Data Protection Officers


Articles 37-39 in the GDPR

Schools are now legally required to appoint a Data Protection Officer (a DPO) for their school. An organisation can be fined up to £8.5 million for not appointing a DPO when it should have.

Official guidance states this person should have "expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR" (Article 29 Data Protection Working Party Guidelines). 

A Data Protection Officer can be an employee of the school, or the school can outsource the role to an external person. The legislation states that the DPO must have the freedom to carry out the role independently and must not have a conflict of interest.