Reviewing the countdown to GDPR

UK Universities spent just over half a million pounds preparing for the EU General Data Protection Regulation (GDPR), according to researchers at the Parliament Street think tank. The body surveyed UK universities asking for information on budget and resource allocations to implement the new data protection legislation, which has been enforceable as of May 25. 

The research follows the disclosure that the University of Greenwich has been fined £120,000 by the Information Commissioner after a security breach in which the personal data of 19,500 students was placed online. 

Of the universities that responded to the request for information, a total of £640,885 was disclosed for GDPR preparations. 

Cranfield University topped the list, spending £157,781 on staff, training and legal costs. This was followed by Edinburgh Napier University, which said it was spending £83,940.40 on a governance and compliance course, information services for staff, a GDPR practitioners training course, an e-learning module and the procurement of a GDPR toolkit. 

University College London said it was spending £83,238 on project management, training and third party legal services. Kingston University disclosed spending of £81,500 on staff training consultants, while Bournemouth university spent £64,199 on staff and IT training.  

At the bottom of the list was Heythrop College, University of London, which spent £1,462 on staff training. Liverpool John Moores university spent £1,618 on external training, and Canterbury Christ Church University spent £2,854.80 on staff training.  

“The research follows the disclosure that the University of Greenwich has been fined £120,000 by the Information Commissioner after a security breach in which the personal data of 19,500 students was placed online.” 

Jason Tooley, Board Member, TechUK said: “GDPR is a regulatory minefield for universities, which are tasked with managing complex data, including personal details of students, marketing of courses and processing applications from all over the world. Mishandling of this information will lead to severe financial penalties and, in order to prevent this, staff need to be trained on how to adhere to the new data rights of students and be fully aware of the rules associated with this legislation. 

There are no quick fix solutions for implementing the GDPR. Adapting to it means driving cultural change within the organisation about how information should be stored, managed and used in all circumstances. Failure to take appropriate action will leave higher education institutions at risk of breaching the guidelines and losing trust with students.” 

Peter Irikovsky, CEO, Exponea, said: “It is likely that these spending figures are a mere snapshot of a much larger financial commitment in the higher education sector, running into several million pounds. It’s clear that GDPR poses a major challenge for universities, which oversee extremely complicated data sets including applications, correspondence and private financial information of people from all over the world. The reality is that extra spending on this legislation is a drain on resources, so it’s vital that organisations ensure all support is GDPR certified from the outset.”  

The league table of GDPR expenditure: