Security in schools – what is privacy by design?

Posted June 25th, 2018 by Alessandra Atria

The General Data Protection Regulation (GDPR) deadline has now come and gone. A day fixed in the diaries of organisations around the globe, its implementation means that from now on, any educational institution that experiences a data breach could find itself answering difficult questions from the Information Commissioner’s Office, which may result in fines or, at the very least, reputational damage. Achieving and maintaining compliance is therefore of vital importance.

Deploying a ‘privacy by design’ approach to all projects, from building new IT systems for storing or accessing personal data through to developing privacy policies or strategies, will be key to ensuring compliance. Rapid technological developments have made this a more difficult task: the new systems that allow us to better protect educational facilities and the people within them also generate vast amounts of data, which have value both to the data subject and to malicious parties who may attempt to steal them. It is more important than ever to ensure robust data protection is in place.

Why is privacy by design so important?

Privacy by design is a mindset the education sector must embrace, particularly because, as we pointed out in a recent survey of education professionals, data breaches are on the rise. This approach entails reviewing and assessing the impact and associated risks of every process that handles Personally Identifiable Information (PII), so that weaknesses are recognised and addressed before they are exploited.

Schools, colleges and universities must change their mindset regarding data protection. It is important not to make rash decisions about halting activities that may now be deemed a risk, such as taking students’ work home to mark. Instead, such a process must be reviewed in more depth. What are the risks involved? How can it be ensured that essential activities are carried out securely? The answer could be storing the data only on encrypted devices, and never leaving those devices unattended when they are taken out of the workplace. Once a privacy policy has been agreed, it should then be written down, so that the decision and the controls behind it can be evidenced later.

Progress is being made

The good news is that many educational establishments have already embraced this mindset. As highlighted in NW Security Group’s recent whitepaper, 43% of respondents already ensure technology, processes and policies are created with privacy by design in mind. Furthermore, 65% have a designated employee or outsourced service capable of conducting a Data Protection Impact Assessment (DPIA). This is an integral procedure that helps identify and minimise risks and should not be overlooked.

These are positive steps, but there is more work to be done, as our survey also found that 70% of respondents did not think they could effectively evidence privacy by design if they fell victim to a breach. This is an issue not only identified by our whitepaper. While conducting Organisational Compliance Assessments (OCAs), NW Security Group found that although many establishments believed best-practice processes and policies were in place, there was nothing to evidence this.

Documentation is critical to privacy by design, and therefore to GDPR compliance. The GDPR’s accountability principle requires organisations not only to comply but to be able to demonstrate that they do; even if the correct policies are in place, an educational facility that cannot show documented evidence of them will be treated as non-compliant. With the GDPR now law, educational establishments must be seen to be putting data protection measures in place. This starts with awareness training: it is crucial that all staff have a good understanding of their obligations and of recommended best practice.
