The majority of schools will need to appoint or reaffirm the appointment of a data protection officer (DPO) to comply with the General Data Protection Regulation (GDPR). In this blog, the fifth in our comprehensive GDPR series, we explore the role of the DPO and what you need to consider when making an appointment.
We also introduce you to our GDPR Certified Practitioner Course and GDPR Readiness Tool Kit.
The GDPR stipulates a number of obligations and requirements for DPOs, many of which will place an additional burden on people managing data protection in schools.
In some cases, the new requirements will prompt a reconsideration of who holds the position and the amount of time given to them to undertake the role.
Who can be a data protection officer?
There are a number of relevant articles within the GDPR that outline the “who, what and how” of the DPO. It’s important that you understand the pertinent articles:
- Article 37 - Designation of the data protection officer.
- Article 38 - Position of the data protection officer.
- Article 39 - Tasks of the data protection officer.
- Article 35 - Data protection impact assessment.
- Article 36 - Prior consultation.
You should also consider the guidance given by the Article 29 Working Party (the current EU independent advisory body on data protection and privacy). It has recently published an advisory publication on the role of DPOs and what organisations should do to comply with the law.
The advice includes avoiding the appointment of a DPO where a conflict of interest could occur:
“As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) …” Available from: <http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083> [accessed 12 July 2017].
It is, therefore, likely that most of your school’s current senior staff could not be the DPO. The guidance suggests you should:
- Identify the positions that would be incompatible with the function of DPO.
- Draw up internal rules to this effect to avoid conflicts of interests.
- Include a more general explanation about conflicts of interests.
- Declare that your DPO has no conflict of interests with regard to their function as a DPO, as a way of raising awareness of this requirement.
- Include safeguards in the internal rules of the organisation and ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed to avoid a conflict of interests. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.
The GDPR does allow for a single DPO to represent multiple schools within one organisation so long as they are “easily accessible from each establishment”. Consideration also needs to be given to the resources available to that role.
Given the volume of processing activities within schools, it would be prudent to consider creating a team to support the DPO.
Pathway to compliance
The approach we are taking at 9ine with the schools we are supporting on the pathway to compliance involves:
- Completing the data mapping exercise.
- Assessment of processing activities.
- Risk assessment of processing activities.
- Evaluating the level of resource required to maintain compliance based on the principle of proportionality.
By following this approach, schools can take an informed and risk-based approach to assessing the volume of work, the time required, support structure and resources the DPO will likely need to maintain compliance.
The published guidance gives details on the professional qualities required of the DPO role including the level of expertise and training. The GDPR mandates that the DPO should be provided with sufficient training to enable them to undertake the role.
Section 3.2 of the Article 29 Working Party Guidance includes:
“Continuous training. DPOs must be given the opportunity to stay up to date with regard to developments within the field of data protection. The aim should be to constantly increase the level of expertise of DPOs and they should be encouraged to participate in training courses on data protection and other forms of professional development, such as participation in privacy fora, workshops, etc.”
Furthermore, the guidance states:
“In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organisation.”
This implies that the nominated DPO needs to understand the operational context of school management and administration.
Resources for the DPO
The guidance is specific about what resources your organisation should provide to the DPO. The following is an interpretation of what can be found in section 3.2 Necessary Resources:
- Governor level support for the DPO. There should be a nominated governor responsible for data protection, with regular reporting to the rest of the board.
- Specific time needs to be allocated for the DPO to undertake their duties, with the amount of time measured as a percentage or as days per week. It would be good practice to create a job description for the DPO that details the responsibilities and time allocation.
- The DPO needs a budget to fund training, support and additional expertise and the organisation should not unduly withhold funds.
- Everyone within the school needs to know who the DPO is and how to confidentially contact them.
- Support should be provided in reference to HR, legal, IT and cyber security.
- Continuous training.
- When working in a team, or across multiple schools, a responsibility assignment matrix (RACI) is required.
GDPR Certified Practitioner Course
We will be providing a GDPR Certified Practitioner Course accredited by APMG and specifically designed to enable schools to efficiently and effectively train their nominated DPOs.
Three courses are currently planned with locations in London and Sheffield. Places are limited. Sign up here to register your interest.
GDPR Readiness Tool Kit
Our comprehensive GDPR Readiness Tool Kit is currently accessible to our clients and will be available on a wider basis very soon. If you would like to know when you can gain access, please let us know.