Data Protection Officer

As a maintained school or an academy, you are required to have a Data Protection Officer (DPO). And it is highly recommended that independent schools appoint a DPO voluntarily.

Data Protection Education performs all the mandatory responsibilities of the DPO, helping you with data protection compliance through our approach based on GDPR accountability and the prioritisation and management of risk.

We remove much of the administrative burden around GDPR - our Knowledge Bank provides all the tools required for managing your programme as well as evidencing your compliance with the Information Commissioner's Officer Accountability Framework.

We don't just use these tools for logging and monitoring. We use them to inform and make data-based decisions to prioritise actions required to manage your risk, whilst always supporting and representing the rights of data subjects throughout your organisation.

Our experience is in education and with Data Protection Education you never need to worry about the availability of your DPO. We operate a dual approach:

  • Outbound support that we provide in pushing out the framework and knowledge bank tools to you. Led by a designated consultant and support team, we'll use our tools and best practice to manage your journey to compliance.
  • Inbound support from our core DPO team. Whether you have a routine question or complex data subject access requests, data breaches or freedom of information requests we have someone ready to respond.




As an outsourced Data Protection Officer we are completely independent and all our advice is completely impartial.

Value for money

Our service is highly-competitive with others on the market. And we offer visits (when possible), remote support, a compliance platform and a rapid-response core DPO team with legal qualifications and years of experience within the education sector.

Our SLA tool not only manages our interactions with you, but provides you with a rolling statement of our time spent on your data protection programme for accountability and transparency.

Industry knowledge

Cumulatively our team has over 150 years of experience in the education sector. That's across primary, secondary, maintained schools, special schools, academies, trusts and local authorities - as teachers, support staff and management. There isn't any aspect of how schools work that we aren't familiar with. 

We don't forget about you

A DPO shouldn't just be there when you get into trouble, the DPO is mandated to be involved "in all issues which relate to data processing". That's why we believe in collaboration.

We have regular calls, remote sessions and other communications to monitor, advise and keep momentum in your data protection programme.


We provide an 0800 number during office hours and our ticket system and logs are available 24/7. We aren't a one-man-band so we have contingency built in and always have someone available to respond.

Data driven working

Our approach involves monitoring and reporting - we use our knowledge of working with schools to use evidence and data from the knowledge bank to make recommendations to not only improve data protection but very often result in organisation efficiency and cost-savings too.

We invest in our people

Our team has multiple specialists - law, IT, HR, finance, child protection as well as data protection. And we are proactive in supporting every member of the DPE team in learning and developing knowledge in their specialist area as well as data protection. All so we can pass this knowledge on to you.

More than a DPO

We go beyond the mandatory requirements - we aim to help improve data protection, but our risk-based approach means understands that school operations require a certain level of risk acceptable to be operational. We aim to minimise risk whilst improving operational effectiveness.

As well as Data Protection, we also support you on any freedom of information requests and other FOI matters, such as publications schemes. 

Fulfilling the requirements of the DPO

1. Monitoring compliance

Alongside consultation reports, we use checklists, logs tickets and compliance reports on our Knowledge Bank to monitor implementation of best practice and adherence to timeframes. And we monitor risks of all your data processing activity, new and existing, using our unique record of processing tool.

Dependant on your structure, we report annually to the board of governors or trustees on compliance or as required if there are imminent non-compliance and corporate governance issues that need to be raised.

2. Policies and documentation

Our best practice library has a wide range of core documentation templates and other resources. Using our document generator, you can automatically produce reports from your school's records of the processing activity. This means retention schedules and privacy notices are based on what you do, not just gneric recommendations.

3. Awareness raising

We are proactive in communicating with you to ensure that you are aware of new content and important information when you need to know. Our themed termly newsletter is supported by our other resources: drip-feed posters, e-learning, news updates and tips for you to promote out to staff throughout your organisation.

4. Data protection impact assessments

Our record of processing tool is populated with a large number(and growing) of generic processes, which can be easily adopted by your organisation and adapted to your circumstances. We use this tool to assess and report on risk, meaning that processes can be risk assessed and reported on for data protection impact assessments. In fact, we may have a generic process with a ready-made risk assessment available for you right now. If we haven't, we'll add it in the system.

5. Advice and best practice

Our experience in the education sector allows us to make data protection guidance contextualised to your needs, rather than abstract references to the data protection act.

The Knowledge Bank Best Practice Library is extensive and searchable, covering areas of school data and the data protection requirements. From Acceptable Use, to Working Out of School, each best practice area provides guidance, a checklist to monitor and report on the implementation of that area as well as answers to frequently asked questions.

6. Subject access and supporting other data rights

As DPO ensuring an organisation complies with their obligations often means we have to represent the rights of data subjects. We log all data rights requests and ensure that they are dealt with timely, independently and accurately.

We are used to dealing with incredibly complex cases and can help you navigate the difficult processes, communications and documentation of any decisions made.

7. Authority to act

As professionals, we sometimes must speak the truth to authority. DPE is always completely independent and as DPO is mandated to report to the highest management level of the organisation. This means that whilst we work with operational staff throughout the organisation, we can (and do) escalate to the board of governors or trustees if needed to avoid any corporate governance issues of non-compliance.  

8. Expertise and industry knowledge

Aside from over 100 years of industry knowledge, all our consultants have achieved  various data protection certification programmes including CIPP/E from the IAPP or the BCS Data Pritection Practitioner. Our core DPO includes our solicitor and two Masters Degrees in Data Protection Law.

9. Avoiding conflicts of interest

DPE is completely independent of any organisations decision making processes.

Being independent, we avoid conflicts of interest that might exist in a school where a member of staff designated as DPO might have other responsibilities; for example, on the senior leadership team, or managing the IT department. This means we can review any decisions or data processing activity completely impartially and without bias.

10. Confidentiality

We pride ourselves on our professionalism and all our work is completely confidential.

We operate on a need-to-know basis, especially in matters of sensitive subject access requests and data breaches, where we will restrict knowledge and access to certain qualified members of the core DPO team.

Frequently Asked Questions

Can a governor be the data protection officer?

Can we allocate the role of DPO to a member of staff?

Do schools need a data protection officer?

Does the data protection officer need specific qualifications?

How can schools afford a data protection officer?

What about independent schools?

What does a DPO do?

What does the GDPR say about your duties when employing a DPO?

Contact us today with any questions or for a

Free Consultation

Call us with any questions

0800 0862018

or email us on