Episode 6

Published on:

9th Mar 2021

Protecting Children's Privacy

Just Because You Can, It Doesn't Mean You Should!

UK's leading DPO for Schools, Claire Archibald, reveals some of the key challenges when it comes to protecting the privacy rights of children and how they can be addressed.

Claire unearths how witnessing the activities of nine-year-old girls on Instagram led her on the path to becoming a Data Protection Officer and Consultant at Education Data Hub.

This episode is packed full of valuable information for parents, educators and anyone that cares about the privacy of the child(ren) in their lives.

If you want to make it as a successful Privacy Pro and take your career to a new level - You can't afford to miss out on this episode!

Listen Now...

Connect with Claire on LinkedIn here: https://www.linkedin.com/in/claire-archibald-b608001a1/

Connect with Jamal on LinkedIn here: https://www.linkedin.com/in/kmjahmed/

Get Exclusive Insights, Secret Expert Tips & Actionable Resources For A Thriving Privacy Career That We Only Share With Email Subscribers

► https://newsletter.privacypros.academy/sign-up

Subscribe to the Privacy Pros Academy YouTube Channel

► https://www.youtube.com/c/PrivacyPros

Join the Privacy Pros Academy Private Facebook Group for:

  • Free LIVE Training
  • Free Easy Peasy Data Privacy Guides
  • Data Protection Updates and so much more

Apply to join here whilst it's still free: https://www.facebook.com/groups/privacypro


It was a shock for me and I thought, Oh my gosh, you're right. I can't believe I've done that. And it was a real watershed moment for me. I was pretty horrified that I was doing this.


Are you ready to know what you don't know about privacy pros, then you're in the right place.


Welcome to the PrivacyPros Academy podcast by Kazient Privacy Experts, the podcast to launch, progress and accelerate your career as a PrivacyPro.


Hear about the latest news and developments in the world of Privacy.


Discover fascinating insights from Leading Global Privacy Professionals


and hear real stories and top tips from the people who've been where you want to get to


We are an official IAPP training partner.


We've currently trained people in over 137 countries and counting.


So whether you're thinking about starting a career in Data Privacy, or you're an experienced Professional, this is the podcast for you.


Hi, everyone, and welcome to the Kazient PrivacyPros Academy podcast. My name is Jamilla. And I'm a Data Privacy Analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislation as well as key developments and any decisions by supervisory authorities. With me today as my co- host is Kazient's CEO, Jamal Ahmed. Jamal Ahmed is a Fellow Of Information Privacy and CEO at Kazient Privacy Experts. He is a leading Global Privacy Professional, World Class Trainer and Lead Mentor at the PrivacyPros Academy.


I'm so excited to be speaking to our special guest Claire today. Why don't you tell us more about Claire?


Our guest today is Claire Archibald and she is a BCS data protection practitioner, a DPO for schools and a consultant at Education Data Hub. She is also a non practising solicitor. Claire has a wealth of knowledge and experience in the sector and currently works for Derbyshire County Council. Welcome, Claire, we're

so happy to have you.


I'm really excited to be interviewed today. Thank you so much for asking me.


We're really excited to be speaking with Claire.


Definitely, as we always do on this podcast, we start with an icebreaker, what is your motto that you go through life with?


I think I've got two mottos and both of them have come out of my parenting experience. I used to be really hard on myself and really punish myself when I made mistakes, you know, I saw that my children were growing up, and they would punish themselves for mistakes and, and be really cross with themselves if they got things wrong. And I felt really compassionate for them. And you're little you're only learning and then it became a bit of a motto. And I thought you know what we're all only learning, you know, I really believe that you can make mistakes, it's okay, we are only learning. So that is our family motto, don't worry, we're all only learning. And I say that very often, it inspires you then to be curious, not to be afraid to make mistakes, and to enjoy yourself because learning is fun. And probably the second motto I have again, my daughter taught me this motto, but and she was a tiny little girl very confident she was jumping around, she's about four years old, she jumped around and she was making star jumps and making shadows and she went, look, I may be little, but I can do big things. And I thought you know, what, isn't that wonderful? I may be little I'm quite short, but you know, I can do big things. And you know, we all have a role to play, you know, we each can have an impact. So that's my other motto.


