The Headteacher

New EU Data Protection Regulations – What Schools Need To Know About GDPR

September 26, 2017, 3:23 GMT+1
Read in 7 minutes
We hear what schools can do to keep their data secure, and why they should start preparing now for the arrival of the EU’s GDPR law...

“Make sure you know where your data is stored”

– Andrew Williams, information security and online safety consultant for SWGfL

Data has come to occupy the centre of our world. Every day we rely on computer technology and internet connections to deliver vital services and information – but if something goes wrong, how long will it take you to resolve the issue?

Broadly speaking, cyber security threats will fall under one of the following categories:

• Non-malicious – issues that stem from user error, carelessness or lack of knowledge and training.

• Malicious – problems that are the result of deliberate actions on the part of others, such as fraud, sabotage, cyber-crime and phishing, among others.

• Technology-specific vulnerabilities – these will be caused by defective or ageing software, hardware and networking equipment.

• Man-made threats – severe issues arising from civil disorder, warfare, terrorist attack and other such incidents.

• Natural threats – equipment failure, damage or connection issues caused by earthquakes, flooding, fire and so forth.

To help secure its data, every school will employ a variety of technologies, policies, infrastructure approaches and contractual relationships.

Your school may well have a disaster recovery plan, but these can sometimes overlook your data and might never have been tested. If your system goes down and you discover a problem with your back-up, you’ll have no way of accessing your school’s core information.

However, there are some things that everyone can do to improve their organisation’s standards of data protection. A 2016 report produced by SWGfL and Plymouth University showed that schools recorded staff training as a consistently weak aspect of their online safety policies – despite staff having access to sensitive data about children – and often required regular training to reinforce the importance of good data protection procedures.

First off, then, make sure you know where your data is stored. Then ask your staff if they know. If you know what data belongs where, you can start to control and contain the potential threats. Adopt a clear data protection policy, and ensure your staff know what their obligations are and how to perform them – this can be an invaluable help in protecting your data later down the line.

Encourage staff to use strong passwords. Use antivirus and malware applications and keep them updated. Monitor and log any apparent hacking attempts, and use data encryption where appropriate – all these are vital. Retain a good technology partner that’s supportive and responds to requests promptly. If you don’t, maybe rethink how much of your budget should go towards one.

You can avoid a lot of stress and headaches later on by developing an appropriate incident management plan and response process. Make sure that this includes data loss scenarios – and don’t forget that the importance of a carefully considered back-up routine can’t be over-emphasised. Finally, consider taking out a cyber risk insurance policy.

Check that the policy will provide sufficient cover to meet your requirements and be sure to use a large, reputable firm.

South West Grid for Learning (SWGfL) is a charitable trust providing connectivity services and learning technologies to schools and other organisations; visit swgfl.org.uk or follow @SWGfL_Official

“GDPR can’t be ignored”

– Sarah Briscall, commercial solicitor at Shulmans LLP

The General Data Protection Regulation (GDPR) is a new EU law relating to data protection which is due to take effect on 25th May 2018. One might question this need for compliance in light of last year’s EU referendum – but with Brexit unlikely to take effect before March 2019, all UK organisations (including educational institutions) will still need to comply with GDPR as of that 2018 deadline or risk being in breach.

Even after Brexit takes effect, the UK will need to adopt its own broadly similar legislation in place of GDPR. The UK’s Information Commissioner has made it very clear that this will be the approach, so any steps taken now to comply with GDPR won’t be a wasted effort, but rather a way of future-proofing your organisation’s compliance. On that basis, GDPR can’t be ignored.

GDPR will require educational organisations to designate a Data Protection Officer (DPO). That role may already exist at your organisation in some form, but GDPR imposes much stricter requirements in terms of qualifications and experience. Simply having a colleague wear a ‘DPO hat’ alongside their existing duties is unlikely to be sufficient, so recruiting or training a suitable individual should be an immediate priority.

Within the education sector, a large proportion of processed data will be classified as ‘sensitive’ (such as details of individuals’ health records, ethnicity or religion, for example). Before 25th May 2018, your organisation should ask itself:

• Do we only collect information necessary for specific purposes?
• Do we hold on to that information only for as long as it’s deemed necessary?

Data relating to children also raises the issue of whether suitable consent has been provided for its processing. In most cases, you’ll be relying on the consent of parents or guardians. This consent needs to be clearly documented, and the reasons for processing it need to be specified. Under GDPR, consent is going to become much harder to rely on, so take steps now to address this.

Another factor to consider is that individuals are becoming more aware of their legal rights in respect of data protection. The scope of these rights will increase under GDPR. Subject access requests have become increasingly common, with individuals wanting to know what data is held on file about them and their children.

Does your organisation fully understand the nature of the data it holds and where it’s stored? Could you comply with such requests within the (stricter) GDPR deadline of 30 days?

Failure to tackle your GDPR preparations in time could result in significant consequences. The Information Commissioner’s Office (ICO) will be able to impose fines based on a percentage of worldwide turnover or a fixed sum, whichever is higher. In some cases, this can be up to €20 million – a sharp increase from the current maximum fine of £500,000.

More importantly, any steps taken by the ICO can and will be published. Not only will your organisation be under the scrutiny of the ICO going forward, but any breach or investigation will be put in the public domain. In organisations where trust and safety are paramount, this reputational risk could be far more damaging than any monetary fine.

Visit shulmans.co.uk or follow @ShulmansLLP