To outsource, or not to outsource…

I’ve mentioned before that schools face significant challenges with GDPR compliance. State schools deliver a public task and are required to have a Data Protection Officer. It can be hard to find someone who wants to fill this challenging role. The DPO is a source of expert advice on all matters of data protection, but can’t be responsible for determining how personal data is processed.

Many schools are considering whether outsourcing the role of the DPO is the answer to the conundrum. Some local authorities are creating outsourced services for this very purpose. Having someone outside of the management team who can be named on your ICO registration form could be useful.

There are a couple of issues that you need to consider when you think about outsourcing the DPO role. I’ve already mentioned that the DPO is an advisor. They will not be doing the work to make you compliant. They won’t be mapping your data, ensuring that all staff understand the procedures for dealing with SARs, or collating the data to respond to them. These are all tasks that belong to the data controller.

The second issue is about responsiveness to situations in the school. The DPO needs to be available to respond to issues and have good knowledge of the organisation they are advising. Let’s assume there’s someone at the reception desk with a complaint about how their personal data has been processed. A member of the team has to get hold of the DPO, then discuss the situation and be given advice about how to deal with it. By the time that process is finished, tempers may have risen!

Some schools are taking the approach of having a ‘Privacy Officer’ in school who works with the outsourced DPO. This approach seems to balance out the requirements. The Privacy Officer, as the person on the frontline, will need to have a solid understanding of the GDPR to be able to deal with most questions. That will take training and time to build up the expertise.

When you look at outsourced options, it’s worth considering what can practically be delivered and what you’ll still need to have in place to manage data protection after May 25th.