Fewer than half of UK schools believe they are GDPR compliant


New research findings released today by RM Education and Trend Micro show that fewer than half of UK schools and colleges (48%) believe they are fully GDPR compliant, and that confusion remains over staff responsibility for GDPR compliance. Last year 156 education professionals were surveyed about how practices and systems have changed since the arrival of GDPR in May 2018 and about their ongoing concerns regarding the legislation.

Key findings from the research include:

- Half of schools believe they are in breach of the regulations – 52% of schools surveyed did not think they are GDPR compliant. In addition, 14% of schools still do not have a strategy in place to become GDPR compliant.
- Fines would have a severe impact – almost four-fifths of schools and colleges (79%) stated they would be significantly affected by any fine for not complying with GDPR, and 65% said a data breach would significantly impact their reputation.
- Staff are considered the biggest risk – ‘accidental loss by staff’ is considered the biggest data threat (75%), followed by cyber criminals (19%).

Respondents were from schools and colleges across the UK and included IT Managers, Data Protection Officers (DPOs) and other school leaders. Just 48% of respondents stated that they believed their school/college to be fully GDPR compliant. Among the reasons given for lack of compliance, 23% cited legacy systems as a challenge, 46% cited security awareness and 31% cited lack of financial investment.

However, the research suggests that schools and colleges are taking GDPR seriously and that significant steps have been taken to work towards compliance. Of those surveyed, 97% of schools and colleges had updated their policies, 89% had increased staff training, 85% had hired a DPO and 83% had carried out a data audit (including third-party systems). Furthermore, 38% of those surveyed had increased their IT spend as part of becoming GDPR compliant.
When surveyed about the possibility of a data breach, 77% of respondents stated they were confident that their school/college was as secure as it could be against a data breach. However, just over two thirds of schools surveyed (71%) had a formal data breach response plan in place. Asked what they considered to be the biggest threats to their data, 19% of respondents named cyber criminals and 75% said accidental loss by staff.

Steve Forbes, Principal Product Manager at RM Education, comments: “From our work with thousands of schools across the UK we know that untangling the intricacies of GDPR has been a great concern for education providers. One surprising finding is that 91% of schools and colleges surveyed stated that they knew where all their data resides. Schools and colleges process large quantities of data on their pupils, staff and suppliers, and it’s likely that data is in more places than perhaps thought. We will continue to support schools to help them identify these data sources and implement the right cyber defences to protect data both inside and beyond the school’s gates.”

Forbes continues: “The survey has uncovered some interesting findings, and highlights the challenges that schools are facing today. There is some confusion in terms of roles and responsibilities in schools when it comes to GDPR. 60% of those surveyed said final responsibility for GDPR sits with the Principal/Head Teacher, 42% said the responsibility also sits with the DPO and 31% said responsibility also lies with the head of IT. GDPR compliance does not sit with one role alone, and the responsibility for compliance is shared. A DPO is tasked with monitoring GDPR compliance and other data protection laws and policies, awareness-raising, training, and audits. However, as in all other organisations, responsibility for compliance within a school must be a shared responsibility, and this relies on a whole-school approach.”

Download the full report at rm.com/GDPR-in-schools

Why cybersecurity needs to be a priority for the education sector

Adrian Jones from Swivel Secure on cybersecurity

Adrian Jones, CEO at Swivel Secure

Education institutions need to make cybersecurity a priority. Despite the sector facing major challenges such as a lack of staffing and a lack of funding and resources, cyber attacks are no less frequent or severe in education. In fact, they seem to be gaining ground in prevalence year on year, as breaches in schools and higher education are widely reported.

In recent years we’ve seen news of ransom attacks causing financial damage, like that on the University of Calgary, where the institution allegedly handed over $20k to cybercriminals, and malware attacks causing mass disruption, similar to the disruption which apparently caused the Minnesota School District to shut down for a day while IT professionals rebuilt the system.

The more worrying breaches are those where student safety is compromised. Educational institutions are entrusted to safeguard their students, many of whom are minors, but a weak cybersecurity infrastructure can put them at risk. This was made all too clear when the CCTV in several schools in Blackpool was allegedly breached and the footage reportedly live-streamed on the internet.

