GDPR, data security and the education sector
Keeping up to date with the latest General Data Protection Regulation (GDPR) news can be stressful, but with the harsh penalties set by the European Parliament, it's worth being aware of what unfolds.
However, although education is one of the largest sectors in the world, it is often left out of the GDPR discussion.
GDPR: what is it?
To understand what impact GDPR can have on those working in education, it's important to be aware of what this new piece of legislation means. GDPR is set to strengthen data protection across Europe and will eventually replace the current Data Protection Act (DPA). It will be implemented on 25 May 2018.
Even though the UK will soon leave the EU after the decision was made in the 2016 referendum, it's likely that GDPR will be brought into British law by the government and enforced as if it was its own initiative to help unify data protection.
What you must be aware of
Over time, education establishments collect a large amount of personal data -- including that of their pupils and staff. Many educational institutions also record surveillance footage of day-to-day activity through the CCTV systems they have in place. Whether it's stored in a filing cabinet or backed up on an IT system, there's a lot of data collected in schools and universities, and all of it will be affected by the GDPR legislation.
To reduce the chances of a data breach, data should be stored in a secure location, as the Data Protection Act (DPA) already requires. Although this will still apply once GDPR has arrived, education establishments will have a greater responsibility to protect data, no matter what format it is in, to ensure that they comply with the new regulation. Large fines will be given to those who do not comply with this new piece of legislation enforced by the EU.
As schools will currently know, under the DPA the non-compliance penalty can reach GBP500,000, enforced by the Information Commissioner's Office. GDPR fines could reach up to GBP20 million or 4% of global turnover, for both data controllers and data processors.
Data Processor: On behalf of the data controller, the data processor processes data. It isn't part of the school or education establishment itself.
Data Controller: The data controller is the main organisation itself -- having the power to decide how data is used.
Once GDPR is introduced, data processors must have minimum capabilities for IT asset disposal. Education establishments will have to prove that they are working with a credible organisation when it comes to disposal of data.
Currently, it's not compulsory for education centres to have a binding contract with their data processor. However, this is all set to change under GDPR. Next year, schools will have to have a contract or SLA (Service Level Agreement) in place with whichever processor they decide to work with -- if this is not in place, you will be breaking the law.
Becoming compliant with GDPR
Being compliant with the DPA allows you to make swift changes when it comes to preparing for GDPR.
However, just because you're complying with the DPA doesn't mean you're complying with GDPR, so you will need to review and adjust your current policies. According to the Information Commissioner's Office, an education centre can take several steps to prepare for this new legislation. The first step is awareness: you need to make sure that everyone who handles any type of personal data knows that the DPA is being replaced by GDPR, understands what they can and can't do, and understands the consequences.
Complete an information audit to determine who you are sharing personal data with. As children are usually involved, you need to put systems in place that will help verify a person's age and then gather parental/guardian consent for any data processing activity you carry out. Most schools will find themselves retaining data years after it has gone 'out of date' (for example, once someone leaves your establishment) -- but you will soon need to remove it.
To do this, you need to consider the students' rights, which determine how you delete data or provide it in an electronic format. As data breaches are becoming more common within education centres, you will need to have robust procedures in place to deal with an incident when it happens. All staff handling data should be aware of these procedures.
It could be beneficial to appoint a Data Protection Officer who can take responsibility for data protection. If you're working in the education field, and with GDPR quickly approaching, you need to become knowledgeable on the situation before it becomes too late. Read more about GDPR and the education sector on the ICO website.