GDPR two months on: best-practice tips to help the education sector achieve compliance
Nigel Peers, Security & Risk Management Consultant at NW Security Group, looks at the lay of the land since the GDPR enforcement, discussing how schools can gain & maintain compliance… With months of speculation behind us regarding the many complexities and intricate details of the EU General Data Protection Regulation (GDPR), the conversation has now shifted from raising awareness of the practicalities of its implementation, to giving actionable advice that will help schools, colleges and universities achieve and maintain compliance. It’s been almost two months since the May 25th deadline passed, and while the Information Commissioner’s Office (ICO) has given reassurances that it isn’t going to start immediately handing out large fines to every school that remains non-compliant, it is important that facilities can show a desire to adhere to the regulation to protect staff and students’ data. That is because breaches within the sector are continuing to soar. In 2017 data breaches rose an astounding 103% compared to the previous year – schools, colleges and universities must do all they can to not become the next statistic. The concern is only exacerbated by the recent finding that only 16% of educational institutions currently realise they’ve fallen foul of a data breach. This begs the question; do they have the internal awareness to identify what a breach is? Improved training is clearly paramount. In our conversations with schools post-GDPR, two queries are commonly raised regarding how the new legislation will impact schools, colleges and universities. Firstly: ‘do we have a lawful basis for storing data?’; and secondly: ‘should we appoint a Data Protection Officer (DPO)?’. As the guardians of confidential and private information regarding both students and staff, it is important that facilities quickly get up to speed on how the legislation may affect them. These are our top tips to help navigate the journey to compliance: What is a lawful basis for storing data? The first question educational institutions have been pondering is: what is a lawful basis for storing data and do we have it? When it comes to data collection and storage, all institutions must have a lawful basis to record Personally Identifiable Information (PII). Anything that can identify an individual is classed as PII, whether that be physical or cyber, so schools, colleges and universities must take a close look at the data being stored and ensure they do have the right to do so. A lawful basis includes contractual uses, compliance with legal obligations, and the interest of the data subject – such as safeguarding welfare. It is also important to keep in mind that PII stored for marketing purposes, such as e-mail marketing databases, can only be stored with the consent of the data owner, which must be given freely and kept up-to-date. To achieve compliance, the lawful basis for processing data should also be identified and documented within a school by updating its privacy policy and notices. Undertaking such an audit might sound like a daunting prospect but doing so will clean up databases and ensure consent to store and process PII is gained going forward. This is important as it has been our experience that, while many institutions believe they are protecting PII and have effective policies in place, these haven’t been documented adequately, leading to non-compliance. Do I need to appoint a DPO? The second area of uncertainty among many educational facilities is whether it’s necessary to appoint a Data Protection Officer (DPO). This has been a grey area for many educational institutions, as the GDPR states a DPO must be appointed by all public authorities and any organisation carrying out systematic monitoring of individuals on a large scale. It’s open to interpretation whether schools and academies fit these criteria, but the need for somebody to take responsibility for data protection is clear. This is because our recent survey found that 70% of respondents didn’t think they could evidence that the correct procedures were in place if they fell victim to a breach. Furthermore, over half (51%) of those responsible for the administration of an access control system were found to be not trained in data protection. Best practice would be to appoint somebody to take responsibility for ensuring compliance, but the issue for many is then who to appoint, as a DPO must have the right skills and experience. This can present quite a challenge for many schools, because guidance states that the position cannot be filled by someone with a conflict of interest, ruling out those who work within the school in a senior management role or closely with the data being stored or processed. Perhaps that is why our report found that 22% of respondents already outsource their DPO to an external expert. This is a logical solution and one that we would recommend – as such it’s a figure we expect to rise. It’s important to highlight that there is still time to get it right. GDPR compliance may seem like a regulatory burden, but it has given the education sector a great opportunity to ensure their security procedures are fit for purpose, and the PII of staff and students won’t end up in the wrong hands. Expert GDPR support is available from qualified practitioners who can help you every step of the way as you overhaul your data protection practices. For information on the security consultancy and training services we can provide, visit: nwsystemsgroup.com Nigel Peers, a qualified Data Protection Practitioner with full teacher training status, brings vast strategic security expertise as a previous co-founder of a successful workplace compliance training company, responsible for security site surveys, vulnerability assessments and Security Industry Authority (SIA) training courses. Working in close partnership with board and trustee-level stakeholders, Nigel is responsible for helping organisations understand the latest regulations and ensure risks, threats and vulnerabilities are correctly identified. Through strategic planning support, Nigel optimises security solution delivery from mitigation to implementation, risk and incident management to business continuity and recovery. About NW Security Group Established in 2004, NW Security Group provides