I really love both of them, too. They're so true, especially when you think about what you said is so many people walk around life scared of making mistakes, scared of failure. And because they're worried and they're focusing on the wrong things, they're worried about what will happen if things go wrong, they really don't give themselves the permission to be well, they could be an experience, or they could exprience and have all they could have. Because they're always focused on people would laugh at me if that happens. When you say look, don't worry, we're all learning, then it gives you the permission to go and try everything and really find/ figure things out for yourself and have that richer life. And I really love that. And the other thing is, yes, just because we're small, doesn't mean that we can't achieve great things.


Thank you. And you know, you said a really interesting point there about fear. And I've really pinpointed included in my current role that fear is the basis of many negative emotions. So what might come across as anger or defensiveness or, or head in the sand most of those emotions? I don't just say like Yoda No, but it leads to anger, fear of failure or fear of things going wrong or humiliation for any significant issue. Yes,


Definitely I mean, very profound and wise. Well. Yeah, I love those mottos. So I think they're definitely going to give me something to think about today and the rest of the week. Our first question to you, I guess is how did you begin your career in data privacy?


So this goes back a really long way. I was a law student at Leeds University in the late 1990s. And data protection wasn't anything that was really ever covered back in the late 1990s. You had a bit of a light touch on it, but it wasn't really But what I did love was civil liberties and Clive Walker was my tutor for civil liberties. And if there was a civil liberties module to take, I would take it and it was all about individual's relationship with the state and the right of the state to carry out surveillance or you'd never think of private companies surveilling you and it was all about your relationship with the government and, and telephone tapping. I find that really intellectually interesting, but it didn't really obviously lead me to a career. I recently learned that Kier Starmer actually studied at Leeds University and he left civil liberties too, dammit I could have gone down the same route as Keir Starmer. Civil liberties is really interesting, I couldn't find an obvious career path for that for me. At the time, we had a great Law Library and a cloakroom, and in the cloakroom, there were all these advertisements from big corporate law firms. You know, come and do two weeks worth of work experience with us, we'll interview for you for a job, if you get the job, you'll get your training contract, two years really good salary, will pay for your legal practice course fees, you know, so this seemed like a really great way to secure my future.

So I've got ambitious, and wanted to be financially independent and get my career started. So I sort of fell into that, did a number of cooks tour road sort of vacation placement, and got recruited by one of the corporate law firms and had a regional office up in Sheffield, great experience. And my training contract went round all the different departments and settled in the environmental team, I really like my colleagues in the environmental team, I found it was really varied work. So it was about your interaction with the regulator, in that case, the Environment Agency and testing the mood of that regulator, and whether the regulator was going to favour you, it was a good mix of litigation, corporate deals, looking at contracts. So the type of work the varied work did appeal to me. And I settled in that what really didn't appeal to me, Oh, my gosh, was the European legislation, it was the most boring thing ever.

I find it really difficult to read and understand. And I thought, Gosh, maybe this is me, I really find this really turgid, really boring, sort of work in just me, but not the content but anyway, went on, had children ended up doing a variety of different things and not going back to the law, my life took me in a bit of a different direction to started working with projects. And I started to work as a mediator and looking at counselling and looking at that interaction. And what makes people tick. And that's what I find really interesting about Jamal is that he's bringing his knowledge of psychology and NLP into his work as a data protection officer and consultant, I think absolutely the same. It's about working with groups of people to bring about cultural change. And I think unless you understand what makes people tick, and behind that, then you're not going to win their hearts and minds. You know, I think lawyers and auditors would think that data protection is a Compliance Job, that there's laws to follow. And you've got to follow those laws. And that's kind of cut and dried for them. And but I think it's way more than that. I think it's about people and attitudes and that culture. And I think that data protection, the world that we live in from when I was in the late 90s, during my law degree to the world we live in now is massively different. We were just about having an email accounts back in the 90s. So we live in a completely different world. And data protection is part of that. That's a long answer to that question about where my career path went, because it wasn't in a really obvious direction. And I did not think at the beginning of my career, I would end up doing this.


I think that's really good. Anyone who's starting out whether it's in law, whether it's in data protection can kind of see all these different journeys of people that we are interviewing. And it shows that it's not just one linear journey that you have to go on to reach a certain goal in data privacy.


