Now that the GDPR has settled in, our data protection experts have continued to engage schools around the country with training and audits.
One major issue that we have found facing a number of schools is the appointment of a Data Protection Officer who meets all of the legal requirements.
Essentially, an organisation's DPO must not have any conflict of interest as a data controller. This is challenging for schools and trusts of all sizes, but it can become a serious conundrum for smaller schools who may only have a few support staff. Guidance from the European Data Protection Board states as a rule of thumb that senior management roles including the chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing department, head of Human Resources or head of IT departments are all conflicted out. In schools, this would also include heads, deputy heads, department heads and your IT officer.
That leaves teachers – who are likely to already be burdened with a high workload, and admin staff who may not be senior enough to take on the role. If you are lucky enough to have a staff member who is interested in fulfilling the DPO role who isn’t conflicted out while still having enough seniority to be heard at all levels, grab them for the role with both hands!
Worryingly, some schools who are struggling to find a person who meets the criteria have opted not to appoint a DPO and instead are choosing to deal with subject access requests and data breaches on an ad hoc basis. This is a dicey proposition under the GDPR because having a named DPO on your privacy notice is the easiest thing for somebody to check if they wanted to know about your GDPR compliance. All it takes is one parent who thinks they know a bit about data protection to look on your website and you could be getting a surprise call from the ICO.
Even if you’re still treading water on organising your data protection compliance (and get in touch with us if you are), having a named DPO should be your highest priority even if plan to change them later.
So who does that leave?
If there are no teachers with enough time on their hands and everybody else is conflicted out, then solving the DPO riddle doesn’t have a simple answer, but here are four suggestions you could consider:
1. Conduct a DPO swap with another local school
One way to get around the conflict of interest stipulation is to engage in a DPO exchange with another school where you agree to be a DPO for each other. If you have a good relationship with a local school and suitable staff members, it is definitely worth considering. The main challenge to be wary of is working out what you will do if one of the schools suffers a major breach, because the other school might suddenly find their staff member busy for quite some time!
2. Engage with a Virtual DPO service
A VDPO is a comparatively cheap (certainly much cheaper than hiring a new staff member) option where a DPO is provided as a service. A VDPO service will give you a named DPO for your website and privacy documents and will generally also offer compliance guidance and a contact you can engage if you have any questions.
Groupcall offer a competitive VDPO service through Fusion Forensics: click here to find out more!
3. Consider hiring a DPO at a trust level
While this is only realistic for bigger multi-academy trusts, if you can spare the budget you should hire a DPO. If you already have somebody in a compliance officer or legal secretary role, they are more than likely your best choice.
4. Consult your Local Authority
Local authorities have taken quite a range of views on their role in school data protection. Some have decided that the job of a data protection officer is nothing to do with them, while others (such as Warwickshire) have a DPO as a service offering. If you are unsure, it is definitely worth talking to your local authority to see where they stand in this regard.
Finally...
Each school and trust will have to come up with a DPO solution that works for them, because unfortunately ‘doing nothing’ really isn’t an option. Sadly, there will be no obvious or perfect answer for a number of schools, so you may have to make a sacrifice somewhere. However, it is a challenge every school must meet as the ICO has now conducted over 20 advisory visits on schools since GDPR came into force, as well as completing a full audit on Enquire Learning Trust - and these numbers (and the potential for public breaches) will only increase.
Failing to meet the requirements of an independent data protection officer is one of the quickest (and most visible ways) for a school to not be GDPR compliant. Groupcall offer a number of GDPR compliance services, from ongoing training to Virtual DPOs and GDPR Governance.