Department for Education data protection compliance toolkit: Data Protection Officers

In this our fifth briefing on the “BETA” version of the DfE GDPR Toolkit, we take a look at how you can support the DPO in performing a vitally important role within your organisation. As you will see, it is not just about accountability.

The requirement to appoint a DPO may not have been a welcome one, given that it represents a further stretch on your already tight resourcing. However, the EU, in developing its strategy for the renewed and strengthened European wide data protection laws was determined to create a regime under which there is an accountable officer. This approach replicates many other situations where a regulatory regime applies eg in financial services and local government (with its Monitoring Officer).

In appointing a DPO, you have probably looked at options and chosen from one of the following three:

• to appoint an existing staff member who is given the ability to report to the Board or Governing Body;
• to share the role with other schools – so it may be a member of your staff or of another school;
• to outsource the role – possibly on a commercial paid for basis.

The DfE Toolkit touches on the possibility of a volunteer performing the role but also casts doubt on that approach given the significance of the responsibilities involved.

All of these options (including the volunteer approach) are recognised under GDPR as appropriate. The Regulation is not interested in how you set about the appointment but expects the role to be diligently performed. For most people performing the role there will be a learning curve of some significance.

If you have yet to develop a formal role description defining the responsibilities of the DPO you should take a look at Article 39 of GDPR. This sets out the key tasks which are:

• to inform personnel within the organisation as the legal responsibilities associated with data protection;
• to monitor compliance both with the law and the internal policies of the organisation;
• to provide advice when impact assessments are conducted;
• to co-operate with the Information Commissioner’s Office; and
• to act as the contact point for the Information Commissioner’s Office.

In a further sub-article the DPO is stated as having a duty to have due regard to risk associated with processing operations.

Within the regulations (at Article 37(5)) the requirements when selecting the DPO are set out:

The DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. It is suggested that at national level the Information Regulator (in our case ICO) should promote “adequate and regular training” for DPOs. It will be interesting to see whether that idea is implemented.

The DfE Toolkit devotes a full section to the role played by the DPO.

There are important objects set. The DPO:

• must understand his or her responsibilities;
• should be “highly knowledgeable” about data protection, GDPR, the school’s operations, technology and security;
• well-placed to promote a data protection culture.

An important issue to address is – who does the Data Protection Officer report to within the organisation on a day-to-day basis? The toolkit in its Beta version has potentially caused some confusion when it refers to the DPO enjoying a somewhat “distant” relationship from the management of the school or academy trust. This might suggest that the reporting line is direct to the Board of Directors.

In our submission commenting upon this version of the toolkit, we’ve suggested to the DfE that this point be revisited.

Individuals appointed to the role should be given appropriate time to perform the role. In many cases a support network will be important. The DPO for a multi academy trust (“MAT”) should have data protection leads at individual school level.

The DPO can then oversee a programme of induction and training at staff level.

One of the greatest concerns that a DPO will have is the duty to notify the Information Commissioner’s Office of data protection breaches within 72 hours.

Few staff will relish the very important duty they now have to speak to the DPO about incidents.

The answer will undoubtedly be the development within the organisation of a no blame culture, whilst making sure that employees follow sound policies and procedures that contribute to managing the risk and mitigating the consequences of any data protection breaches that arise. Disciplinary procedures when policies and internal rules are not followed must always be a potential consequence but breaches of data protection laws can occur in many truly unforeseen circumstances.

If you have any questions about your response to GDPR or any of the issues raised in our series of briefings, please contact Frank Suttie.