Education organisations are facing a challenge to understand how recent changes to data protection law have changed their auditing and compliance obligations. The GDPR brought with it a range of accountabilities in areas such as risk management, information rights, breach management, cyber / IT security, data security, and staff training, for which organisations need to be in a position to evidence compliance.
Need help with the GDPR? Our most recent school-focused webinar outlines the risks associated with outsourcing the DPO role.
Without having experts within the organisation who are specialists in the areas outlined above, how is an education organisation such as a school, college or university going to be confident in evidencing compliance, and be able to do so on demand, as is required by law?

The change in data protection law has created a mini-industry of baddies – ambulance chasers, cowboys and pirates. Without doubt, the various supervisory bodies will issue guidance on the use of the services provided by these characters, and we also suspect that over time the European Board for Data Protection will tighten or reissue their guidance on the principle for outsourcing of the Data Protection Officer.
Outsourced Data Protection Officer services are being marketed to education organisations by start-ups, one-man bands, and larger companies who have bolted on the service to a pre-existing help desk platform. In many of these cases, the individuals providing the services have little to no experience of data protection law and are in fact just regurgitating the GDPR and Data Protection Act 2018 verbatim. These types of services are themselves a breach of the regulation. They are the opposite of what the GDPR and associated data protection law is seeking to achieve. A deeper level of data protection law has been required because organisations have been so inadequate in self-regulating or abiding by previous laws.
To outsource your responsibilities to a grad in a call centre with a week's training on the GDPR is going to demonstrate an organisational attitude of wilful negligence, rather than the development of a proactive data protection culture that is required by law. Those schools, colleges, and universities that have done so, in good faith may I add, are at a more significant risk of being labelled wilfully negligent (and fined or otherwise reprimanded) than those organisations who have appointed an internal DPO with a potential conflict of interest where measures have been taken to reduce the conflict of interest impact.
So what makes a ‘baddie’ when it comes to data protection and associated law?
If you’ve ever had a car accident, this is much the same. This is a firm that generally has more people working phones than doing any proper work, and which will have systems that pick up intelligence through social media and news outlets to target your organisation and offer their services.
These firms have added a data protection or cyber security service to their services and are targeting your industry vertical (such as education). Appointing an organisation in these areas without expert knowledge for these services is likely to be deemed wilfully negligent. You will have to evaluate and document whether the advice provided to you is transferable and relevant to education (or other vertical).
They already have you under one service or product contract and are suggesting, or incentivising you, to take a data protection or cyber security service. It is highly likely that if you use a company for IT products or services, such as internet / email / MIS / managed IT service, and then appoint them as an outsourced DPO or DPO advisor, you could be wilfully negligent of your duties and liable for financial or other penalties.
Independent legal advice should be sought if you categorise your organisation as being in the company of any of the above.
What is needed is expert understanding of the education sector, the technology systems, databases, the data, the processing activities, and a track record that gives credibility. 9ine’s DPO Essentials service provides this peace of mind.
Our most recent webinar outlines the risks associated with outsourcing the DPO role. The school-focused webinar answers key GDPR questions, including:
a) What is the role of a DPO, and what are they responsible for?
b) What are the apparent business drivers behind outsourcing a DPO?
c) What are the misconceptions about the role of a DPO?
Meeting legal obligations
In the lead up to and during the summer break, confidence is required that whilst key decision makers are on leave, the organisation can still meet its legal obligations. If there were an IT system failure, a cyber security attack, information rights request, safeguarding concern or data protection breach, the organisation could deal with it. It’s those organisations working with 9ine that have this confidence. Our team of education experts in data protection, cyber security, technical and child protection are on hand and available throughout the summer to all organisations should they be needed. Think of us as your emergency car breakdown recovery service.
For absolutely no charge, no money changing hands, no complex agreement that lasts years, your school, college, or university can have confidence and peace of mind that any GDPR-related information request or breach, cyber security attack or incident, safeguarding or child protection concern will be expertly triaged and advice provided completely free of charge. You can redirect your DPO contact to 9ine’s DPO Essentials service desk and have confidence that you are compliant with your legal obligations. There’s no catch and no hidden charges, but absolutely every intention to support education professionals in the UK, Europe, Africa and farther afield.
Get in touch now to give your organisation the support it needs. I am providing our resources and the engine of 9ine for no cost to schools as I am appalled at the canvassing, hoodwinking, stupidity, and negligent acts of many, not a few, organisations.
Supporting my assertions on this topic, we recently hosted a webinar with Kemp IT Law on the outsourced DPO role.