We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award-winning law firm.

 

Visit our debt recovery website

It’s nearly two years now since GDPR came into force so this is a good time to reflect on some of the lessons we have learnt advising schools and academies on compliance during that time.

This is the first in a series of reflections and we have started with data protection officers as 2018 marked the point where this new role came onto the education radar, presenting a novel challenge for many.

Most of you will have been fortunate enough to be have been able to appoint your DPO at or shortly after GDPR came into force. However, we have seen over the last two years that finding the right person to fill the role can be difficult and that many of the schools and academies that we work with have been forced (through resignations) or have chosen (as part of regular data protection reviews) to look again at the appointment they made.

It is no surprise that filling the role of DPO can be difficult given that they must:

  1. have experience and expert knowledge of data protection law;
  2. be able to:
    • inform and advise you about your obligations to comply with the GDPR and other data protection laws;
    • monitor compliance with data protection laws, and with your data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
    • advise on, and to monitor, data protection impact assessments;
    • cooperate with the supervisory authority;
    • be the first point of contact for supervisory authorities and for individuals whose data is processed; and
  1. ensure that any other role they have does not conflict with their responsibilities as DPO.

Whilst the expertise requirements are difficult enough to meet, this last point can be the hardest to comply with. In effect, it means that the DPO cannot hold a position that leads him or her to decide how you handle personal data. Because of this, we do not feel that a governor, headteacher or director of an academy or MAT can be the DPO as there is a real risk of a conflict of interest between their work in one role (where they are a decision-maker)  and the other (which requires strict independence). In light of this, we have found that a lot of organisations are looking again at their appointments and choosing external advisors as their DPO.

SHARE

Share

Scroll to next section

Scroll back to the top