We’ve had lots more thoughts on the DPO role over the last couple of days – we never thought we could become so interested in something so obscure!
The two documents from ICO and LGfL were indeed helpful and we think we have found a way forward that works for Chase Bridge.
To summarise, the DPO’s minimum tasks are:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).
You must ensure that:
- The DPO reports to the highest management level of your organisation – i.e. board level.
- The DPO operates independently and is not dismissed or penalised for performing their task.
- Adequate resources are provided to enable DPOs to meet their GDPR obligations.
In the Chase Bridge context we have decided we will be tagging these operational responsibilities to the SBM role, and our governor will be involved in monitoring compliance with GDPR and reporting on this to the GB. But … we began to see that there could be a conflict of interest (the LGfL document is particularly helpful on this). We think, however, that the conflict of interest can be avoided.
So, assume the officially named DPO is the SBM. The conflict centres round the DPO also being in the position to decide ‘what personal data to collect, why and how as part of their core role.’ This element can be part of the DPO link governor’s remit as part of the policy in the school. This wouldn’t be a hands-on operational matter that the governor or governing body would be involved with – they are making the decision about the scope of what data to collect and the reasoning why. Governors also already have the statutory powers to enforce this. The practical ‘how this is done’ could be decided upon by the headteacher, with the SBM/school employee getting on with the operational role of making it all happen. The crucial thing is that the employee is not making the decision about what data is collected, or how and why it is collected.
We think this is all about carefully outlining what is in the employee’s JD, and the GB (and the named DPO/GDPR linked governor) being clear about their responsibilities, which would be defined within the school’s policy. Given the school context for implementing GDPR – the need to keep things as simple and manageable as possible, to build on existing school structures and to avoid the additional cost of employing someone to do the job (which we are sure many large organisations might do) – our view is that this is a reasonable, manageable and proportionate way forward for schools, and ideally what we would like to pursue at Chase Bridge.
How are you approaching the DPO role? We would love to hear your views.