Malcolm McNinch, Head of Data Governance & Compliance and also Data Protection Officer (DPO) for iSYSTEMS and Cantium Business Solutions, explains the importance of the DPO in our schools.

Schools hold a wide variety of personal data on children, parents and carers, often on a number of different digital platforms. Data Protection in educational institutions, therefore, remains crucially important.

The General Data Protection Regulation (GDPR) dictates that for most schools, a named DPO registered with the Information Commissioner’s Office (ICO) is a legal requirement.

Schools can appoint someone within the organisation to be their Data Protection Officer. However, the GDPR states that your chosen DPO must be independent and have no conflicts of interest. This means that the role cannot be given to someone who influences the day-to-day handling of school data or to a key decision-maker, such as a school business manager or head teacher.

Data Protection Officers must be qualified for the job

It cannot be stressed enough that whoever you appoint as your Data Protection Officer must be qualified for the job. A DPO must be uniquely positioned to deliver comprehensive data protection support, for which an in-depth knowledge and experience of data protection legislation and its application is vital.

DPOs need a robust understanding of information security and must also be able to react to and deal with complex problems quickly.

DPOs provide advice on using children’s personal data and parental consent

DPOs provide advice on using children’s personal data and parental consent, as well as providing support with third-party suppliers’ contracts to cover data protection, risk assessment guidance and data protection impact assessments (DPIAs).

Keeping the role in-house is possible, but it can prove tricky when having to challenge peers and change existing processes. Many schools have realised the importance of the role and have opted to partner with an external Data Protection Officer provider with certified GDPR practitioners and data privacy experts.

The additional pressure of the DPO role is often underestimated when internal staff members are appointed. With the time and focus needed to manage this responsibility properly, it can easily distract attention away from the core business of teaching and learning. An external DPO, however, can take a full 360-degree focus on the various aspects of the role.


Reducing the chances of cybercrime

With a surge of cyber-attacks on the education sector, many schools have realised an experienced DPO can reduce the chances of their establishment falling victim to cybercrime.

Unfortunately, incidents are sometimes unavoidable. In appointing a Data Protection Officer, you arm yourself with someone who can support your school through the process should an incident or breach occur.

Likely to already have a collaborative relationship with regulatory authorities, they can handle liaisons with the ICO on your behalf when necessary and help to minimise the impact on your school.

If you don’t log it, you can’t fix it

In my experience, schools tend to work in silos – if there is a data-related incident with one member of staff, it often isn’t shared with the rest of the team. This is a mistake, as sharing and learning is the best form of prevention.

Put simply, ‘if you don’t log it – you can’t fix it’. It’s also how you go about making that all-important culture change towards a more data-secure and data-conscious workforce.

The best form of data protection is when it’s incorporated into everyday practice

The best form of data protection is when it’s incorporated into everyday practice. Whether you opt for an external partner or appoint someone within your organisation as your DPO, making sure everyone in your organisation knows the importance of data protection and data security will inspire and drive change and, crucially, help prevent data breaches.

This piece was written and provided by Malcolm McNinch, Head of Data Governance & Compliance and also Data Protection Officer (DPO) for iSYSTEMS and Cantium Business Solutions.