It’s an unfortunate fact that, while cybersecurity in education is necessary to protect against financial loss and prevent disruption, it’s also crucial to protect students from harm. That is why the sector needs to do everything it can to ensure its applications and systems are protected, and work to overcome any challenges.

In this article, we’ll look at the current state of cybersecurity in education. We’ll discuss the most common reasons for attack, the highest threats and the main challenges facing the sector, to help you understand why cybersecurity needs to be a priority and how you can make it a priority for your educational institute.

Why education is a target for cybercrime

There are four key reasons why education is a target for cybercriminals.
With education venues varying in size, purpose and stature, the motives for attack can vary too. For example, what might be a common threat for world-renowned universities/colleges might not be an issue for schools or school districts. So, institutions need to evaluate the risk and understand what data is vulnerable to unauthorised access.

DDoS attacks – Distributed Denial of Service (DDoS) attacks are a common type of attack on all levels of education venue. Here the attacker’s motive is to cause widespread disruption to the institute’s network, with a negative effect on productivity. This can be a relatively easy attack for amateur cybercriminals to carry out, especially if the target network is poorly protected. There have been instances of students or teachers successfully carrying out a DDoS attack, with motives ranging from simply wanting a day off to protesting the way a complaint was handled.

Data theft – This is another attack affecting all levels of education, because all institutions hold student and staff data, including sensitive details like names and addresses. This type of information can be valuable to cybercriminals for several reasons, whether they plan to sell the information to a third party or use it as a bargaining tool to extort money. The concerning aspect of this type of attack is that hackers can go unnoticed for long periods of time, as was the case at Berkeley, where at least 160,000 medical records were allegedly stolen from university computers over a number of months.

Financial gain – Another motive for hackers carrying out an attack on an education institution is financial gain. This might not be as high a risk for public schools, but with private institutions and universities/colleges handling a large number of student fees, they’re a prime target for cybercriminals. Today, it’s usual for students or parents to pay fees via an online portal, often transferring large sums of money to cover a whole term or year of tuition. Without proper protection or preparation on the part of education institutions, this presents a weak spot for cybercriminals to intercept.

Espionage – The fourth reason why education is a target for cybercrime is espionage. Higher education institutes like universities/colleges are often centres for research and hold valuable intellectual property. Universities/colleges need to be suitably protected, as it’s thought that scientific, engineering and medical research by UK universities has previously been compromised by hackers, and with plenty of time and money to fund them, professionals are often at the helm of these attacks.

With these four motives in mind, the way in which hackers carry out an attack on education networks can further help us understand how to protect them.

How education is targeted

JISC’s 2018 Cybersecurity Posture Survey questioned IT professionals within further and higher education. They were asked to name the top cyber threats facing their institutions, and the top three answers give us insight into the most common ways education networks are breached.

Phishing – Phishing scams often take the form of an email or instant message and are designed to trick the user into trusting the source in a fraudulent attempt to access their credentials, whether that’s sensitive student data or confidential research. This type of attack is highlighted as the top threat facing higher education venues, suggesting hackers regularly target the sector using this method.

Ransomware/Malware – Also in the top three cyber threats highlighted by the report, ransomware and malware attacks prevent users from accessing the network or files and cause disruption. More advanced forms of this threat can see attackers hold files to ransom.
Ransomware or malware typically infects devices using a trojan, a file or attachment disguised to look legitimate. However, some ransomware (like the WannaCry attack) has been shown to travel between devices without user interaction.

Lack of awareness – The third threat listed by professionals in both further and higher education is a lack of awareness, or accidents. This could be on the part of staff or students who aren’t sufficiently trained to practise good cyber hygiene or who accidentally compromise the network.

Despite taking on different appearances,

GDPR two months on: best-practice tips to help the education sector achieve compliance

GDPR expert Nigel Peers of NW Security Group

Nigel Peers, Security & Risk Management Consultant at NW Security Group, looks at the lay of the land since GDPR enforcement began, discussing how schools can gain and maintain compliance…

With months of speculation behind us regarding the many complexities and intricate details of the EU General Data Protection Regulation (GDPR), the conversation has now shifted from raising awareness of the practicalities of its implementation to giving actionable advice that will help schools, colleges and universities achieve and maintain compliance.

