Not an easy question to answer but I’ll try!
If you are a part of a Multi Academy Trust or a Scottish school, then the answer is just what you want to hear – you don’t need a DPO.
The Trust (or, in Scotland, the local authority), not the school, is the Data Controller. It is their responsibility to appoint a DPO – not your problem!
The news isn’t so good for English and Welsh Local Authority controlled schools. Here you are the data controller and as such you are required to make the appointment of a DPO yourself. This applies, however, only if the current legislation remains!
Why do I say this?
Well, at the end of October 2017 there were no fewer than 3 occasions when amendments were added by a House of Lords committee working on the Data Protection Bill, then removed, added again and again removed from the Bill. These changes altered the requirement for schools, colleges and universities to appoint a DPO.
Here’s one of the amendments: Point 10
I won’t bore you with the other amendments but as I write this blog, schools in England and Wales will require a DPO. The new law for Data Protection will not be passed until the New Year. Who can guess how it will read? Of one thing I am sure, it will be different from the current EU GDPR laws.
Let’s assume the DPO role remains for schools.
A DPO’s role is to marshal and oversee the lawful processing of personal data and to ensure that the rights of individuals are met. Schools need to get their house in order before a DPO can do their job.
The existing GDPR creates some new rights for individuals and strengthens some of the existing rights under the old Data Protection Act.
There are resources at www.groupcall.com/resources to help you along each part of your GDPR Journey.
Ask me the original question again: When should I appoint a DPO?
My personal view:
Start working now on getting your data protection processes in order. I would wait until February or March 2018 before considering appointing a DPO. By then the new law should be clear and you will be so much better placed to know your requirements for a DPO.
First and foremost, don’t panic.
There are many free resources to help you along each part of your GDPR Journey at www.groupcall.com/resources.