GDPR in Schools – Still a “Work in Progress”?
With the recent announcement by the ICO that they intend to fine BA around £183m for a data breach, the appetite of Academies and State schools to review how they approach GDPR and who they appoint as a DPO is starting to move up their agenda. I'm also noticing more Independent Schools consider whether they need to 'professionalise' the DPO role.
The data schools hold is hugely sensitive and, rightly, there is a requirement for all state maintained Schools (including SATs and MATs) to appoint a Data Protection Officer (DPO).
Before you read on, think about who yours is for a moment...
I would estimate up to 2/3rds of school DPOs don't meet all the basic requirements, e.g. that they MUST:
be independent, i.e. not at risk of a conflict of interest. That potentially rules out: the Head, the Business Manager, Governors or Trustees, IT Managers or, in a MAT, the CEO / FD / COO
have 'sufficient expertise' (what sufficient expertise means in reality is difficult to assess but, for schools, the level and sensitivity of data it collects and holds would suggest that the 'expertise' the DPO needs should be pretty thorough).
So, what should your 'expert' DPO be doing?
Keeping the school(s) up to date with their data obligations now and in the future
Monitoring compliance with the law as well as school policies
Cooperating with the Information Commissioner's Office (ICO)
Managing Subject Access Requests (SARs) within the required timescales
Advising on and reporting data breaches to the ICO within 72 hours
Keeping up to date with GDPR developments and training staff accordingly
Whilst this list is not exhaustive, it is designed to start you thinking about whether the "Work in progress" in getting a compliant DPO needs moving up the priority list.
In my view, some responsibilities are worth outsourcing to ensure compliance and minimise risk and reputational damage - arguably the role of the DPO is one of them.
To put the 'need' for a quality DPO in perspective, my Education Specialist DPO service provider act as DPO for over 1200 schools and they currently handle over 100 subject access requests per week and over a dozen reportable breaches PER DAY!
If you'd like to talk to them about how they can support your Multi Academy Trust, Single Trust, State Maintained or Independent School, let me know by requesting information HERE