With the Information Commissioner’s Office (ICO) recently reporting a 40% growth in data security incidents in the education sector [1], it comes as no surprise that regulation is also increasing. The topic of compliance is rising up the agenda for senior leadership and operational management professionals, and top of the agenda should be the new General Data Protection Regulation (GDPR) – due to come into force on 25th May 2018.
The GDPR contains requirements pertinent to the education sector, outlining how organisations should process and safeguard Personally Identifiable Information (PII). This includes ensuring data breaches are reported to the relevant authorities within 72 hours and having policies in place to provide data portability. The new regulation is expected not only to simplify the complex regulatory environment, but also to ensure adequate protection of student, staff and stakeholder data.
Requirement for a Data Protection Officer (DPO)
Due to the sensitive and often fragmented nature of data held by Academy Trusts, GDPR adherence will require significant planning and review of the people, systems and processes necessary to implement it. While senior management will be key to ensuring security and data protection are taken seriously throughout an organisation, GDPR itself discourages senior leadership and operational management from managing this process directly, and encourages the appointment of a nominated individual who reports to them. The legislation says public authorities must employ a Data Protection Officer (DPO) to ensure they have the staff and skills required by GDPR and to act as the first point of contact for supervisory authorities and for individuals whose data is processed. Although there is no definition of ‘public authorities’ in the GDPR, it is likely to include schools and academy trusts, as is the case under current data protection law.
With School Leadership Teams facing a variety of challenges, such as improving student education and maintaining safeguarding levels while dealing with restricted budgets, it is understandable that the need to review data protection and security policies has sometimes slipped down the priority agenda. In the commercial world, the fiduciary and legislative compliance responsibilities outlined in law such as in the Companies Act 2006 often take precedence. As educationalists, however, senior management’s priority understandably remains with the welfare of staff and students. As data held on students and captured by devices such as CCTV becomes digitalised, safeguarding is evolving and becoming increasingly interlinked with the issues of security and data protection.
Reviewing governance and compliance
In order to meet GDPR requirements and for bodies such as Academy Trusts to achieve governance best practice, NW Security is working closely with education providers to ensure a holistic approach to physical security and cybersecurity that places GDPR compliance and safeguarding at its core. This includes not only a top-level review of an establishment’s governance procedures but also an in-depth internal governance review, evaluating the level of compliance when measured against statutory requirements such as safeguarding and GDPR.
GDPR’s precise impact remains unknown, yet there is little doubt that it will reshape the way the education sector approaches the issue of data protection. While the most severe breaches can result in a fine of €20 million or 4% of annual turnover (whichever is higher), penalties of up to €10 million or 2% of annual turnover can be imposed simply for a lack of adherence to the regulation. Ahead of the May 2018 deadline, Academy Trusts have an opportunity to prepare for the legislation and carefully consider how the support of an external partner could be beneficial. While a review of existing systems and technology is a good place to start, a DPO will be best placed to advise on the tasks involved. These range from data breach impact assessments to evaluating key stakeholders’ current understanding of GDPR and existing internal data protection activities.