Thank you for sharing that with us. One thing I'm really interested in is how did you go from becoming a corporate lawyer going into mediation, oh, this thing, and then finding a niche in schools where you're doing such a great job,


I had a voluntary job, and I was a girl Gaiden leader and I looked after a group of brownies, brownies are aged between seven and 10 old girls. So I ran a brownie pack for a number of years absolutely loved it. And it got me interested in the safeguarding elements of looking after children couple of strands to how I ended up in education. So first of all, when Facebook was invented, I really got into it, I thought it was great. I was quite isolated where I was, I had two very small children. And I remember my first Facebook post, really well, used to talk about yourself in the third person when you talked about yourself on Facebook. So it was clear is and then you know, you talk about yourself like a third versus that was strange. And I remember posting on Facebook of my children and then growing up and I remember once trying to take a photograph of my daughter, and my daughter said, I'll let you take a photograph of me but only if you promise not to put down Facebook, very precocious little girl. And then it was a bit of a shock for me and I thought oh my gosh, you're right. I can't believe I've done that. And it was a real watershed moment. For me. I was pretty horrified that I was doing this really without thinking about their rights to privacy and killed on my social media accounts stripped everything down. And I really thought really carefully about who and what I share with about them because it's for them to choose.

And also, I mentioned being a brownie leader. So as I was a brownie leader, a lot of these seven year old girls started to request to follow me on Instagram. And I found that really shocking and surprising. Yeah, they had public accounts. So I would, I was able to see all their photos. And I was pretty surprised at the content that 7,8,9 year old girls will go on Instagram, I think they were very naive. And then I remember finding a photograph of the inside of my own daughter's classroom, I was pretty horrified, got to the bottom of it. And they had a take your own toys to school day at the end of term. And one of the children had taken in their mobile phone and had taken photographs inside the classroom. And then they put them on a public Instagram account. And I went into the head teacher, and I said, did you realise this has happened, I'm really shocked. This has happened. And he was he was really surprised. He was really shocked. He hadn't considered that would happen at all. So some really big sort of surprising things happened, shocking things happened.

hooling. And that was back in:

And one of the senior leaders said to me, You know what, Claire, I've been in education a really long time, I've seen these fads come and go, I really don't think you need to be getting yourself worked up about this. It'll all blow over. I thought to myself, I've not heard of a piece of legislation that has blown over yet. You know, and then I sort of thought you're still a solicitor, you're not practising anymore, but you do actually know what you're talking about here, Claire. And so I started to look around for advice and support. And I was really thirsty for that resource and support and started to look into it myself. And then just got more and more knowledge and piece together. You know, what I've learned in my previous career with the bits of working with people and working with teams and projects and the safeguarded bit, and really knowing how school work terms of its day to day operations. And all those things seem to come together really well. As I say, because of my experiences. It was something I was genuinely passionate about. And I don't think you can do this job without becoming a bit of a privacy advocate. I think you would be insensible if you didn't actually think and care passionately about those data subject rights and their privacy at the heart of it.


You mentioned that you came across young girls putting things on Instagram, how can we talk to kids about data privacy and kind of approach that subject with them. And because obviously, what I think when I was growing up, the internet was very new, the kind of only thing we got told was Stranger Danger online. And now they're using the internet for their lessons. They don't get that warning message anymore.


I think it's not just children that are learning this, I'm in my early to mid 40s. And it's our generation that are learning this as we're going along as well, I've certainly have learnt this as I've gone along, and I thought really carefully about my own privacy online, we're so willing to give away lots of our information and lots of our privacy for convenience sake. So if we can have things prefilled we can accept those cookies, you know, if we can have that ad served to us, we just accept that. So I think for children, it's been an open and nicer thing. We're on this journey too, we're learning about this as well. And then of course, the obvious thing is to move and I think schools are doing this and we know they have a lot of Internet safety and lessons now. So moving in a more sophisticated way and in an age appropriate way, helping children to learn how it's not just about you don't talk to strangers in a chat room, which is a really old fashioned way that we've given advice and but to talk about that those nuances and, and to build their idea of their right as a citizen of the digital world. And we teach children about politics, we teach them about democracy, but let's teach them about the digital world that we live in as well as the physical world. So you teach them geography, teach them history, yeah, teach them tech and the world that we actually live in virtually as well. We're all glued to our phones and our screens. That's true.


And unfortunately, it's become I think, a bit more commonplace during this pandemic with the pandemic that's been going on. A lot of children have been doing home learning they've been having laptops in various parts of the house, you know, they've got hundreds of siblings they might be you know, all crowded around laptop, how can we protect the privacy of children in their homes during online lessons when I know that a lot of schools like to record those online lessons for kind of future sake, how can we protect privacy in that respect?


So before I let Claire answer that question, I just want to say clear, before we even talk about how we can protect those recordings, should we really be recording children in the home? Or if we should be or those that are, how are they justified? What are your thoughts on that?


Yes. So there's lots of ways of remote learning. So first of all, this remote learning that's not recorded lessons. So remote learning, signing pupils up to a platform, giving them a login and saying, here, go kids, here's your username and password for this piece of edgy tech. We'd like you to use it, to do your timetables, to do your spelling's, to do a class quiz, there's that aspect to deal with first. And what I would say is that there are loads and loads of products out there, and they look really glossy, and they look great on the cover of it. And it might be school down the road, or some art teacher on Twitter, with a large Twitter following is using it, it's any of these platforms, great, I love it, and get your kids signed up. But just to really think about the data protection implications of that first, and not just to look and particularly I've seen loads and loads of us providers who have really great glossy looking websites, but really aren't tailored to the European market and really don't tailor the way that they're dealing with data to our laws. So that's the first thing to say is get that out of the way, because that's something that comes across my desk on a daily basis and is continuing to do so.

So that's an issue and schools need to make sure they're getting advice, terms of whether that those products are compliant, or that minimising that risk. In terms of recording online lessons. Should they be recording online lessons at all? I think just because a piece of technology has the facility to do something doesn't mean you should. So you could, but should you and I think that could, should question needs to be asked load. So just because there's a big red button on your resume or your team's saying hit record? Do you necessarily hit that record button? If that record button wasn't ever put in by the developers as a school, which would you say, Oh, well, I'd love to use zoom. I'd love to use teams. But Gosh, it's a shame that it doesn't have that record function. So therefore it's not usable for us. No, they still use it. You just think okay, well, it is what it is. So the first thing to say about recording is schools really need to understand why they are recording what they recorded. And I've asked that question. So we provide like a DPIA template, send it out to the school, you know, you want to use zoom, fill that in and come back to us and and they'll say and ask them, will you be recording lessons? Yes, we'll be recording lessons they say. And I say well, why? We don't know because of safeguarding.

Okay, so I say let's explore that a bit more. What exactly are you worried about with safeguarding? And sometimes they might say, Oh, well, to protect our teachers from allegations. And I say, Well, do you record in the classroom? No, we don't. I say, well, why do you need to record your online lesson to protect that teacher from an allegation? So that's the first thing to talk about. The next thing to say is well, because of the safeguarding of pupils, there might be an incident in a pupils home and we might need to to access that record. And that that's two mights in one sentence, which is immediately making me think well, how necessary is it? Because if you're saying we may read it, an incident may happen, is starting to look really not very necessary and necessary is is at the heart of everything where we're asking, Well, what about the existing safeguarding tools that a school have got? So have you got a safeguarding reporting system, you rely on teachers, given a written account of a safeguarding incident in snow school life, so you know, if Little Johnny is going to come to you and is about to disclose something related to their family, you don't say hang on Johnny, I'm going to need to record this. You know, you listen very carefully, and then you record it, whatever sort of safeguarding recording system you've got, that does exist in systems.


Yeah, they're almost two separate issues that that school seem to be merging together as one bit safeguarding and perhaps they need a new safeguarding policy tofit the new kind of learning from home environment, whereas recording lessons is kind of completely different because students very unlikely to disclose something that's happening at home that could be a safeguarding in front of all their peers during a lesson to me it seems a little bit confused.


It does, it is a bit confused.

So then I think with virtual classrooms, you've got to spend time thinking about your virtual classroom rules. Yeah. So whenever my children start and you turn at school, and I say to them how was your first day in the new class and they go it was great. We spent all day looking at classroom rules, though, you do that at the beginning of every academic year, you look at those classroom rules. So yeah, it'll be a number of people that need to understand and accept those rules. So there's going to be the staff, it's going to be the students, and it's going to be the parents as well. And the carers, they all need to understand what those virtual classroom rules are. And I understand that recording lessons is, is really important. If you've got one laptop in a house, and you've got three children, you know, and the live lesson for child one and two are both at 11am, then you know, they're both not going to be able to access it. So there's a good potential that somebody is going to need to access that non live time. So, you know, make sure that that content is available, pupils can turn their cameras off, you can turn their cameras off, you can only record part of the lesson. So the part where the teacher is, is delivering the main content of the lesson that could be the recorded section, I don't think you have to hit record the very beginning and turn it off at the very end.

