The appointment of a data protection officer (DPO) is one of the more daunting requirements of the GDPR. The concept of the DPO has been around for a long time, and a number of EU countries, most notably Sweden and Germany, have had the requirement in place for years. The GDPR now makes the appointment mandatory across the EU for any organisation, regardless of its size, that meets one of the criteria set out below. Before we get into the criteria, I'll cut to the chase: schools will almost certainly need a DPO.
With that said, this is what Article 37 of the GDPR says about the appointment (the Article text is quoted below, with our commentary after each criterion).
The controller and the processor shall designate a data protection officer in any case where:
Both schools and their suppliers must appoint a DPO if they meet any one of the following criteria. The criteria are alternatives, not a cumulative test: meeting a single one is enough.
the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
This means that every state school, regardless of size, will require a DPO. A single DPO can however be shared: where the controller is a public authority or body, one DPO may be designated for several such authorities or bodies, taking account of their organisational structure and size (Article 37(3)). A group of state schools could therefore share one DPO.
the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
The very nature and core activity of a school is to continually nurture, educate, monitor and track student progress. Whether this is done with traditional paper-based registers and grade books or via school management software, it amounts to regular and systematic monitoring of students, so the GDPR will require oversight of this activity by a DPO. The open question is the second limb of the test: whether the monitoring is 'on a large scale'.
What is ambiguous in this text is the reference to 'large scale' and what exactly it means. Various drafts of the GDPR attempted to define it in terms of a threshold number. The final text does away with specific numbers and instead provides examples: Recital 91 says that an individual doctor keeping records of her own patients is not processing on a large scale, while the Article 29 Working Party's guidelines on DPOs give a hospital processing patient data as an example of processing that is.
the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
'Special categories' is the GDPR's term for sensitive data such as health records and religious beliefs; schools almost certainly hold records of these. Read all about special categories in our Unpacking Personal Data under the GDPR post.
What does this mean for small independent schools?
Will a school of 30 need a DPO? It's unclear. An independent school is generally not a public authority or body (that is a question of national law), so the first criterion does not apply and the question turns on whether its processing is 'large scale' under the second or third. Even so, considering that schools 1) process data systematically, 2) process sensitive data and 3) process children's data, it would certainly be good practice to appoint a DPO, and wise at the very least to prepare for the appointment of one.
What does the DPO do?
It's important to understand the GDPR's intention for this role. The DPO is not simply there to tick boxes and carry out privacy-related tasks in the background. The DPO has a duty to inform and advise the organisation on compliance and to be involved from the outset in every project that touches personal data. The DPO acts as the contact point for the national data protection authority (breach notification itself remains the controller's obligation under Article 33, but the DPO should be involved in it) and must be accessible to data subjects, which for a school means pupils and parents, and to staff, for privacy-related issues. The organisation must give the DPO access to the personal data and processing operations it carries out, and the DPO must report directly to the highest level of management (Article 38).
Notably, the DPO cannot be held personally responsible for non-compliance. That liability lies firmly with the school (controller) and/or its processors (third-party suppliers such as MySchool).
Appointment of a DPO
First off, the DPO must be adequately qualified. Here's what the GDPR says:
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. (Article 37(5))
A DPO can be employed as a full-time member of staff, or DPO duties can be given to an existing employee in addition to their day-to-day duties. It's important to understand that a staff member with a part-time DPO role is still afforded the full set of conditions and protections enjoyed by a full-time DPO.
The school cannot allocate DPO duties to an existing member of staff where a conflict of interest arises (Article 38(6)). In short, this almost certainly rules out anyone in top management and anyone involved in managing staff or student data. An IT manager, for example, maintains the school's data management infrastructure and security; a member of HR manages staff personal data; a school administrator is responsible for the upkeep of student records. It is exactly these activities that the DPO monitors for compliance, and in the case of a breach they must be dealt with transparently, which is not possible if the DPO is reviewing their own work.
If you are thinking about training staff, or just want to understand what is involved, take a look at the non-profit privacy organisation IAPP, which offers DPO training programmes.
Outsourcing the DPO role
This will likely be the most common approach for many schools, since Article 37(5) insists on expert knowledge of data protection law and Article 37(6) expressly allows the DPO to fulfil the tasks on the basis of a service contract. These services will probably come from law and auditing firms; in practice it may be like hiring an accountant or auditor. An outsourced DPO is subject to the same conflict-of-interest and accessibility requirements as an internal one.