With the General Data Protection Regulation (GDPR) now enforceable, Nigel Peers, Security and Risk Management Consultant at NW Security Group, looks at how the education sector is faring in the new data protection landscape.
The GDPR deadline has now passed, meaning schools, colleges and universities that remain non-compliant with the new regulation are at risk of large fines and reputational damage. While it is reassuring that the Information Commissioner’s Office (ICO) has said that it won’t immediately clamp down on organisations if they’re working towards putting the right data protection measures in place, it was concerning to find in a recent NW Security Group survey that only 22% of educational facilities believe they are compliant. Clearly, more work is needed for many establishments to make the grade.
The principle behind the GDPR is a good one. It has been developed to simplify and strengthen the protection of an individual’s personal data, giving them more knowledge of how their Personally Identifiable Information (PII) is used. That is why we believe its implementation should be welcomed by educational institutions, especially considering the dramatic increase in data breaches in recent times. Whether via cyber-attacks, accidental loss or poor data protection policies, ICO figures highlight that in Q3 2017, 96 breaches were recorded in the sector, up 68% on the previous quarter.
Would you ignore a data breach?
One of several worrying findings from our survey was that 14% of respondents said that, when made aware of a data breach, they would completely ignore any issues in the hope they would resolve themselves. Only 63% stated they would inform the relevant stakeholders. Clearly the education sector isn’t fully aware of its GDPR obligations, but this is something that could be simply addressed.
At NW Security Group, we first became aware of the issues around GDPR compliance while undertaking Organisational Compliance Assessments (OCAs) to help educational institutions meet their data protection obligations. An essential tool for schools, colleges and universities to identify any gaps in their procedures, an OCA should act as an organisation’s first step in mapping out their journey to compliance. Once a roadmap has been set out, it can begin to identify data protection failings, and outline what can be done to remedy these.
Greater training regarding privacy by design needed
A key component to facilitate GDPR compliance is educating staff regarding the principles of ‘privacy by design’. This approach ensures data protection is at the heart of any project from the outset and includes developing robust privacy policies or strategies, and using data for new purposes. As an educational facility’s first line of defence, employees, from teachers to administrative staff, must be aware of such processes and policies. This will better enable them to operate in a secure manner, as well as correctly identify and respond to a threat.
However, our survey found that 31% of respondents didn’t feel their employees and contractors were adequately trained in data protection. Furthermore, many facilities believed their processes were up to scratch when the reality was very different. For example, 78% of respondents believe their facility actively promotes robust access control, yet 16% didn’t think they could produce a list of people on site in an emergency. This highlights that poor documentation is one of the key areas holding education establishments back, compounded by the finding that 70% of respondents didn’t think they would be able to evidence the necessary documentation if they fell victim to a breach. It is clear, then, that further training is essential in this area.
While it is unlikely that the ICO will come knocking on your door with a nasty fine in the very near future, educational institutions should be focused on making progress towards GDPR compliance. There’s still time to act – not only to protect staff and students, but also to ensure an establishment’s reputation isn’t tarnished by a data breach or fine.
There’s nothing to hold you back. External experts are there to help you traverse the road to full compliance, offering everything from OCAs and professional training through to assistance in establishing sound processes and procedures, plus the support of an external data protection officer (DPO).
Our latest whitepaper, entitled ‘The GDPR: Is your school, college or university compliant?’, details how the education sector is getting to grips with the GDPR and offers best-practice advice to help your institution work towards compliance. Download the whitepaper here: https://www.nwsystemsgroup.com/gdpr-education-compliant.
About NW Security Group
Established in 2004, NW Security Group provides bespoke, all-encompassing security solutions that safeguard your daily operations. We combine technical expertise, consultancy and training to minimise risk and protect your people, assets and data. By working closely with you to tailor services that meet your exact requirements, we offer peace of mind and deliver long-term investment protection.