Some schools are doing like a blended delivery. So teachers are delivering live to pupils in the classroom at the same time as delivering live to pupils at home. So really practical stuff, really obvious, you know, the laptop goes at the front of the classroom, and the children in the classroom sit behind the laptop. So and being really clear. And then really thinking about if you've got any particular children in that classroom for whom this scenario could pose a real safeguarding risk. So those children in care, those children whose location and identity are very sensitive and are not widely known. So think about those specific safeguarding issues and make sure you do a risk assessment against those. Don't be afraid just because you've had something in place for a couple of weeks, review it take time to have a breather, then you know, see how it goes. I must say I told you, I would wind me up and stop me talking.

Today, I mean, I was talking to a lady who knows a lot about edtech, a lady called Jody Lopez, a couple of weeks ago in a webinar, and she was saying, you know, when we roll out a piece of edtech to schools, we'll roll it out with five schools in year one, and and we'll let them play with it. And we'll see how we get on. And then the next year, we might roll it out to another 15 schools and only in year three to five, do we look at rolling this sort of thing out nationwide? Wow, what an amazing job schools have done in this pandemic, that they have taken so quickly to these remote learning tools. I hoped for school sake, and my own sake, because as their data protection officer that that pace of change isn't expected to continue. Because you know, mistakes can and will happen when you roll out tech so quickly like that. But don't be afraid to build in some reflection time into the use of your tools, change the rules a little bit and adapt as you go along.

And we're all only learning and go on that journey together as staff and students and ask the students what's working for them, what's not working and develop it that way. reminds me a little bit of the motto you gave it, about making mistakes, data protection breaches are unfortunate, but they're unavoidable, accidents do happen. I talk about data breaches, when I talk about schools, when I talk about data accidents do happen, you're going to have a data accident in the same way that your children may fall over in the playground. And you have to have an accident book for the children in the playground. So you need to be thinking about your data breach log, recording all the near slips and trips, as well as those big data accidents. I was talking to somebody yesterday, and they told me they had a data breach trumpet. So every time they had a data breach in the school, they would blow the little data breach trumpet, I thought, you know, again, that tolerance of learning and mistake,


Interesting one for people to think about adopting a data breach trumpet, maybe one for businesses as well as school. With all the changes, I mean, it's almost unavoidable that things would happen, because it's impossible to almost account for everything, especially if you're part of a school where maybe you put out a policy or maybe you've sent out an email, and then it was kind of put to the back of your mind that people


are having to do jobs that they're not normally responsible for. So teachers, for instance, emailing parents in a way that they never would have done before. And all that sort of stuff would have gone by the office, but now you've got that direct contact. But schools do learn and and you know, the important thing is if an accident happens, to react quickly, and to learn from that and to build forwards sort of stronger.


So what kind of mistakes do you see that schools are making when it comes to data protection? If you'd


have asked me this question 18 months ago, I think my answer would have been quite different. I think in 18 months schools have made the schools that I work with made massive progress a year regardless at schools were quite naive. And I described them as sort of toddlers in the industry. And they were sort of grabbing on to the hand of the nearest person who who looked like they knew what they were doing. And very often those people were edtech providers, the schools were sort of assuming that people who knew more about it have the same interests at heart as they did is through a process of education and and working with the schools and empowering them and finding that's really changing and more and more schools go in there much better sort of ambassadors and advocates for their own data, such as the great custodians of that that data, whether schools have learned that through working with us, and generally an increased awareness, or whether they've had the sting of a parental complaint to the ICO or the sting of a SAR, making them realise they really need to think about their records management practices in school, schools are getting better at this. I think that if you could ask me about mistakes and things where they still need to learn, I think they need to ask why much more often?

