Half of schools aren't ready for GDPR data protection officer requirement

Half of schools are not yet ready to meet their legal duty to appoint a data protection officer, although the deadline for an appointment is fast approaching.

New research by The Key, seen exclusively by Schools Week, asked headteachers who they planned to appoint to handle data when the new general data protection regulation – or GDPR – rules come into effect.

From May 25, schools will need to be clearer about the data they hold about their pupils and respond more quickly to requests for copies of personal data. They must also have a data protection officer in place to supervise the way data is handled.

Already stretched school leaders are working hard to get their head around the new regulations

Of the 1,032 school leaders who responded to the survey, 50 per cent said they had not yet decided who would be their officer. The problem was more acute in rural schools, where 53 per cent had not made an appointment, and in primary schools where 52 per cent were undecided.

The Department for Education says a data protection officer would have to make a “reasonably big commitment”. They must be “highly knowledgeable” about data protection and the new regulations, and “understand the school’s operations and policies”.

The officers will report directly to their governing body, and conduct data protection impact assessments.

According to Fergal Roche, chief executive of The Key, many schools are struggling with practical and legal issues surrounding the new role, especially at a time of financial pressures.

“Already stretched school leaders are working hard to get their head around the new regulations,” he told Schools Week.

“Identifying a suitable data protection officer to monitor your school’s compliance is not easy, practically or legally, when the requirements include having a sound knowledge of data protection law, yet no conflicts of interest, and when budget constraints make outsourcing a non-starter for most schools.”

Roche urged school leaders who have not yet made an appointment to “draw on decisions already made in other schools like theirs”.

The Key’s survey reveals too that so far school business leaders are most likely to be named as data protection officers.

Twenty-one per cent of the heads who had someone in place said they had appointed their school’s business manager or bursar.

Paul Whiteman

Twelve per cent planned to outsource the role to a data protection professional or other external contractor, while 9 per cent will use a member of staff from their multi-academy trust or local authority. Six per cent of leaders plan to give the role to their deputy or assistant head, and 2 per cent will use a business manager from another school.

Headteachers cannot fill the role because of conflict of interest rules that require the officer to be removed from decisions about technology and processing. This also bars heads of IT.

Paul Whiteman, general secretary of school leaders’ union the NAHT, called for more support from government for schools struggling to meet the new requirements.

“While data protection is nothing new to schools, and most should be prepared, the government could help schools more by highlighting the true must-haves for GDPR compliance, specific to schools,” he said.

“NAHT has provided advice for members and has been running GDPR information and preparation sessions across the country.”