What to consider when appointing a data protection officer

The creation of the role of DPO has led to queries from schools: who should take on the role and what do they need to do? Here's our guide
GDPR article image
The creation of the role of DPO has led to queries from schools: who should take on the role and what do they need to do? Here's our guide

Data protection officer (DPO) is a new role created under the General Data Protection Regulation (GDPR), and it is one that has caused a lot of confusion. We will try to make things clearer in this article. 

Firstly, all schools, except independent schools, will need to have a designated DPO. (Independent schools are not public bodies and do not legally require a DPO, but it may be worth having one, as they will still need to comply with GDPR.) 

The DPO is in charge of the school's compliance with the new data-protection rules. In the event of a breach, they will be the point of contact within the school and the one to notify the Information Commissioner's Office (ICO).

What does a DPO need?

The DPO will report to the highest level of the organisation, in this case, the board of governors. 

They must be given adequate resources to perform their duties, check the compliance of the system, and have no conflict of interest.

These requirements of the job point towards the role being taken up by someone in a position of seniority within the school. The person who takes on the responsibility will need extra training to develop their knowledge of data protection to ensure their role is compliant with GDPR.

“They do have to be an expert in data protection,” says Helena Wootton, data protection expert and partner at law firm Browne Jacobson.

“It needs to be someone who is prepared, willing and able to take on the learning that’s required, so it’s about the individual who has the capacity to do that.”

Dai Durbridge, education specialist and partner at Browne Jacobson, says the DPO is just like a designated safeguarding lead role.

“I equate it in terms of seniority and in time it will be similar to the designated safeguarding lead role in a school," he explains.

Durbrdge believes that in a year’s time, “the amount of work undertaken by a DPO is going to be, in the average-sized multi-academy trust (MAT), probably around two-to-three hours a week.”

To learn more about GDPR, see our other guides:

What is a conflict of interest?

One of the areas that has caused the most confusion around choosing a DPO is the conflict-of-interest clause. The head of IT would, on the surface, appear to be someone who could be a suitable DPO, as they are a data-protection expert and report to the highest level of the school. However, their conflict of interest would rule them out of the role.

Wootton explains the reasons why: "It can’t be the IT director because they set the strategy for an IT system and that would conflict directly with the DPO, who has the responsibility of checking the compliance of the IT system against GDPR."

So that raises the question of who exactly can be a DPO?

Choosing a DPO

There are a number of other strategies that schools are undertaking to fill the role, including employing an outside contractor, sharing a DPO across a number of schools, swapping the DPO role with a neighbouring school or giving the job to a school business manager.

Karen Crowston, vice chair of the board of trustees at Ninestiles Academy Trust in Birmingham and Solihull, explains why her trust has taken the decision to buy in the DPO service.

“We are currently trying to understand what this role will entail and who can, or cannot, take on the role due to a potential conflict of interest," she explains.

“You get different answers from different people about this, and in view of the timescales involved we have taken the decision to buy in a DPO as a service starting in May, and we plan to review it next year. This seemed to be a cost-effective way of resourcing the role rather than appoint a full-time DPO.”

However, as Russell Holland, barrister and education specialist at Michelmores, explains, buying in the role will not be a suitable option for all schools: "If you think about small rural schools, the idea that they can afford their own DPO is just ridiculous; it’s not going to happen.

"It may be a governor with appropriate support might be able to take on that role.”

There are drawbacks to sharing a DPO, or the role being assigned to a governor, one of which is that they would not be based in the school. For example, one question is how quickly could they be contacted in the event of a breach?

If the role is outsourced, or is held by someone not from the school, it may lead to breaches not being disclosed, Durbridge believes.

"If I was a member of staff in a school and I was worried I might have caused a data breach, and I’ve got to get in touch with the DPO, I think I would prefer it to be someone I knew, had worked with and trusted rather than somebody at an external organisation.

"It’s more formal, it’s more scary, it perhaps is a bit of a barrier to actually making that disclosure of a breach."

One position that has been suggested for the role of DPO is the school business manager. However, whether your school business manager could take on the DPO job would depend on what their role currently entails. 

The role varies from school to school, and what they do on a day-to-day basis will be radically different if they are a school business manager in a small rural school when compared with one in a five-school MAT. A conflict of interest would also arise if they are involved in the strategy or maintenance of the IT system, but if their only IT contact is just inputing data, that should not constitute a conflict of interest.

Find out more about responding to a data breach