
Five top tips for strong data compliance in 2022

31 January 2022

I know, possibly the most exciting article you’ll read this year. OK, so I admit that it’s not that exciting, but – as you have heard me say plenty of times – this stuff is important. It can also be time-consuming, and with data protection compliance it is often a matter of prioritising effectively to make the most of your finite time.

Let this article help you with that focus and ultimately save you time and money.

Tip 1: Embrace near misses

Once your heart rate is back to normal, take a step back and ask yourself “what can we learn from this near-breach experience to improve our practice?”

Near misses (and for that matter actual breaches) present a good opportunity to learn. What went wrong? What needs to change? How do we avoid it happening again? It’s very easy to thank your lucky stars and move on, but in doing so you are likely to be doomed to repeat the same mistake. Invest some time now in figuring out how to be better, put those changes in place and see the long-term benefit.

Tip 2: Lead from the top

Evidencing a strong culture of compliance is an important part of the DPO role. The best way to achieve it is to ensure you and your SLT lead from the top. How the leadership are perceived to fall in line with any compliance issue has a serious impact on how the rest of school staff will act. Strong and consistent leadership will send a clear message to more junior staff; a dismissive approach that suggests it all doesn’t matter will pretty much end your chances of creating a strong culture of compliance. So, start at the top.

Tip 3: Outcomes-focussed training

The ICO expects organisations (including schools) to be able to measure the outcomes of data protection training. This means proving staff knowledge, not proving that they attended some training you put on during the inset day. So, make sure your staff training outcomes can be evidenced, that you then review that evidence to identify knowledge gaps and then plan how to plug those knowledge gaps to improve staff knowledge and data protection practice.

Tip 4: Learning walks

Learning walks should form part of your regular review of staff compliance – it’s one of the best ways to review everyday compliance and it doesn’t have to be a big job. All it requires is a wander around school with your eyes open to look out for key physical risks – screens left unlocked, USB sticks in use, personal data left lying around, cabinets unlocked and so on.

A quick learning walk will help you identify the areas of risk in your setting which you can then build into staff training and updating. Soon enough, those risks will be managed and reduced.

Tip 5: Consequences

This is a big one. In May this year we’ll be four years into the GDPR regime. Is it time for there to be consequences for staff not completing data protection training and/or not doing what is required of them? Spoiler alert: it is. I’m suggesting we go straight to the ‘stick’; by all means use the carrot too. However, if there is no real consequence for a staff member not completing training or not complying with policy, then what is their motivator for complying? Perhaps it is now time to look at making these issues a disciplinary matter or, at the very least, a difficult conversation with the Headteacher. What would happen if we were talking about safeguarding and not data protection? I’m betting there would be consequences.

Bonus tip: Work together, don’t reinvent the wheel

You know me, I like to give you freebies where I can, so here’s a free tip – work together. Being a DPO can be a lonely job, so look to networks, forums and make connections with other DPOs in your area so you have a support network around you. That way you can share learning/documents/experiences and take those benefits back to your school. As part of that, don’t forget the DPO Peer to Peer Support Forum in the LASBM online community.

I’ll be expanding on these tips and providing some more at the LASBM East Conference on 9 February.

This article was first published by LASBM on 27 January 2022
