There is confusion in regard to the appointment of a Data Protection Officer (DPO), their responsibilities, the Data Controller's responsibility to the DPO, and also whether those obligations dissipate if a DPO isn't legally required. This article distils the 25-page guidance from the Article 29 Working Party on DPOs, providing you with useful pointers and commentary.
For more information on how we can support your organisation see our DPO Essentials Service here.
Appointment of a Data Protection Officer
All Public Authorities (maintained, Academy, MATs), by law, are required to appoint a Data Protection Officer (DPO). Under the principle of accountability, all independent and international schools (fee paying) must undertake an analysis to determine whether or not a DPO should be appointed. The Article 29 Working Party guidance on DPOs makes it clear that organisations are encouraged to appoint a DPO on a voluntary basis, unless it is obvious that this designation is not required. Regardless of the formal appointment of a DPO or not, the majority of the tasks they are designated with are mandated to the Data Controller (your school), meaning someone within your organisation needs to undertake them. 9ine’s DPO Essentials service has been designed to reduce the time and complexity in complying with the GDPR regulation and is ideal in supporting your DPO or where a DPO is not appointed, the individual who is responsible for data protection.
Obligations on your school in managing the role of a DPO
Under the GDPR, your school has a corporate responsibility to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is in accordance with [the regulation]’. The DPO role is present to assist the school in monitoring internal compliance with the regulation. 9ine’s expertise on data protection and the GDPR supports your school and your DPO with efficiently and effectively managing compliance.
Legal duties by which your school must abide:
Position of the DPO
The school is the data controller and therefore remains responsible for compliance and must be able to demonstrate how it achieves compliance. The DPO’s role is to support the school in doing so. The school is required to ensure the DPO is consulted on anything that impacts upon data protection and that the DPO is specifically ‘involved, properly and in a timely manner, in all issues which relate to the protection of personal data’. It is advised that schools set guidelines or a calendar of activity for when and how the DPO should be consulted. Furthermore, it is also required that:
- The DPO is involved at the earliest stage in all issues relating to data protection
- The DPO is seen as a discussion partner within the organisation
- The DPO is invited to participate in meetings of senior and middle management
- Where the school does not follow the advice of the DPO, the reasons are documented
- The DPO should be given the possibility to make their dissenting opinion clear to the highest management level
- An annual report of the DPO’s activities is presented directly to the governing body (highest management level)
The DPO has a number of specific duties, in particular to:
- Collect information to identify processing activities
- Analyse and check the compliance of processing activities
- Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
- Inform, advise and issue recommendations to the controller or the processor (importantly your school DPO may identify issues with the processing of third party processes)
You still need to complete the majority of the tasks set out above even if you are not legally required to appoint a DPO.
The GDPR puts into law a number of protections to ensure the DPO can perform their duties with sufficient autonomy and with sufficient resources. As a data controller, your school cannot direct the DPO to deal with a data protection matter in a particular way, influence the outcome by pressing the importance of specific considerations, or instruct the DPO to take a certain interpretation of the law. Your school needs to evidence how the DPO is acting independently and making decisions through an objective process. Through the DPO Essentials service’s Termly Reviews, 9ine will provide your school with the confidence that our advice, guidance and decisions are being made independently and objectively.
In enabling the DPO to undertake their role, the school needs to provide them with the ‘necessary resources’ to do so. Given the nominated DPO within your school is likely to have other duties, the school is legally bound to assess the impact of the DPO role upon the nominated individual and allow the DPO to make an objective decision on the support they require. There must be a correlation between the type, complexity and sensitivity of data being processed and the resources you apply to support the DPO. An analysis of this will be required, a judgement made and documented for evidence. The supervisory authority will request your assessment of resources applied to the role when you have a reportable breach. In summary, your school needs to provide the DPO with the following:
- Support from the governing body or board of trustees
- Designate time for them to undertake their duties
- Provide resources or expertise to support them in providing objective guidance
- Provide the necessary financial resources for external HR, legal, IT and security support
- Provide continuous training
9ine’s DPO Essentials service supports your school in making evidence based, objective and independent decisions pertaining to the necessary resources that should be provided to the DPO. Our expert team advise on appropriate technical and organisational measures that should be put in place, saving your school DPO time and giving the school confidence data protection obligations are being managed.
Maintaining a record of processing activity
The school is responsible for undertaking an assessment of processing activity and keeping a record of all processing operations, including maintaining a record of processing activity carried out by third party data processors. As systems change or new processes are introduced, data processing activities will also change. The school is responsible for ensuring that there has been an effective assessment of the change. The DPO is not responsible for doing this. If your school decides that the DPO will do this, then the necessary resources need to be provided.
In many cases a Data Protection Impact Assessment (DPIA) is required to evaluate the risks of the processing activity and inform proportionate technical and organisational measures to mitigate those risks. Your DPO is responsible for supporting the completion of the DPIA and advising on the appropriateness of the organisational and technical measures. As a school you need to:
- Determine when it is necessary to carry out a DPIA
- Seek advice from the DPO when carrying out a DPIA on:
  - The methodology used to complete a DPIA
  - Whether to complete in-house or seek external support
  - The safeguards that should be applied to the processing activities to mitigate risks to the rights and interests of data subjects
  - Whether the DPIA has been correctly carried out
  - Whether the mitigating actions are in compliance with the GDPR
Within 9ine’s DPO Essentials service we have a structure and methodology for completing DPIAs. We also have a large database of processing activity that schools undertake given our work with schools on the GDPR. This provides us with the knowledge and expertise to support you to efficiently complete data mapping, evaluate when a DPIA is required and guide you on proportionate organisational and technical measures to mitigate risk.
9ine's DPO Essentials Service has been designed to support all organisations in complying with the GDPR. Regardless of whether you appoint a DPO or not, the service is designed to enable you to:
- Have a robust and evidence-based compliance plan
- Manage Information Rights requests
- Audit your organisation for compliance with the regulation
- Use our knowledge and expertise to upskill your workforce
- Manage breaches in accordance with the regulation
More information on the service and a PDF copy of this blog, with references back to the regulation, can be downloaded here:
© Nine (9ine) Consulting Ltd. All rights reserved 2018. This article must not be quoted from, referred to, used by or distributed to any other party without the prior consent of Nine (9ine) Consulting Ltd who accept no liability of whatsoever nature for any use by any other party. In using or referring to this document, Nine (9ine) Consulting Ltd shall not be liable, whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation or otherwise for: loss of profits; or loss of business or; depletion of goodwill or similar losses; or loss of anticipated savings; or loss of goods; or loss of contract; or loss of use; or loss or corruption of data or information; or any special, indirect, consequential or pure economic loss, costs, damages, charges or expenses.