Why are we sharing this data with this person? Why are we sharing all of this data? Do we need to just share a small amount of data? One of the things I look at is I see very often there are opportunities for schools, and they look great in schools, I think that's a great opportunity, the body or the company, or whatever says well in return for us giving you this resource or this support? Can we have your pupil data for research purposes? And there's a lot of interest in in research. So you really think about well, it was our duty to, you know, could we provide this content ourselves, without having to give away this pupil data for the research, ask why all the time, and just consider what you're doing before you give it away. So even if that's a telephone call from a solicitor asking you for some information, or a police officer asking you for some information, you know, do you need absolutely everything that you're asking for? Can I give you some of that information? Can I check your identity? So that's that very basic step, right? Do I really need to take part in this research project? Can I have that resource without giving away my pupil data for research?

The other mistake I think schools make is that they very often they think it's an office job, and they think it sits with School Business officers. And obviously, as a former School Business Officer, myself, I have great passion. And I need to look after the school business officers. So I love in analogy, I use far too many analogies in my job, I have a great analogy. And I talk about using new providers system taking pupils on a trip. And I say like if you're going to take pupils on a trip, do you do the risk assessment before you start the trip? Or do you get on the bus, and then write your risk assessment for the trip when you're on the bus, or you know, on the coach to the trip and schools where to get that really makes them laugh. But it's that idea of if you write your risk assessment before you get on the bus? Think about those data protection risks before you sign up for a platform. Sorry, I'm all full of the phrases today. That lack of preparation on your part does not constitute an emergency on mine. What I do like sending an email to all my clients going forward. Absolutely, you know, obviously, particularly Corona year, we've all absolutely had to put some systems in place incredibly quickly. And we've all worked as hard as we possibly can. And that pace of change needed to be really fast. In normal world do you need to get your pupils on that platform this week? You've only just found out about this platform, and you need to run with it now? Well, no, let's stop, pause. You need to think about financially, whether it's a good thing for your school, rather than just chucking money at this platform. And that fun and play. If you think about every piece of data about a pupil being worth 10 pounds, are you just gonna give away all that value. Let me know that.

You think about the risks before you get on the bus. So those are my things I'm still working on in terms of helping schools but I think we're getting there. Yeah, were you positive about it?


Good. I think that was really sound advice for schools, if they don't know where to kind of start. I think those are some good places,


You know, in terms of schools, you know, for me, there's always those three cause foundation blocks when it comes to the start in that on that journey. First of all, governance and SLT. So make sure those senior leaders and those governors really understand that that the buck stops with them. I think a lot of governors and head teachers think they buy the DPO service because they think then that they've devolved in themselves have any responsibility, get the governance right really understand you know, that it's a partnership and we're all working together, training and that culture change piece and, and given we're DPO as a service so we're not sitting in those schools. So you know, we're trying to coach and in develop that culture of that key person being a data ambassador for us, you know, and really helping us and being our eyes and ears in that school. And then the next thing is to get your policies right get your structure in place that skeleton and that's when you're going to build from those those three blocks, getting those in right first and then build in from there. It's no good writing Data Protection Impact Assessments if if it governance don't care, or answering SARS, if your records management is all over the place. So yeah, it's about building in really logical steps.


What have you found that's really helped you engage or get the attention of those governments and those senior stakeholders.


It's about a safeguarding. Going back years, there was a time that safeguarding wasn't a big thing in schools safeguarding somebody else's responsibility schools are there to teach. And no schools are there primarily to keep their people safe and after that data to educate them. So I think data protections the same as safeguarding and it is the heart of everything. So it's about really helping schools to understand the link with safeguarding schools that have pupils who are in care, who are post adopted, who've got access issues or difficulties family issues, they get, get that link really quickly, because they already have to take really great care with their data because they know just how dangerous it could be in the wrong hands.

Early, early days, we, you know, we would talk about the risk of fines, the risk of compliance, find it, you know, finding the ICO finding that you weren't compliant, I think that's less of an issue. Now, I think obviously, the, the attitude of the regulator is is is not, you know, of coming down on fines that way, but we have seen schools really stung and really brought to their knees by parental complaints. So it used to be a parental complaint would always be I'm going to complain to Ofsted. Now it's I'm going to complain to the ICO. So we've seen parents complaining to the ICO or governors or members of ex members of staff, it's not just a parent's thing. And, and, or whether it's a Subject Access Request that has brought a school to a standstill just in terms of the sheer amount of information that they've been required to pull together, that really stings for a school, and is a bitter experience for them, but is always is often a great accelerator to change.

