The General Data Protection Regulation (GDPR) is intended to strengthen and unify data protection for all individuals within the EU – and addresses the export of personal data outside the union. Set to come into play in May 2018, it leaves many questions about how it will affect our schools. STEPHEN MITCHELL, COO of the Mowbray Education Trust, unpicks one such question: whether an SBM can fulfil the new statutory role of data protection officer (DPO).
So, the start of the new academic year is upon us – new pencil cases and crisp school uniforms are the order of the day…along with an impending sense of panic as SBMs the length of the country realise that the behemoth that is the GDPR is coming into force this academic year. This year… THIS YEAR!
The big question I’ve seen filling the Twittersphere over the last few weeks, though, is whether or not an SBM can fulfil the new statutory role of data protection officer (DPO). This seems to be causing much angst, with no clear views emerging. I’ve spent a significant amount of time getting my head around what GDPR means for my trust and we now have a clear plan in place to ensure we’re compliant.
And, yes, I believe that SBMs can fulfil the role of DPO.
Breaking down the big bad GDPR
Without getting too technical, the GDPR states that schools are obliged to appoint a DPO because we fall into the category of a ‘public authority’. It goes on to say that:
- The DPO should be an expert in their field and have specific knowledge of their sector. The employer must help them maintain this knowledge – e.g. by making provision for specific training.
- A DPO can be an employee or a hired contractor.
- DPOs must be able to work ‘independently of instruction’ and must not be dismissed or penalised simply for doing their job. They should report to the highest level of management.
- The DPO’s contact details must be published and registered with the supervisory authority. They will be the point of contact for compliance matters.
Devising the solution
The first is easy to solve: Google* will be your friend in directing you to suitable knowledge about what GDPR entails and the courses available (*other search engines are also available!).
The second one is a bit more pesky. The DPO cannot be judge and jury, player and referee, or make decisions over data processing and be the one that reports failures. If being a DPO would put you in the position of monitoring yourself, then you can’t be the DPO. No ifs, no buts. Similarly, it can’t be the headteacher, as they’re ultimately responsible.
If, however, others can make the judgement about whether practices are appropriate and how work is carried out, then I believe you can be the designated DPO. Case law in Germany has already seen fines imposed on companies that could not demonstrate that their DPO was suitably independent of the data processing.
Size makes a difference
In smaller schools it will be very difficult to have the independence required and schools will have to come up with some creative ways to make the legislation work. One solution is to club together and peer swap the role between local schools, or buy it in from a larger local school that has its own DPO. However, you should enter into this arrangement carefully, and in writing, so that all parties know what they’re responsible for, as well as what their obligations are.
I’m sure many firms will offer outsourced DPO services between now and the May 2018 start date. These may be cost effective but, to be really effective, they will need very open lines of communication with the school in order to identify any breaches, and I fear the onus will still fall on the SBM/school to make them aware of any.
In short, the decision on who can be a DPO is one for heads/boards to make – fortunately. Ask yourself if you would feel comfortable answering a question in court as to whether you’re suitably independent. My Mum always taught me to trust my gut instinct – and that advice has stood me in good stead.