Recruiting a School Data Protection Officer
Their role and the qualities they need
In May 2018, the Data Protection Act will be replaced by the General Data Protection Regulation (GDPR). A key change is enhanced accountability for organisations that handle personal data. One of these accountabilities is the requirement for public authorities, including all maintained schools and academies, to appoint a Data Protection Officer (DPO). For independent schools, appointing a DPO demonstrates that you take the data protection of your pupils seriously. Schools can share a data protection officer or engage with an on-demand service.
What does a DPO do?
The role of the DPO is to advise your school on the requirements of the regulation and to manage and monitor your journey towards compliance. It is the school’s responsibility to follow this guidance and, if you choose not to, the DPO is not responsible if anything goes wrong.
The DPO manages internal data protection activities, advises on data protection impact assessments, raises staff awareness and manages their training, and conducts internal audits. They are the first point of contact for the Information Commissioner’s Office and for pupils, parents and staff if there is a problem or they need guidance.
What does the regulation say about your duties when employing a DPO?
You must ensure that the DPO:
- reports to the highest management level of your school, i.e. the governing body or the trust board;
- operates independently and is not dismissed or penalised for performing their task. If you ask a current member of staff to be the DPO, their other professional duties must not create a conflict of interest; and
- is provided with adequate resources so they can meet their GDPR obligations.
What qualities and experience make a good data protection officer?
When considering this, remember that the regulation is a law that your school must abide by. The individual you appoint must have the confidence to potentially change the culture of data handling in your school whilst being someone your staff, pupils and parents trust and find approachable.
- Knowledge of data protection laws
Whilst the GDPR does not specify precise credentials, it does require that the DPO has professional experience and knowledge of data protection law. This should be proportionate to the type of processing your school carries out, taking into consideration the level of protection the personal data requires.
- Experience of leading projects at an operational level
Moving your school to compliance requires strong project management and leadership experience.
- Leadership-level presence
Your DPO must be able to engage with experienced school leaders, governors and groups such as inspectors who will not know the intricacies of the regulation or the DPO function.
- Education sector experience
Sector experience will help your DPO to integrate into the school and understand how privacy should be implemented across it. School-based experience of networking and data architecture will help them to quickly understand systems and processes and guide your technical teams.
- Be approachable
The data protection officer must be able to talk to your staff, pupils and parents in non-technical language that they understand. They must help data subjects understand their rights and be approachable to them if they need support.
- Be a self-starter
DPOs must be self-starters, with the competence and skills to work independently and without guidance.
Supporting your DPO recruitment
As experienced education sector recruiters and with a network of data protection professionals, we now offer a DPO recruitment service. Whatever your DPO needs, we can support you to find the right person. Talk to us today about how we can help you. Call us on 0845 686 0690.