As a maintained school or an academy, you are required to have a Data Protection Officer (DPO). And it is highly recommended that independent schools appoint a DPO voluntarily.

Data Protection Education performs all the mandatory responsibilities of the DPO, helping you with data protection compliance through our approach based on GDPR accountability and the prioritisation and management of risk.

We remove much of the administrative burden around GDPR - our Knowledge Bank provides all the tools required for managing your programme as well as evidencing your compliance with the Information Commissioner's Officer Accountability Framework.

We don't just use these tools for logging and monitoring. We use them to inform and make data-based decisions to prioritise actions required to manage your risk, whilst always supporting and representing the rights of data subjects throughout your organisation.

Our experience is in education and with Data Protection Education you never need to worry about the availability of your DPO. We operate a dual approach:

• Outbound support that we provide in pushing out the framework and knowledge bank tools to you. Led by a designated consultant and support team, we'll use our tools and best practice to manage your journey to compliance.
• Inbound support from our core DPO team. Whether you have a routine question or complex data subject access requests, data breaches or freedom of information requests we have someone ready to respond.

Alongside consultation reports, we use checklists, logs tickets and compliance reports on our Knowledge Bank to monitor implementation of best practice and adherence to timeframes. And we monitor risks of all your data processing activity, new and existing, using our unique record of processing tool.

Dependant on your structure, we report annually to the board of governors or trustees on compliance or as required if there are imminent non-compliance and corporate governance issues that need to be raised.

Our best practice library has a wide range of core documentation templates and other resources. Using our document generator, you can automatically produce reports from your school's records of the processing activity. This means retention schedules and privacy notices are based on what you do, not just gneric recommendations.

We are proactive in communicating with you to ensure that you are aware of new content and important information when you need to know. Our themed termly newsletter is supported by our other resources: drip-feed posters, e-learning, news updates and tips for you to promote out to staff throughout your organisation.

Our record of processing tool is populated with a large number(and growing) of generic processes, which can be easily adopted by your organisation and adapted to your circumstances. We use this tool to assess and report on risk, meaning that processes can be risk assessed and reported on for data protection impact assessments. In fact, we may have a generic process with a ready-made risk assessment available for you right now. If we haven't, we'll add it in the system.

Our experience in the education sector allows us to make data protection guidance contextualised to your needs, rather than abstract references to the data protection act.

The Knowledge Bank Best Practice Library is extensive and searchable, covering areas of school data and the data protection requirements. From Acceptable Use, to Working Out of School, each best practice area provides guidance, a checklist to monitor and report on the implementation of that area as well as answers to frequently asked questions.

As DPO ensuring an organisation complies with their obligations often means we have to represent the rights of data subjects. We log all data rights requests and ensure that they are dealt with timely, independently and accurately.

We are used to dealing with incredibly complex cases and can help you navigate the difficult processes, communications and documentation of any decisions made.

As professionals, we sometimes must speak the truth to authority. DPE is always completely independent and as DPO is mandated to report to the highest management level of the organisation. This means that whilst we work with operational staff throughout the organisation, we can (and do) escalate to the board of governors or trustees if needed to avoid any corporate governance issues of non-compliance.  

Aside from over 100 years of industry knowledge, all our consultants have achieved  various data protection certification programmes including CIPP/E from the IAPP or the BCS Data Pritection Practitioner. Our core DPO includes our solicitor and two Masters Degrees in Data Protection Law.

DPE is completely independent of any organisations decision making processes.

Being independent, we avoid conflicts of interest that might exist in a school where a member of staff designated as DPO might have other responsibilities; for example, on the senior leadership team, or managing the IT department. This means we can review any decisions or data processing activity completely impartially and without bias.

We pride ourselves on our professionalism and all our work is completely confidential.

We operate on a need-to-know basis, especially in matters of sensitive subject access requests and data breaches, where we will restrict knowledge and access to certain qualified members of the core DPO team.