DPO

What is a DPO?

A DPO is a Data Protection Officer.

Do schools need one?

Because schools are classed as ‘public bodies’, they will be required to have a named DPO. This is unlikely to need to be a full-time role.

Who can be your DPO?

You may already have someone leading on data protection within your school; however, the new regulations place some restrictions on who can or cannot be the DPO. In effect, anyone who handles sensitive data as part of their main role cannot also be the school’s DPO. This makes sense because there would be a conflict of interest: they would be checking their own practice around handling data. One solution is to use an external person or company to fill your DPO requirement. If you do, the regulations recommend that this is someone known to and trusted by the school.

What does a DPO do?

In simple terms, they help protect your data. A DPO trains school staff in data protection good practice. They work with the data manager, network manager and business manager, as well as other staff, to ensure that the school’s practices are robust and that good practice is followed.

In the event of a breach, they work with the school and the ICO to report it, contain it, review what happened and help change processes to prevent a similar breach from occurring again.

According to the ICO, the DPO’s minimum tasks are defined in Article 39 of the GDPR:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

Source: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/