Nigel Peers, Security & Risk Management Consultant at NW Security Group, looks at the lay of the land since the GDPR enforcement, discussing how schools can gain & maintain compliance…
With months of speculation behind us regarding the many complexities and intricate details of the EU General Data Protection Regulation (GDPR), the conversation has now shifted from raising awareness of the practicalities of its implementation, to giving actionable advice that will help schools, colleges and universities achieve and maintain compliance.
It’s been almost two months since the May 25th deadline passed, and while the Information Commissioner’s Office (ICO) has given reassurances that it isn’t going to start immediately handing out large fines to every school that remains non-compliant, it is important that facilities can show a desire to adhere to the regulation to protect staff and students’ data.
That is because breaches within the sector are continuing to soar. In 2017 data breaches rose an astounding 103% compared to the previous year – schools, colleges and universities must do all they can to not become the next statistic. The concern is only exacerbated by the recent finding that only 16% of educational institutions currently realise they’ve fallen foul of a data breach. This begs the question; do they have the internal awareness to identify what a breach is?
Improved training is clearly paramount. In our conversations with schools post-GDPR, two queries are commonly raised regarding how the new legislation will impact schools, colleges and universities. Firstly: ‘do we have a lawful basis for storing data?’; and secondly: ‘should we appoint a Data Protection Officer (DPO)?’. As the guardians of confidential and private information regarding both students and staff, it is important that facilities quickly get up to speed on how the legislation may affect them. These are our top tips to help navigate the journey to compliance:
What is a lawful basis for storing data?
The first question educational institutions have been pondering is: what is a lawful basis for storing data and do we have it? When it comes to data collection and storage, all institutions must have a lawful basis to record Personally Identifiable Information (PII). Anything that can identify an individual is classed as PII, whether that be physical or cyber, so schools, colleges and universities must take a close look at the data being stored and ensure they do have the right to do so.
A lawful basis includes contractual uses, compliance with legal obligations, and the interest of the data subject – such as safeguarding welfare. It is also important to keep in mind that PII stored for marketing purposes, such as e-mail marketing databases, can only be stored with the consent of the data owner, which must be given freely and kept up-to-date.
To achieve compliance, the lawful basis for processing data should also be identified and documented within a school by updating its privacy policy and notices. Undertaking such an audit might sound like a daunting prospect but doing so will clean up databases and ensure consent to store and process PII is gained going forward. This is important as it has been our experience that, while many institutions believe they are protecting PII and have effective policies in place, these haven’t been documented adequately, leading to non-compliance.
Do I need to appoint a DPO?
The second area of uncertainty among many educational facilities is whether it’s necessary to appoint a Data Protection Officer (DPO). This has been a grey area for many educational institutions, as the GDPR states a DPO must be appointed by all public authorities and any organisation carrying out systematic monitoring of individuals on a large scale.
It’s open to interpretation whether schools and academies fit these criteria, but the need for somebody to take responsibility for data protection is clear. This is because our recent survey found that 70% of respondents didn’t think they could evidence that the correct procedures were in place if they fell victim to a breach. Furthermore, over half (51%) of those responsible for the administration of an access control system were found to be not trained in data protection.
Best practice would be to appoint somebody to take responsibility for ensuring compliance, but the issue for many is then who to appoint, as a DPO must have the right skills and experience. This can present quite a challenge for many schools, because guidance states that the position cannot be filled by someone with a conflict of interest, ruling out those who work within the school in a senior management role or closely with the data being stored or processed. Perhaps that is why our report found that 22% of respondents already outsource their DPO to an external expert. This is a logical solution and one that we would recommend – as such it’s a figure we expect to rise.
It’s important to highlight that there is still time to get it right. GDPR compliance may seem like a regulatory burden, but it has given the education sector a great opportunity to ensure their security procedures are fit for purpose, and the PII of staff and students won’t end up in the wrong hands.
Expert GDPR support is available from qualified practitioners who can help you every step of the way as you overhaul your data protection practices. For information on the security consultancy and training services we can provide, visit: nwsystemsgroup.com
Nigel Peers, a qualified Data Protection Practitioner with full teacher training status, brings vast strategic security expertise as a previous co-founder of a successful workplace compliance training company, responsible for security site surveys, vulnerability assessments and Security Industry Authority (SIA) training courses. Working in close partnership with board and trustee-level stakeholders, Nigel is responsible for helping organisations understand the latest regulations and ensure risks, threats and vulnerabilities are correctly identified. Through strategic planning support, Nigel optimises security solution delivery from mitigation to implementation, risk and incident management to business continuity and recovery.
About NW Security Group
Established in 2004, NW Security Group provides bespoke, all-encompassing security solutions that safeguard your daily operations. We combine technical expertise, consultancy and training to minimise risk and protect your people, assets and data. By working closely with you to tailor services that meet your exact requirements, we offer peace of mind and deliver long-term investment protection.