The role of a Data Protection Officer in Schools and Multi-Academy Trusts

Why do we need a Data Protection Officer? 

It is a requirement for any public body to appoint a Data Protection Officer.  

What is the role of a Data Protection Officer? 

A Data Protection Officer (DPO) will ensure that you are compliant with Data Protection legislation, advise on your data protection obligations and assist with Data Protection Impact Assessments, Subject Access Requests, Freedom of Information Requests and data breaches.

Article 39 UK GDPR defines the tasks of the DPO.  

In your school/MAT, you should expect your DPO to deal with the following tasks: 

  • Organise (and most likely deliver) staff data protection training,
  • Carry out an annual compliance audit to review data protection compliance, 
  • Create the data protection action plan for your school/MAT, 
  • Advise and assist in providing a response to Subject Access and Freedom of Information Requests, 
  • Advise and assist in dealing with data breaches, 
  • Be the point of contact with the Information Commissioner's Office,
  • Advise and assist with any Data Protection Impact Assessments,  
  • Assist with creating the Record of Processing Activities, 
  • Assist with monitoring and recording the compliance of all third-party data processors,  
  • Provide compliance update reports to the Governors/Trustees.

Who can be a DPO for our school/MAT?

Your DPO must be independent and an expert in data protection law. It can be an internal employee or an externally appointed Data Protection specialist.  

If you appoint an existing member of staff, you must ensure that they have the right level of expertise in data protection law and that their role does not cause a conflict of interest.

If the employee holds a role that involves determining the purpose and means for processing personal information, then they cannot act as the DPO.  

The DPO must be able to advise and influence the Senior Leadership Team, Governors, Trustees and/or CEO and should be adequately resourced and supported to ensure that they can carry out their role.  

What can you do to support your DPO? 

Ensure that they are contacted as soon as possible when their advice or assistance is required.  

Provide the resources and access they require to carry out their role effectively.  

Provide appropriate access to the information required to carry out their role.  

Ensure that your DPO reports to your most senior level of management.  

If you would like to discuss our Data Protection Officer service please contact