Frequently Asked Questions
Some of your GDPR questions answered...
What, if any, training or qualifications does a DPO have to have?
Neither the GDPR nor the ICO has specified what training or qualifications DPOs need. However, the GDPR states in Article 37 that ‘The data protection officer shall be designated on the basis of professional qualities, and in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in article 39’. So the individual clearly needs to have already undertaken, or to undertake in the near future, an in-depth study of this law. Previous qualifications in the existing Data Protection Act will be extremely beneficial; however, these alone won’t make you an expert in the new law unless you’ve carried out additional significant personal study in this area or, as a minimum, attended training in this area.
DPOs are required to carry out continuous personal study, which schools will be legally required to support. Article 38(2) says ‘the controller shall support the data protection officer…by providing resources necessary to carry out [their] tasks…and to maintain his or her expert knowledge’. This means they will need to attend training, Data Protection briefings, forums, etc. to stay up to date.
Which helpfully we will be providing!
Who can take on the role of DPO?
The DfE have recently said in a YouTube video that they think the DPO shouldn’t be the Head or IT Manager, so any other role is likely to be fine. The proviso with any role is that they have the right personal qualities, skills, experience and knowledge (which for most will have to be developed rapidly over the coming year), no conflict of interest, the authority to provide challenge to SLT and importantly the time to carry out the role. As a minimum, the DPO will be required to:
- Raise awareness
- Train staff
- Carry out audits
- Inform and advise the school on applying the law
- Monitor compliance with GDPR and school policies, and write policies/procedures
- Advise on the use of DP Impact Assessments
- Contact point for the ICO and data subjects
How much time and work is involved?
This is really hard to quantify because it depends on the size of the school, number of staff, previous knowledge and experience of the new DPO. But as an estimate, they could spend 2-3 days per week.
This could be taken up with:
- Reading and studying the law and the numerous guidance and interpretation continually coming out about different areas
- Delivering staff training
- Updating policies
- Providing advice
- Attending meetings
- Writing reports
- Supporting data breach investigations
- Dealing with complaints, etc.
What type of records do schools now need to keep with regards to their GDPR activities?
There are a number of things they can do to demonstrate their compliance/journey to compliance:
- Carry out an audit to check their readiness for the GDPR
- Carry out a data mapping audit to identify and record the types of personal data they process; why they are processing it; what their lawful basis is; who they share it with; how long they keep it for; where it is stored
- Update their policies, procedures, consent forms, privacy notices, contracts
- Deliver awareness training to staff and more in-depth training to those who handle particularly sensitive information
- Create an action plan on how they are going to implement the changes and assign responsibility and timeframes to particular individuals
Do schools need to record every discussion they have about GDPR?
Schools aren’t required to record every conversation they have about GDPR. It’s more about having documentation that shows how they are meeting the requirements of the GDPR.
The most important starting point is for the SLT to create and record an action plan; assign responsibilities and timeframes and decide who will be their DPO.
The audits or self-assessments are a really great place to start, as they will identify any shortcomings.
What training is available?
If you appoint your own DPO, rather than buy into our Babcock DPO service, the following training and briefings are available from us:
- Termly Data Protection support briefings for your DPO, where schools come together with our Data Protection Officer/Consultant to discuss problems and share learning (part of our Level 2: Core Support Package)
- Handling Personal Data (half-day briefing session)
- Freedom of Information (half-day briefing session)
- Requests and Complaints (half-day briefing session)
- Data Breaches (half-day briefing session)
Contact the Data, Assessment and GDPR Team
GDPR Helpline: 01392 287317
Email the team