Not an easy question to answer, but I’ll try! If you are a part of a Multi Academy Trust or a Scottish school, then the answer is just what you want to hear – you don’t need a data protection officer (DPO). For Trusts and schools in Scotland, the local authority (LA) is the data controller - not the school. It is the LA’s responsibility to appoint a DPO – so that’s not your problem!
The news isn’t so good for English and Welsh Local Authority-controlled schools. Here, you are the data controller, and as such you are required to make the appointment of a DPO yourself. This is, however, if the current legislation remains!
Why do I say this?
Well, at the end of October 2017 there were no less than three occasions when amendments were added by a House of Lords committee working on the Data Protection Bill, then removed, added again, and once again removed from the Bill. These changes altered the need for schools, colleges and universities requirements to appoint a DPO.
Here’s one of the amendments - pay particular attention to Point 10.
I won’t bore you with the other amendments, but as I write this blog, schools in England and Wales will require a DPO. The new law for data protection will not be passed until 2018. Who can guess how it will read? Of one thing I am sure; it will be different than the current EU General Data Protection Regulation (GDPR) laws.
Let’s assume the DPO role remains for schools. A DPO’s role is to marshal and to oversee that personal data is lawfully processed and to ensure the rights of the individuals are met. Schools need to get their house in order before a DPO can do their job.
The existing GDPR creates some new rights for individuals, and strengthens some of the existing rights under the old Data Protection Act. There are resources at www.groupcall.com/resources to help you along each part of your GDPR journey.
Ask me the original question again: When should I appoint a DPO?
My personal view is this: start working now on getting your data protection processes in order. I would wait until February or March 2018 before considering appointing a DPO. By then the new law should be clear, and you will be so much better placed to know your requirements for a DPO.
First and foremost though, don’t panic. There are many free resources to help you along each part of your GDPR journey at www.groupcall.com/resources.
Want to receive cutting-edge insights from leading educators each week? Sign up to our Community Update and be part of the action!