It’s been almost two months since the May 25th deadline passed, and while the Information Commissioner’s Office (ICO) has given reassurances that it isn’t going to start immediately handing out large fines to every school that remains non-compliant, it is important that facilities can show a desire to adhere to the regulation to protect staff and students’ data. That is because breaches within the sector are continuing to soar. In 2017 data breaches rose an astounding 103% compared to the previous year; schools, colleges and universities must do all they can not to become the next statistic.

The concern is only exacerbated by the recent finding that only 16% of educational institutions currently realise they’ve fallen foul of a data breach. This begs the question: do they have the internal awareness to identify what a breach is? Improved training is clearly paramount.

In our conversations with schools post-GDPR, two queries are commonly raised regarding how the new legislation will impact schools, colleges and universities. Firstly: ‘do we have a lawful basis for storing data?’; and secondly: ‘should we appoint a Data Protection Officer (DPO)?’. As the guardians of confidential and private information regarding both students and staff, it is important that facilities quickly get up to speed on how the legislation may affect them.
These are our top tips to help navigate the journey to compliance.

What is a lawful basis for storing data?

The first question educational institutions have been pondering is: what is a lawful basis for storing data, and do we have it? When it comes to data collection and storage, all institutions must have a lawful basis to record Personally Identifiable Information (PII). Anything that can identify an individual is classed as PII, whether physical or cyber, so schools, colleges and universities must take a close look at the data being stored and ensure they do have the right to do so.

A lawful basis includes contractual uses, compliance with legal obligations, and the interest of the data subject, such as safeguarding welfare. It is also important to keep in mind that PII stored for marketing purposes, such as e-mail marketing databases, can only be stored with the consent of the data owner, which must be given freely and kept up to date.

To achieve compliance, the lawful basis for processing data should also be identified and documented within a school by updating its privacy policy and notices. Undertaking such an audit might sound like a daunting prospect, but doing so will clean up databases and ensure consent to store and process PII is gained going forward. This is important because it has been our experience that, while many institutions believe they are protecting PII and have effective policies in place, these haven’t been documented adequately, leading to non-compliance.

Do I need to appoint a DPO?

The second area of uncertainty among many educational facilities is whether it’s necessary to appoint a Data Protection Officer (DPO). This has been a grey area for many educational institutions, as the GDPR states a DPO must be appointed by all public authorities and any organisation carrying out systematic monitoring of individuals on a large scale.
It’s open to interpretation whether schools and academies fit these criteria, but the need for somebody to take responsibility for data protection is clear. Our recent survey found that 70% of respondents didn’t think they could evidence that the correct procedures were in place if they fell victim to a breach. Furthermore, over half (51%) of those responsible for the administration of an access control system were found not to be trained in data protection.

Best practice would be to appoint somebody to take responsibility for ensuring compliance, but the issue for many is then who to appoint, as a DPO must have the right skills and experience. This can present quite a challenge for many schools, because guidance states that the position cannot be filled by someone with a conflict of interest, ruling out those who work within the school in a senior management role or closely with the data being stored or processed. Perhaps that is why our report found that 22% of respondents already outsource their DPO to an external expert. This is a logical solution and one that we would recommend; as such, it’s a figure we expect to rise.

It’s important to highlight that there is still time to get it right. GDPR compliance may seem like a regulatory burden, but it has given the education sector a great opportunity to ensure its security procedures are fit for purpose, and that the PII of staff and students won’t end up in the wrong hands. Expert GDPR support is available from qualified practitioners who can help you every step of the way as you overhaul your data protection practices.
For information on the security consultancy and training services we can provide, visit: nwsystemsgroup.com

Nigel Peers, a qualified Data Protection Practitioner with full teacher training status, brings vast strategic security expertise as a previous co-founder of a successful workplace compliance training company, responsible for security site surveys, vulnerability assessments and Security Industry Authority (SIA) training courses. Working in close partnership with board and trustee-level stakeholders, Nigel is responsible for helping organisations understand the latest regulations and ensure risks, threats and vulnerabilities are correctly identified. Through strategic planning support, Nigel optimises security solution delivery from mitigation to implementation, risk and incident management to business continuity and recovery.

