With enforcement of the General Data Protection Regulation (GDPR) less than a year away (May 25th 2018), we’re finding that one particular requirement is causing more uncertainty than others: Article 37 – Designation of the Data Protection Officer (DPO). No doubt, as the deadline for GDPR implementation gets closer, many school organisations are asking, ‘Do we need a DPO?’
The GDPR requires mandatory appointment for organisations that, as part of their core business, regularly and systematically monitor data subjects or process sensitive personal data on a large scale. As the business of schools involves the systematic monitoring of minors, their decision will pivot on their interpretation of “large scale”. The problem is that only the outer boundaries are clear (albeit not defined). For those of you in the grey zone, we’re afraid there is no hard and fast rule. Establishing whether or not Article 37 applies to your organisation will require careful consideration.
Small independents and SATs could argue that there is no requirement for them, but they will need to justify their decision based on their interpretation of the GDPR and record the logic of their decision process.
We’ve published an article on this topic and it’s available to download here.