How will GDPR affect schools? UCL data expert tells heads how to prepare
UCL’s Nathan Lea tells our editor Victoria Galligan about how the incoming General Data Protection Regulation (GDPR) will have an impact on schools and what can be done to prepare for the new regime, which comes into force on May 25th… How will GDPR affect the way primary and secondary schools use data overall? The General Data Protection Regulation (GDPR) places a far greater emphasis on transparency with data subjects and indeed their guardians around how data is used. It is likely that schools will need to make their uses of data clearer to parents and guardians, who will be able to ask questions and seek clarifications according to updated and new provisions enshrined in the rights for the individual component of the GDPR. The legal bases upon which data is processed are also being modernised, but where a school is processing data pursuant to an established purpose enshrined in law, it is unlikely to change much, though the new legal bases have been developed to support existing and proposed data use more clearly. It would be important for schools to think about how the six legal bases and additional provisions for special category data (including that related to health and biometrics) will relate to their purposes, but they must be very clear on purpose – why and how you’re collecting and using the data. Where the purpose is unclear, it will need to be clarified or amended to bring it into line with GDPR. Schools in particular should pay particular attention to age at which parental consent for data processing is likely to change. Currently it looks as though the age will be 13 years old across the UK, however they should take extra care in how they interpret it, engage with students and parents, and proceed on their legal team’s and Data Protection Officer’s (DPO) advice. In short, provided schools are clear on purposes for data use, the legal bases for these, are transparent about their processing and are able to be accountable for the processing and protection of data, they should find that their uses will be supported and may not need to change very much. For any new uses they are planning, they will need to perform a Data Protection Impact Assessment in line with the Information Commissioner’s Office’s recommendations. What measures should staff be taking to ensure they comply with GDPR in schools? It is important to take any training that their school is providing for them, and these should be mandatory courses. If staff are unclear, they should seek advice from their data protection officers – it is likely that schools will either have one or share one with other schools in the area. If anyone is unsure, they should seek clarification about what they are expected to do when it comes to data handling and use – it’s important to think about how they currently handle data, for example checking work emails on mobile devices – it is likely these policies will need to be updated and that new policies will be available. But in general, greater care in the handling of data and liaison with the DPO with regards training and good and/or required practice will be vital to ensure compliance. Is the introduction of GDPR in schools going to be a costly process? The biggest “cost” will likely be culture change fuelled by a greater need for awareness about what data is being handled and how. Safe handling of data will need to be much more of a priority and whilst the fines for improper use will be higher, the reputational cost will be even more if something goes wrong where it might have been avoided. Furthermore, certain breaches need to be reported to the ICO within 72 hours of discovery, so schools will need to make sure they have an information risk, security and management process in place, key to which of course is their Data Protection Officer and IT management groups. However this is an important opportunity for schools to really think about what data they are processing, how they are doing so, whether they need to and how they can do it safely. Do heads need to hire data experts to ensure they meet GDPR in schools? It will be very hard to declare that GDPR compliance is being met from day one as nobody knows what that looks like in practice and will not for some time as mistakes are made and cases are pursued by the Information Commissioner or courts. It would not hurt to hire experts to help give an indication of where schools need to improve their data handling processes, but it will be important to provide awareness raising training and education to all staff so that they are clearer on what good practice looks like. Schools should have the required officers in place, including an appropriate DPO. But the decision about hiring a data expert should reside with the head, their IT management groups and their data protection officer. Can schools still use old data (pre-GDPR) for marketing and fundraising purposes? It would depend on the basis upon which the data was originally collected and if it were clear to the data subject that their data would be used in the way that it is proposed moving forward. Schools should look at the legal bases and make sure that they meet the consent requirements for handling contact data: were the purposes clearly identified? Was the consent a positive action and freely given? For example, did the school ask people to tick a box to say they had consented to having their contact details used for marketing or fundraising purposes? Or if people had to untick a box or were told that the data would be used and did not give them a choice in the matter, this is unlikely to meet the test for consent that GDPR now requires). Schools should seek advice from their DPO, legal teams about this point in particular and