About NW Security Group

Established in 2004, NW Security Group provides

How will GDPR affect schools? UCL data expert tells heads how to prepare

GDPR comes into force on May 25th

UCL’s Nathan Lea tells our editor Victoria Galligan how the incoming General Data Protection Regulation (GDPR) will have an impact on schools and what can be done to prepare for the new regime, which comes into force on May 25th…

How will GDPR affect the way primary and secondary schools use data overall?

The General Data Protection Regulation (GDPR) places a far greater emphasis on transparency with data subjects, and indeed their guardians, around how data is used. It is likely that schools will need to make their uses of data clearer to parents and guardians, who will be able to ask questions and seek clarifications according to updated and new provisions enshrined in the rights-for-the-individual component of the GDPR.

The legal bases upon which data is processed are also being modernised, but where a school is processing data pursuant to an established purpose enshrined in law, it is unlikely to change much, though the new legal bases have been developed to support existing and proposed data use more clearly. It would be important for schools to think about how the six legal bases and additional provisions for special category data (including that related to health and biometrics) will relate to their purposes, but they must be very clear on purpose – why and how you’re collecting and using the data. Where the purpose is unclear, it will need to be clarified or amended to bring it into line with GDPR.

Schools in particular should pay attention to the age at which parental consent for data processing is likely to change. Currently it looks as though the age will be 13 years old across the UK; however, they should take extra care in how they interpret it, engage with students and parents, and proceed on their legal team’s and Data Protection Officer’s (DPO) advice.
In short, provided schools are clear on their purposes for data use and the legal bases for these, are transparent about their processing and are able to be accountable for the processing and protection of data, they should find that their uses will be supported and may not need to change very much. For any new uses they are planning, they will need to perform a Data Protection Impact Assessment in line with the Information Commissioner’s Office’s recommendations.

What measures should staff be taking to ensure they comply with GDPR in schools?

It is important to take any training that their school is providing for them, and these should be mandatory courses. If staff are unclear, they should seek advice from their data protection officers – it is likely that schools will either have one or share one with other schools in the area. If anyone is unsure, they should seek clarification about what they are expected to do when it comes to data handling and use. It’s important to think about how they currently handle data, for example checking work emails on mobile devices; it is likely these policies will need to be updated and that new policies will be available. But in general, greater care in the handling of data, and liaison with the DPO with regard to training and good and/or required practice, will be vital to ensure compliance.

Is the introduction of GDPR in schools going to be a costly process?

The biggest “cost” will likely be culture change, fuelled by a greater need for awareness about what data is being handled and how. Safe handling of data will need to be much more of a priority, and whilst the fines for improper use will be higher, the reputational cost will be even greater if something goes wrong where it might have been avoided.
Furthermore, certain breaches need to be reported to the ICO within 72 hours of discovery, so schools will need to make sure they have an information risk, security and management process in place, key to which of course are their Data Protection Officer and IT management groups. However, this is an important opportunity for schools to really think about what data they are processing, how they are doing so, whether they need to and how they can do it safely.

Do heads need to hire data experts to ensure they meet GDPR in schools?

It will be very hard to declare that GDPR compliance is being met from day one, as nobody knows what that looks like in practice and will not for some time, as mistakes are made and cases are pursued by the Information Commissioner or courts. It would not hurt to hire experts to help give an indication of where schools need to improve their data handling processes, but it will be important to provide awareness-raising training and education to all staff so that they are clearer on what good practice looks like. Schools should have the required officers in place, including an appropriate DPO. But the decision about hiring a data expert should reside with the head, their IT management groups and their data protection officer.

Can schools still use old data (pre-GDPR) for marketing and fundraising purposes?

It would depend on the basis upon which the data was originally collected and whether it was clear to the data subject that their data would be used in the way that is proposed moving forward. Schools should look at the legal bases and make sure that they meet the consent requirements for handling contact data: were the purposes clearly identified? Was the consent a positive action and freely given? For example, did the school ask people to tick a box to say they had consented to having their contact details used for marketing or fundraising purposes?
If people had to untick a box, or were told that the data would be used and were not given a choice in the matter, this is unlikely to meet the test for consent that GDPR now requires. Schools should seek advice from their DPO and legal teams about this point in particular and

Five GDPR Myths Debunked


Living in an increasingly digital world has brought about undeniable changes to our lives. One of the consequences of this is the amount of data we all share, including many of our personal details. Medical professionals, retailers, insurers and numerous other service providers all hold personal data, some of which is highly sensitive. However, the way our data is used isn’t always clear, nor can we be sure it is being kept secure.