And finally, then it's just about that rising awareness. And, and I think, you know, we're still only four years into the GDPR. I know data protection has been around for a long time before that, but like GDPR was a real game changer. And because it coincided with that, that leap into a much more digital world. And schools like all of us are waking up to that. And so yeah, those three things have really helped schools stick to get buy in from schools, the safeguarding element, the bitter experience, and in terms of bad experiences, and which have really upset staff members, they've had to work really hard. And then the just the general raising of awareness, and hopefully the good work our team are doing in terms of helping schools to feel empowered to deal with this sort of thing.


I think one of the great things is that you obviously are in a in a place where the authority Darvish or camp counsellor, whoever it is actually see data privacy as something that is worth investing in something that is worth getting, right. But when I'm looking around where I am, in inner city, London, sometimes I'm looking at schools and looking at the practices of where some of my family members study and data privacy seems to be something that's overlooked and forgotten. What message do you have to those boroughs in those decision makers?


Wow. So yeah, I'm really lucky to work in a team where we've been supported and encouraged. I mean, our schools do choose to buy our service, it's not automatic. So, you know, schools still have to make a significant investment to buy our service where we are sort of fully self funded within within the authority, and we're expected to recover costs. But in terms of messages out to other schools, and I, you know, got come back a couple of years ago, there was an expectation and when the DLP data protection toolkit came out, there was a suggestion that schools could act as each other's data protection officers. So a business officer in one school could also sort of have a sideline of being the DPO for a neighbouring school. And I think that has, you know, as far as I've seen, proved to be really difficult and unworkable.

Financially, schools, really, you know, could struggle in terms of financing the investment to buy a data protection officer that's going to give them all that support, and it doesn't just give them a sort of theoretical answer. It's really, you know, they need real practical support. It's no good having 10 pages of legal advice that doesn't really tell schools what they need to do. So it's a significant investment for schools. But I would say the, the time and resource that you're going to have to spend in dealing with enough detail complaint, or dealing with a Data Subject Access Request, is going to outweigh that initial investment very quickly. And actually, you know, if you really invest in this early doors, and you build up a good culture of compliance, then the likelihood of things going wrong further down and your school being pulled into disrepute. You know, I never want to see one of my schools, in the local newspaper being found wanting for any of their data protection practices. And, you know, I don't want to see any school being criticised. So, you know, schools need to invest in that, like we all do. And I appreciate that's really difficult. Budgets are super, super tight. But yeah, get your staff out, get them trained, be curious and reach out for help and support. I think it is coming. I think we are in a scenario now where everybody, including the Department Of Education after their ICO inspection last year, you know, I think we're gonna see things coming out of the Department Of Education to help schools more, so don't give up, I suppose is the message to those schools. Thank you, Claire.


We've talked a lot about what you do as a your day to day roles, or what kind of tips and advice would you give to aspiring privacy professionals who are thinking about going into education?


You know, the age I am, I'm still a relative newbie to all of this. And I think don't be afraid to make that change. If you find this is something that inspires you and is passionate. I think the first thing ask yourself, are you intellectually curious about privacy? Because I mean, I jumped into environmental law, because it seemed like a good job for me. And I liked the ways of working and the different people I was working within the money thing, but you want the content I really wasn't. Sorry, that then meant that it wasn't a long term passion of mine, you know, ask yourself, considering a career in privacy law, are you passionate about it, because it is quite dry, it's quite difficult.

Next thing I would think about is get yourself a network. And this is where you guys come in. So think about building yourself at that network. I've been really lucky. Some people have been really kind and generous to me. So people like Tony Shepherd, Barry moltz, Tasha Whitaker, they've been really generous with their time, they've let me test out some of my ideas on them. They've been supportive and encouraging. And then, of course, going through people who are at the same stage of the career as me and we've all learned together. So Mike, I've been lucky because I work in a team with some great colleagues. And we've been on a real adventure and learning together. So things like PrivacyPros Academy, obviously fantastic in terms of helping new privacy professionals to get that network, finding a mentor to help you through but also people who are at the same stage as you.

