or parents to inform them about:
  - How their data is being used
  - Their rights to have their, or their child’s, personal data erased
  - The measures in place to protect their, or their child’s, personal information
Qualifications for DPOs
While the GDPR does not specify any relevant qualifications required to act as a DPO, it does stipulate that DPOs are required to have “expert knowledge of data protection law and practices.”
Within those guidelines, the DPO can be an existing member of staff, and related organisations – such as a multi-academy trust – may use the same individual to oversee data protection collectively, provided that all data protection activities can still be managed effectively. If organisations share a DPO, that person must be easily accessible to anyone from any of the related organisations whenever needed.
With this in mind, the GDPR requires that the DPO’s information is released publicly and provided to all regulatory and oversight agencies.
Finding a DPO
Schools need to have their DPOs in place now, before the new regulations come into effect on Friday 25 May 2018. The DPO needs a fairly broad knowledge base: expertise in data protection law and practices, as well as a complete understanding of the school’s IT infrastructure and technology and of its technical and organisational structure.
Ideally, as the DPO will most likely operate at a senior level, they’ll need excellent management skills and the ability to work easily with internal staff at all levels as well as external authorities.
The chosen DPO needs to tread a fine line between internal and external pressures, ensuring compliance among the teams and staff of the school while also alerting the authorities to non-compliance if such an event occurs.
When the GDPR comes into force, there is likely to be a steep learning curve for all involved, meaning that appointing the right DPO for your school or group should be high on your list of priorities.
GDPR in Schools (GDPRiS) is an intuitive, cloud-based data protection monitoring solution for schools, providing Data Protection Officers, schools and third-party data processors with the tools they need to take a proactive and thorough approach to the new General Data Protection Regulation (GDPR). Find out more about GDPRiS here.