The new General Data Protection Regulation (GDPR) the EU is introducing next May aims to tackle this by creating new rules to keep data safe. It will also give people greater control over how their personal data is used. While many organisations are now aware of the legislation, they are not as clear about the precise impact it will have on them and what new data practices they need to adopt. What’s more, there is no shortage of conjecture on the subject. So, Sam Reed, a certified GDPR Practitioner and the Chief Technology Officer at AirIT, is going to clarify the truth behind some of the myths circulating.

Myth – It’s not relevant to the UK because of Brexit.

Reality – Because the legislation is being introduced while Brexit is being negotiated, some believe it won’t apply to the UK. Others believe it will only apply until March 2019, when we are due to leave the EU. In fact, the legislation will apply to anyone who offers services to EU citizens, regardless of where you are based. Even if you don’t handle EU citizens’ data, you will still have to adhere to new data protection laws being introduced to the UK. The government says the proposed changes, which have already been detailed in a Data Protection Bill, will incorporate GDPR’s rules. They are doing this to help Britain prepare for a successful Brexit. The new UK law will replace the 1998 Data Protection Act and aims to make the UK fit for the digital age.

Myth – There isn’t enough clear information on consent available to start preparing.
Reality – One of the changes GDPR will make is raising the standards for getting consent to use people’s data. Some organisations believe they should wait for the Information Commissioner’s Office to issue its final guidance on consent before they make any changes, but this isn’t necessary. The ICO says it is waiting for Europe-wide consent guidelines to be published so it can offer consistent guidance. In the meantime, it has given draft consent guidance which it doesn’t expect to change much when the formal guidance is published. The guidance given includes obtaining explicit consent, naming third parties who will rely on the consent, and making it easy for people to withdraw consent. An important point to clarify is that you don’t always need consent. For example, banks sharing data for fraud protection, or local authorities processing council tax information, can use a different lawful basis to consent.

Myth – It is going to put an unfair burden on businesses.

Reality – There are some who feel GDPR is putting undue pressure on businesses to change their working practices, or risk a hefty fine. However, the ICO has pointed out that the new higher fines being quoted are the maximum allowed and will not be routine. It says fines will remain a last resort and will be issued proportionately. So, those concerned that the maximum fine of £17 million, or 4% of turnover, will be imposed simply to set an example early on need not worry.

Rather than putting undue pressure on businesses, I believe the new legislation offers the ideal opportunity to review your data and ensure it is up to date. So, in the end, you may end up with less data, but it will be of a better quality. It is also a good opportunity to review your cyber security measures, because new threats are constantly emerging and can affect businesses of all sizes. Some small businesses mistakenly believe they are unlikely to be targeted.
However, according to the Federation of Self Employed and Small Businesses (FSB), cyber crime is one of the fastest growing risks to small businesses. An FSB report found that 19,000 cyber crimes are committed against small businesses in the UK every day, while a government report estimates that the average cost of a breach to a small business is £3,100. Making sure you have robust cyber security measures in place is wise, regardless of the legislation. The National Cyber Security Centre gives 10 steps you can take to protect yourself.

Rather than hampering the ability of businesses to use data, GDPR may make people more willing to share their data because of the new security standards. ICO research shows that people “would be more willing to provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly.”

Myth – GDPR is going to revolutionise the way we handle and use data.

Reality – There is currently so much hype surrounding GDPR that it is easy to believe it is going to completely change how we use data. But the ICO is keen to point out the new law is “an evolution not a revolution”. The new law will keep many of the same principles as the current data laws and simply build on these. Those who follow the current data protection laws are already likely to be in a good place. They now simply need to review and update their current procedures, which won’t just keep them on the right side of the new law but will benefit them too.

Myth – Everyone needs to appoint a Data Protection Officer.

Reality – There is also some concern that every organisation now has to appoint a data protection officer. The DPO is meant to be the data protection expert in an organisation. Although many organisations will need a DPO, including small businesses, not everyone needs to appoint one.

Under