Imposter syndrome is a big thing. And we're all saying you all know so much I know nothing, but everybody knows a bit about something. So it's really good to check your ideas with your network. The last thing I'd say is get yourself an academic qualification. So obviously, you guys would recommend the CIPP. Great, you know, because getting that academic qualification helps to give you the confidence and the rigour to answer those questions. So you know, I did the the BCS data practitioner qualification, that was a great experience. I know that you guys obviously support people through the CIPPE and the M. They're brilliant, that qualifications given me the confidence and the academic rigour. So if I've got question, I go back to what was the controller and processor? What's my article six and article nine or schedule one basis? Do we need a DPA? You know, how we're gonna apply the principles? How we're gonna apply the right how we're going to look at security and transmissions. And so every time I get that question, I go through those rigorous steps. If I don't know, I start with that, you know, not just doing the exam, you know, anybody can get through an exam. But really understanding the content behind that legislation, and getting those bits in place is going to give you that framework for you to build your practice around.


Thank you. So just to end on our last question, what has been your proudest moment in your career so


far? Oh, God, I was really young when I was a trainee solicitor. I was it was a big corporate firm with a big office in London, and then the regional office in Sheffield, and there was a competition for the trainee of the Year award. And I won it and I won it for my client care work. Because, for me, it's really important to recognise who your customer is. And as an ex lawyer myself, I know that sometimes sorry, lawyers, lawyers can be fantastic at giving you 10 pages of incredibly accurate legal advice, and no stone is unturned. But as a client receiving that, can you actually do something with those five incredibly accurate pages? Are you completely overwhelmed? I was really proud to win that award and get that recognition that it was really important to me that your advice was client centred and intelligible to them and that they would go away from a piece of advice either really knowing what to do and having a pragmatic step forward. I would never leave a client with pages of advice that didn't give them a route for where they were going to next. And that's not to say I'm going to make the decision for them. But I think hopefully we've worked together, and then they would see, you know, the route out. So as I say, for me, client K is really, really important. You know, as a compliance officer, you might sometimes forget that there are rules, and you've got to tell people what those rules are. But you've got to help them to understand why they're important and how to implement them and client care is everything for me.

Show artwork for Privacy Pros Podcast

About the Podcast

Privacy Pros Podcast
Discover the Secrets from the World's Leading Privacy Professionals for a Successful Career in Data Protection
Data privacy is a hot sector in the world of business. But it can be hard to break in and have a career that thrives.

That’s where our podcast comes in! We interview leading Privacy Pros and share the secrets to success each fortnight.

We'll help guide you through the complex world of Data Privacy so that you can focus on achieving your career goals instead of worrying about compliance issues.
It's never been easier or more helpful than this! You don't have to go at it alone anymore!

It’s easy to waste a lot of time and energy learning about Data Privacy on your own, especially if you find it complex and confusing.

Founder and Co-host Jamal Ahmed, dubbed “The King of GDPR” by the BBC, interviews leading Privacy Pros and discusses topics businesses are struggling with each week and pulls back the curtain on the world of Data Privacy.

Deep dive with the world's brightest and most thought-provoking data privacy thought leaders to inspire and empower you to unleash your best to thrive as a Data Privacy Professional.

If you're ambitious, driven & highly motivated, and thinking about a career in Data Privacy, a rising Privacy Pro or an Experienced Privacy Leader this is the podcast for you.

Subscribe today so you never miss an episode or important update from your favourite Privacy Pro.

And if you ever want to learn more about how to secure a career in data privacy and then thrive, just tune into our show and we'll teach you everything there is to know!

Listen now and subscribe for free on iTunes, Spotify or Google Play Music!

Subscribe to the newsletter to get exclusive insights, secret expert tips & actionable resources for a thriving privacy career that we only share with email subscribers https://newsletter.privacypros.academy/sign-up

About your host

Profile picture for Jamal Ahmed FIP CIPP/E CIPM


Jamal Ahmed is CEO at Kazient Privacy Experts, whose mission is safeguard the personal data of every woman, man and child on earth.

He is an established and comprehensively qualified Global Privacy professional, World-class Privacy trainer and published author. Jamal is a Certified Information Privacy Manager (CIPM), Certified Information Privacy Professional (CIPP/E) and Certified EU GDPR Practitioner.

He is revered as a Privacy thought leader and is the first British Muslim to be awarded the designation "Fellow of Information Privacy’ by the International Association of Privacy Professionals (IAPP).