Frequently Asked Questions
Some of your GDPR questions answered...
What, if any, training or qualifications does a Data Protection Officer (DPO) have to have?
Appointing a Data Protection Officer (DPO) in a school is a requirement of the GDPR as schools and academies are defined as public authorities. GDPR states that public authorities processing data have a duty to appoint a Data Protection Officer (DPO).
Neither the GDPR nor the ICO has specified what training or qualifications Data Protection Officers (DPOs) need. However, the GDPR states in Article 37 that ‘The data protection officer shall be designated on the basis of professional qualities, and in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’. So the individual clearly needs to have already undertaken, or to undertake in the near future, an in-depth study of this law. Previous qualifications in the existing Data Protection Act will be extremely beneficial; however, these alone won’t make you an expert in the new law unless you’ve carried out additional significant personal study in this area or, as a minimum, attended training in this area.
DPOs are required to carry out continuous personal study, which schools will be legally required to support. Article 38(2) says the controller ‘shall support the data protection officer…by providing resources necessary to carry out [their] tasks…and to maintain his or her expert knowledge’. This means they will need to attend training, Data Protection briefings, forums, etc. to stay up to date.
Which helpfully we will be providing!
An individual school can appoint a DPO, or a group of schools can share a single DPO as long as they are "easily accessible from each establishment". Article 9 also makes it clear that a DPO can be employed under a service contract.
Who can take on the role of DPO?
When deciding who your school DPO should be, it's crucial to ensure they are sufficiently removed from those making technological or processing decisions, for example, the Headteacher or IT Manager. Any other role is likely to be fine; however, the proviso with any role is that they have the right personal qualities, skills, experience and knowledge, no conflict of interest, the authority to provide challenge to SLT and, importantly, the time to carry out the role. As a minimum, the DPO will be required to:
- Raise awareness
- Train staff - data protection training should be provided annually or no later than every 2 years in schools and is a legal requirement
- Carry out audits
- Inform and advise the school on applying the law
- Monitor compliance with GDPR and school policies, and write policies/procedures
- Advise on the use of Data Protection Impact Assessments
- Act as the main contact point for the ICO and data subjects
How much time and work is involved?
This is really hard to quantify because it depends on the size of the school, the number of staff, and the previous knowledge and experience of the new DPO. But as an estimate, they could spend 2-3 days per week.
This could be taken up with:
- Reading and studying the law and the guidance and interpretation that is continually coming out about different areas
- Delivering staff training
- Updating policies
- Providing advice
- Attending meetings
- Writing reports
- Supporting data breach investigations
- Dealing with complaints, etc.
How can schools demonstrate to the ICO that they take GDPR and Data Protection seriously?
There are a number of things schools can do to demonstrate this and these are a few examples:
- Carry out an annual audit to check their GDPR compliance and develop an action plan to address any issues or areas of concern raised
- Carry out a data mapping audit to assist your school in setting up a Record of Processing Activities document
- Update their policies, procedures, consent forms, privacy notices, contracts
- Deliver awareness training to staff either annually or at least every 2 years and more in-depth training to those who handle particularly sensitive information
- Create a school retention policy and publish this on the school website
What training is available?
If your school appoints its own DPO rather than buying into our Babcock DPO service, there are several training options available:
- Our new GDPR Whole School Staff e-learning training has been written by our school DPO. Not only does it provide e-learning training, but it also gives schools access to the myAko platform to allocate and monitor awareness training to staff. It's also available for use on laptops, tablets and as a mobile phone app! This e-learning training is included in our DPO Toolkit Plus package and is also available to purchase separately on e-store.
- DPO CPD Bundle, which includes a place at our annual GDPR masterclass plus recorded Webex PowerPoint presentations covering GDPR whole staff awareness, running compliance audits, managing personal data breaches and managing subject access requests.
- DPO Termly Networking Forums are a fantastic opportunity for school DPOs to get together to discuss GDPR issues on a termly basis.
- Our Data Breach support package includes a recorded Webex PowerPoint presentation, reporting templates and access to our qualified DPO for advice and support.
Prices and details are available on our main Data Protection Services page by clicking on 'School Based DPOs' or email
Contact the GDPR & Data Protection team
GDPR Helpline: 01392 287253
Email the team