Data security and best practice for GDPR
David T. Blonder, DPO at BlackBerry, discusses how schools and universities can work to ensure vigilance in the face of GDPR for the new academic year
With the education sector battling funding cuts, the Department for Education has advised schools to address the shortfall by being as cost-effective as possible. Whether it’s changing stationery suppliers, finding cheaper utility providers, or simply reducing headcount, school leaders have to ensure that they’re not only providing the best education for students, but that they’re smarter with budgets too. The General Data Protection Regulation (GDPR), which came into effect on May 25 this year, only adds to the pressure. There has been a lot of hype and discussion surrounding the regulation, but most of it relates to the potentially eye-watering fines, of up to £17m, that huge corporations could face should they fall foul of the rules. Less has been said about the education sector, but institutions under pressure to cut costs can ill afford the fines associated with GDPR. Taking steps to ensure compliance and safeguard the data of young people is also a necessity in its own right, as the sector holds some of the most sensitive Personally Identifiable Information (PII) on children and students.
Act now to mitigate risk
It’s expected that most GDPR fines will come as a result of poor data protection and breaches of confidentiality, so school administrators should be trained to understand what data they hold, how it is owned and used, and where it is stored. Knowing this will help to identify the gaps that exist and understand what robust controls should be in place to manage the data. Implementing this process will allow the school to document every data decision in the style of an audit trail, which will become essential should it be asked to prove compliance.
This best practice is one that all organisations should carry out at regular intervals to ensure that gaps in compliance have not opened up as systems evolve. However, managing data protection in the education sector is very different to the corporate world, as schools have a natural cycle of PII that will become redundant as pupils graduate or move on from school. A process should be implemented to ensure that data which is no longer required is removed, while still taking other industry regulations and acts into account. For example, the Children & Social Work Act 2017 requires all students who received care to receive support from a personal adviser (PA) until they reach the age of 21, and so there is reason for that data to be held for a longer period.
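As an added example (not from the article or from BlackBerry), a small retention review over constructed pupil records: records of ordinary leavers are removed after an assumed one-year post-leaving period (a policy parameter the article does not specify), records of care leavers are retained until age 21 in line with the personal adviser duty described above, and every decision is recorded with its reason so the review doubles as the audit trail.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed policy parameter (not from the article): records of ordinary
# leavers are kept this many years after leaving school, then removed.
DEFAULT_RETENTION_YEARS = 1
CARE_LEAVER_SUPPORT_AGE = 21  # personal adviser duty runs until age 21

@dataclass
class PupilRecord:
    pupil_id: str
    date_of_birth: date
    left_school_on: Optional[date]  # None while still enrolled
    received_care: bool             # care leaver covered by the 2017 Act

@dataclass
class RetentionDecision:  # one entry of the audit trail
    pupil_id: str
    action: str           # "retain" or "delete"
    reason: str
    decided_on: date
def age_on(dob: date, on: date) -> int:
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February rolled into a non-leap year
        return d.replace(year=d.year + years, day=28)
def decide(rec: PupilRecord, today: date) -> RetentionDecision:
    if rec.left_school_on is None:
        return RetentionDecision(rec.pupil_id, "retain", "pupil still enrolled", today)
    if rec.received_care and age_on(rec.date_of_birth, today) < CARE_LEAVER_SUPPORT_AGE:
        return RetentionDecision(rec.pupil_id, "retain", "care leaver under 21: PA duty applies", today)
    if today < add_years(rec.left_school_on, DEFAULT_RETENTION_YEARS):
        return RetentionDecision(rec.pupil_id, "retain", "within post-leaving retention period", today)
    return RetentionDecision(rec.pupil_id, "delete", "retention period expired, no other basis", today)
def run_retention_review(records: List[PupilRecord], today: date) -> List[RetentionDecision]:
    """Evaluate every record; the returned list is the documented audit trail."""
    return [decide(r, today) for r in records]
def sample_records() -> List[PupilRecord]:  # constructed sample data, not real pupils
    return [PupilRecord("P001", date(2004, 3, 10), date(2020, 7, 20), False),
            PupilRecord("P002", date(2005, 6, 1), date(2021, 7, 20), True),
            PupilRecord("P003", date(2002, 1, 15), date(2018, 7, 20), True),
            PupilRecord("P004", date(2010, 5, 5), None, False),
            PupilRecord("P005", date(2006, 2, 2), date(2024, 7, 19), False)]
```

Run `run_retention_review(sample_records(), date(2024, 9, 1))` to see that P001 and P003 are flagged for deletion while P002 is kept because the care leaver is still under 21.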
Education establishments should also be vigilant about shadow IT, with unapproved resources, such as interactive classroom apps, being downloaded to the network, which could present risks. Teachers are naturally focused on providing the best education they can to their students and may feel justified in sourcing material from as wide a range of sources as possible, regardless of technology policies. They may not recognise the risk some of these workarounds create for data privacy, but regular training and information on the need for compliance will help to control how data is created and used, and therefore make compliance easier.
Advice from an ethical hacker
If processes have been put in place to address GDPR, but school administrators remain unsure whether the school is GDPR compliant, an ethical hacker could be strategically used to expose potential flaws in data protection. There is no one-size-fits-all approach. Each educational organisation is different and will require a compliance practice to fit its particular tools and processes. This is where an ethical hacker can make all the difference. Their goal is to ensure the institution’s data is secure and to defend its systems by mimicking the efforts of real-world hackers. They can detect and document potential GDPR risks and give actionable advice on how the organisation can overcome the issues. The ethical hacker can also take the lead in providing training for teachers. By using the same tactics and tools as malicious hackers, they can ‘con’ employees over email and scan the network for vulnerabilities and for information staff have downloaded, to alert them to the data protection violations they could be facing. While this technique may seem invasive, it often highlights vulnerabilities that a check-box approach simply can’t. The more hands-on nature of the exercise also helps teachers and administrators gain a better understanding of the risks involved when storing and sharing data, as well as making them accountable for GDPR weaknesses.
Understanding educational data
For GDPR compliance to be successful, processes need to align with how an organisation already operates, rather than making fundamental wholesale changes; such an upheaval would create unmanageable workloads and leave the regulation unadopted. Compliance should focus on what the school is already doing, identify gaps, and implement updates to procedures to match the requirements of the GDPR. Institutions should also note that some processing within education does not require consent under GDPR, as it is mandatory for the establishment to function. For example, consent would not need to be obtained to process data that the school provides to the Department for Education as part of the census, as this is a legal obligation. However, consent would need to be obtained when the school wishes to collect parents’ email addresses in order to send emails to them, as there is no specifically articulated lawful basis to process this data without obtaining consent. Having clear processes and training in place to ensure data is protected adequately, without hampering legal obligations, is critical to successful compliance.
With GDPR in force and headlines reporting on how many organisations have not yet fully prepared, now is the time for schools to take action on becoming compliant, as well as to sustain ongoing data protection best practice. If a breach incident does occur that results in an unlawful disclosure of PII, the ICO is likely to favour a school that has demonstrated its efforts to take its responsibilities under GDPR seriously and has done all that’s expected to protect the personal data of its students.
For more on BlackBerry, visit blackberry.com