GDPR support January 2018
Context: GDPR – the General Data Protection Regulation – comes into force on 25th May 2018.
Core foci: GDPR marks a natural evolution from the DPA. It incorporates most of the same principles of lawful processing, but also:
takes account of new ways of identifying an individual (biometric data, genetic material, location data, IP address and social media identity are all now included as personal data)
regulates the use of personal data for commercial or campaigning purposes using profiling and targeted advertising
strengthens the law on unsolicited contact
provides better protection for children under 13 when using websites and services
The role of the DPO: the latest guidance from the ICO is that organisations should:
designate a DPO
ensure the DPO is appropriately qualified, effectively supported and has appropriate authority within the organisation
decide where the DPO will fit within the organisation
The DPO is not personally liable for data protection in the school – responsibility sits with the organisation. The DPO does not need to work at the school.
What is a DPO?
A DPO is the Data Protection Officer for an organisation.
Every school and PVI needs to appoint a DPO, as they handle significant amounts of sensitive personal data.
A DPO can be a member of staff, but does not have to be.
There are no official, formal qualifications for DPOs, but they must have expert knowledge of data protection law and practice.
What does a DPO do? The DPO is required to:
inform the organisation of its obligations under the GDPR
monitor the impact and application of policies in relation to personal data
be included in all issues raised by the processing of data, in particular by organising training and establishing a network of persons aware of data protection within the organisation
act as the point of contact for, and cooperate with, the ICO
be available for data subject queries – ‘easily accessible’
publish contact details, not necessarily a name (a general address rather than a named individual)
be consulted on any new processing or data collection which carries a significant element of risk to the individuals affected
A DPO is responsible at a strategic level for data protection, but does not have to perform the administrative or operational functions related to data collection or access requests.
Who can be a DPO? A DPO should be:
senior enough to inform strategy and practice
free from conflict of interest – without operational or decision-making powers for data systems and management
and should:
report directly to the most senior management body (i.e. a school trust/GB)
be able to act independently without being penalised for fulfilling their role
Roles with a potential conflict:
Headteachers – strategic responsibility for data protection
IT / Network Managers – responsible for systems which manage data
School Business Managers and COOs – responsible for systems and processes managing data
Marketing/HR/Finance/Data leads – responsible for using and accessing data
Potential DPOs:
Governors
Deputy and Assistant Heads / senior staff without conflict (i.e. not the data lead)
External agencies providing DPO services – although this will limit your ability to engage/involve staff and ensure day-to-day compliance
DPO skills and abilities:
expertise in data protection laws and practices, including an in-depth understanding of the GDPR
understanding of the processing operations carried out at the school
understanding of information technologies and data security
knowledge of the business sector and the organisation
ability to promote a data protection culture within the organisation
Support for schools in Hertfordshire
Training for:
Headteachers – briefing via HfL Business Services
DPOs – carrying out the role
SBMs and office staff – GDPR overview / implications for schools
Funded by the LA for maintained schools; traded to academies.
An online toolkit for schools/DPOs.
HfL will work with key suppliers (Capita, RM etc.) to ensure compliance.
Proposed online GDPR Toolkit – Spring 2018
Including:
Overview of the GDPR
Guidance and reasons for undertaking an information audit
Provision of sample privacy notices
Provision of a GDPR-compliant data protection policy
Provision of data retention guidance
Clauses to add to supplier contracts
Data breach response plan, together with guidance on how to exercise discretion and template letters
SARs – what to do, when to do it, and template letters
Key questions for governors
An audit template
Whole staff training – available now
Breaches historically are linked to poor individual practice, so ensure that staff:
are aware of the key role they play in data security
take reasonable steps to ensure that data is protected/held in line with school policy
identify where breaches could occur and learn how to prevent them
Further consideration – Summer term 2018
Servicedesk/support to seek guidance on delivering the role in schools/academies
Remote DPO services
Next steps for schools:
Review what data is held where – is it necessary?
Tighten passwords/access to databases/information
Ensure staff are aware of the new focus on data security
Consent – ensure that this is ‘opt in’ not ‘opt out’
Use online services which are clear about their data policies – storage within the EU ideally
This presentation was brought to you by Herts for Learning.