Choosing a Data Protection Officer (DPO) for your school
When the GDPR (General Data Protection Regulation) comes into effect on 25 May 2018, every state-funded and private school, as well as nurseries and childcare organisations, must name their data protection officer (DPO). This person may be a member of staff or someone from an outside organisation. There are no formal qualifications required for the role; however, the DPO must meet certain criteria.
GDPR mandates the appointment of a DPO for all public bodies including all state-run schools. Private schools and nurseries must also appoint a DPO because their core activities involve ‘regular and systematic monitoring of data subjects on a large scale’.
DPO responsibilities and requirements
The DPO’s responsibilities include, but are not limited to:
- Educating the school and its staff on important compliance requirements
- Training staff involved in data processing
- Conducting audits to ensure compliance and address potential issues proactively
- Serving as the point of contact between the school and GDPR Supervisory Authorities
- Monitoring performance and providing advice on the impact of data protection efforts
- Maintaining comprehensive records of all data processing activities
- Communicating with data subjects or parents to inform them about: how their data is being used; their rights to have their, or their child’s, personal data erased; the measures in place to protect their, or their child’s, personal information
Qualifications for DPOs
The GDPR does not specify the relevant qualifications that DPOs need, but it does require a DPO to have “expert knowledge of data protection law and practices.”
A DPO may be a staff member of the controller or processor, and related organisations may use the same individual to oversee data protection collectively, provided that it is possible for all data protection activities to be managed effectively. In this scenario, the DPO must be easily accessible by anyone from any of the related organisations whenever needed.
The DPO’s information must be released publicly and provided to all regulatory oversight agencies.
Finding a DPO
Schools need to have their DPOs in place before the Regulation comes into effect on 25 May 2018.
The DPO needs to have expertise in data protection law and practices, as well as a complete understanding of your IT infrastructure, technology, and technical and organisational structure. You may designate an existing employee as your DPO, or you may bring in an external DPO.
Ideally, a DPO should have excellent management skills and the ability to work easily with internal staff at all levels as well as outside authorities. The best DPO will do everything possible to ensure internal compliance and yet alert the authorities to non-compliance if such an event occurs. They will have a clear understanding that the school may be subjected to hefty fines for non-compliance.
So, who will be your DPO? We have put together a comprehensive list of roles within a school and the pros and cons of the person in the role being appointed as the school’s DPO – download it now.