At a principle level the only change between the 1998 Data Protection Act and the GDPR is that under GDPR the school must demonstrate compliance.
A key element in demonstrating compliance is clear responsibility for data protection. The GDPR defines the role and activities of the Data Protection Officer. While certain schools in the UK may have an option of not appointing a DPO, given that you are processing special categories of children’s data our advice is that you should appoint a DPO and that if you don’t do so your ability to demonstrate compliance will be undermined. If you are deemed to be not compliant with GDPR not having a DPO may result in increased sanctions and fines.
The role of the DPO is to bring a culture of privacy, monitor how compliant the school is and to challenge plans or activities where there is a privacy risk. This person is not personally at risk by taking on the DPO role, accountability for compliance remains with the Board of the School.
The DPO must understand the school, data protection and the GDPR and be independent of decisions that impact how the school processes data. It’s a hard role to fill. Options that you can consider include:
– Appointing a current staff member who is independent, possibly the deputy/assistant head or the governor could do it, but you need to ensure they are trained and allowed the time to complete the role
– Joining with other schools and appointing a DPO to work across the group, this may make sense for a multi-academy trust also.
– Having reciprocal arrangements where you act as DPO for a school and that another school acts as a DPO for you; or
– Outsourcing the DPO role to a third party.
We estimate that the role of the DPO in a school that does not have any unusual level of breaches will require about 20-50 days effort over a year. The effort for your school will depend on the complexity of the school, the amount of change going on and the number of requests from individuals to invoke a right such as a subject access request.
Our SchoolsGDPR pack includes a DPO job description and some questions will help you decide on the best approach for your school.