Malcolm McNinch, Head of Data Governance & Compliance, and also Data Protection Officer (DPO) for iSYSTEMS and Cantium Business Solutions, explains the importance of the DPO in our schools…

Schools hold a wide variety of personal data on children, parents and carers, often on a number of different digital platforms. Data Protection in educational institutions therefore remains crucially important.

The General Data Protection Regulation (GDPR) dictates that for most schools, a named DPO registered with the Information Commissioner’s Office (ICO) is a legal requirement.

Comprehensive data protection support

Schools can appoint someone within the organisation to be their DPO, however the GDPR states that your chosen DPO must be independent and have no conflicts of interest. This means that the role cannot be appointed to someone who influences the day-to-day handling of school data or a key decision-maker, such as a school business manager or head teacher.

DPOs provide advice on the use of children’s personal data and parental consents, as well as providing support with third-party suppliers’ contracts to cover data protection, risk assessment guidance and data protection impact assessments (DPIAs).

It cannot be stressed enough that whoever you appoint as your DPO, they need to be qualified for the job. A DPO must be uniquely positioned to deliver comprehensive data protection support, for which, an in-depth knowledge and experience of data protection legislation and its application is vital. DPOs need a robust understanding of information security and must also have the ability to react and deal with complex problems quickly.

A 360 focus on data protection

Keeping the role in-house is possible, but can prove tricky when having to challenge peers, and change existing processes. Many schools have realised the importance of the role and have opted to partner with an external DPO provider, with certified GDPR practitioners and data privacy experts.

The additional pressure of the DPO role is often underestimated when internal staff members are appointed. With the time and focus needed to properly manage this responsibility, it can easily distract attention away from the core business of teaching and learning. An external DPO however, can take a full 360 focus on the various aspects of the role.

Expert defence against cybercrime

With a surge of cyber-attacks on the education sector, many schools have realised an experienced DPO can reduce the chances of their establishment falling victim to cybercrime.

Unfortunately, incidents are sometimes unavoidable. In appointing a DPO, you arm yourself with someone who can support your school through the process, should an incident or breach occur. Likely to already have a collaborative relationship with regulatory authorities, they can handle liaisons with the ICO on your behalf when necessary and help to minimise the impact on your school.

The all-important culture change

In my experience, schools tend to work in silos – if there is a data-related incident with one member of staff, it often isn’t shared with the rest of the team. This is a mistake, as sharing and learning is the best form of prevention. Put simply, ‘if you don’t log it – you can’t fix it’. It’s also how you go about making that all-important culture change towards a more data secure and data conscious workforce.

The best form of data protection is when it’s incorporated into everyday practice. Whether you opt for an external partner, or appoint someone within your organisation as your DPO, making sure everyone in your organisation knows the importance of data protection and data security will inspire and progress change, and crucially, help prevent data breaches.

Image by Gerd Altmann from Pixabay