The GDPR makes it a requirement for all public authorities (state funded schools) to have a designated Data Protection Officer (DPO). All other types of school need to document and undertake an internal analysis to determine whether or not a DPO is to be appointed. The analysis is part of the principle of accountability. Where a school determines a DPO is not required, a Data Protection Lead (DPL) is still required, with many of the responsibilities remaining the same. In either case, 9ine’s DPO Essentials service can support your DPO or DPL in managing their duties.
Outsourcing the DPO
The GDPR allows for organisations to outsource the responsibilities of the DPO on a service contract. In digesting the guidance on outsourcing, the purpose of being allowed to do so is more in common with larger organisations who may appoint a contractor or consultant that will be based within the organisation. If your school is planning on outsourcing the responsibility for the role of the DPO, you need to be aware of the implications, likely areas of additional cost and potential contractual quagmire you will be entering. This article provides an overview of the DPO responsibilities, the impact of outsourcing full responsibility and the impact on your school.
Knowledge and accessibility in school
The GDPR is explicitly clear on the role, activities and responsibilities of the DPO. In considering outsourcing, your leadership need to answer how the DPO service will do the following:
- Be able to foster a data protection culture
- Be involved properly and in a timely manner in all issues relating to data protection
- Be a sounding-board for discussion and part of your working groups associated with managing data
- Participate regularly in meetings with senior and middle management
- Have a presence in meetings where decisions are made with data protection implications
- Be able to make their dissenting opinion to the highest management level
- Have due regard to the risk associated with the processing of data in your school, taking into account the nature, scope, context and purpose of processing
Without having a physical presence in your school it is almost entirely impossible to evidence (given the principle of accountability) how a remote service DPO contract can fulfil the obligations associated with knowledge and accessibility.
Your school must provide the necessary resources to evidence compliance with the regulation. Organisations cannot legitimise a breach of the GDPR for lack of resources. The DPO must be provided with the necessary resources, must not receive instructions regarding the exercising of their duties and have adequate financial, infrastructure and staff where required. Your school also needs to have the following in place:
- The opinion of the DPO must always be given due weight. In case of disagreement, the reasons for not following the DPO’s advice must be followed
- Necessary access to HR, legal, IT and security services
- Where there is a breach, facilitate liaison with the supervisory authority and execute on putting in place the resources needed to manage the breach
By outsourcing the DPO role, you are giving authorisation and autonomy in the spending of your financial resources to the outsourced provider. Without good reason, you will have little room for challenge of their decisions in spending your financial resources. You are placing yourself at risk to the provider using their own in house legal, IT, HR and security expertise, leading to potentially unknown and uncontrolled spend. Don’t be blurred by headline grabbing costs of a DPO service as it is the additional charges where outsourced providers will be seeking to make their profits.
Position of a DPO appointed under a service contract
Under law, the contract you sign with an outsourced DPO service cannot be unfairly terminated. Additionally, those people who work for the outsourced provider cannot have their contracts unfairly terminated. This means you are inadvertently signing up to a contract, provided by resources you have no control over, with little or no influence on quality, for an indefinite period and with reduced contractual abilities to terminate. Under the EFSA Financial Handbook (England state school funding guidelines) it would be likely deemed inappropriate to agree or sign-up to such contracts without significant due diligence. In most other schools or organisations, this type of contract would likely require governor or trustee approval.
The Article 29 WP guidelines on the DPO state:
“The selective and pragmatic approach should help DPOs advise the controller [your school / organisation] what methodology to use when carrying out a DPIA, which areas should be subject to an internal or external data protection audit, which internal training activities to provide to staff or management responsible for data processing activities, and which processing activities to devote more of his or her time and resources to.”
In demonstrating the principle of accountability, we at 9ine find it very difficult to understand how any service contract can undertake the requirements of the above statement without being onsite.
Build in-house capability and capacity, providing development opportunities for your staff
The GDPR is an opportunity for organisations to map data and information flows, assess the risks of that processing activity to individuals, create efficiencies, improve the way you work and secure the personal data of your staff, students and parents. In outsourcing the DPO role you are likely giving up that opportunity. You are also forever reliant on external service companies to provide a role that is akin (in legal terms) to that of your Designated Safeguarding Lead / Child Protection Officer. Would you ever outsource that?
There should not be a knee-jerk reaction to outsourcing. Do not worry if you don’t have the internal expertise in ‘national data protection law’, the GDPR or within cyber security that the guidance mandates. Every organisation in the EU is in exactly the same position and the people with those skills do not exist at this moment in time. Building competence in your school / organisation in each of those areas is part of the compliance programme. Where you do not have the expertise, document that as a risk, and include a mitigating action that provides you with interim support in those areas. Your mitigating action will also be that you have an internal training programme to develop expertise in those areas.
- Appoint a governor / trustee with the responsibility for interpreting the Article 29 Working Party guidance on the regulation
- Identify a team of three people (expertise in management, HR and IT ) to carry out the duties of the DPO. One of the three being the nominated DPO or DPL.
- It is likely there will be a conflict of interest with one or more of the three you have identified. Don’t let this be a deterrent. Working together will allow more objective and independent decisions, minimising potential conflicts of interest. Where decisions cannot be agreed on, seek guidance from the governor / trustee, or from experts such as 9ine. Log this approach, the potential conflict of interest, and how you have sought to mitigate it within your risk log.
- Allow the DPO team to come up with their own ideas and suggestions to deliver GDPR compliance given the limited budget you have
- In all instances with the GDPR, apply common sense!
Supporting the development of your in-house Data Protection Officer / Data Protection Lead
9ine's DPO Essentials service has been specifically designed to provide a high quality, compliant DPO support service for schools and other organisations. We have purposely structured the service to support schools in building in-house competence and capability. The service sets out your obligations, gives you the confidence in evidencing the principle of ‘accountability’ and will respond in providing you proportionate, objective and independent advice and guidance for Information Rights requests (SARs, erasure, rectification, restricted processing, portability) and personal data breach management. More information on the service can be found here.
DPO / DPL Webinar - Monday 16th April 2018
Join us on April 16th 2018 for our webinar on the appointment and role of the DPO / DPL in your organisation. The school focused webinar will last about an hour and provide independent and objective guidance. Registration here.
Following the links below will take you to previous webinars from 9ine on the GDPR: