At the recent ASCL (Association of School and College Leaders) conference, a guest said to us: “The GDPR? Wasn’t that last year?”
Our heads fell into our hands. How was it possible for someone to be so misguided about such a well-publicised regulation, the requirements of which have huge ramifications for the way organisations handle personal data?
Granted, 2018 was very much ‘the year of the GDPR’ in some circles. It came into effect in May 2018, following much discussion and a last-minute surge of activity from organisations that had put off compliance until the deadline.
But compliance isn’t a one-time thing. The Regulation continues to apply to any organisation that processes the personal data of, or monitors the behaviour of, EU residents.
If you’re wondering about the effects of Brexit, the UK’s DPA (Data Protection Act) 2018, which came into effect on the same day as the GDPR, enacts the Regulation’s requirements into UK law to ensure the same high standards of data protection legislation are in place if and when the UK leaves the EU.
Whichever set of requirements applies, you must be aware that compliance is only ever a temporary status. Business processes develop and the threat landscape evolves, meaning it’s essential that you regularly review your compliance posture and make any necessary adjustments.
GDPR compliance in schools
Schools have a particularly hard time of it when it comes to the GDPR. They often work with tight budgets and lack the resources to retain a dedicated information security team.
Additionally, schools process large amounts of children’s data, which merits extra protection. In some cases, there are specific rules that apply to children, which means data processors must work out whether the data subject qualifies as a child (defined as under 13 in the UK) before proceeding.
If that’s the case, the data processor must account for the following requirements:
Organisations cannot legally obtain consent from children. Instead, they must seek the approval of a person holding “parental responsibility”, and make “reasonable efforts” to verify that the person providing the consent is indeed a parental figure.
This requirement doesn’t apply in the context of preventive or counselling services offered directly to a child.
Organisations must ensure that privacy notices targeted at children are written in plain language that could reasonably be understood by data subjects.
This is similar to the general rules about privacy notices, but it’s important to remember that the language you use must be appropriate to the intended audience. What counts as plain language to a 12-year-old will probably be very different from what counts as plain language to, say, a 5-year-old.
Online services offered to children
In most cases, consent requests for children will relate to online services, or what the GDPR refers to more generally as information society services. These include things such as online shopping, live or on-demand streaming and social networks.
The GDPR states that consent must be closely regulated in these services because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details.
Schools aren’t meeting these requirements
These are reasonable requirements, but many schools still fail to understand the importance of compliance or to make the necessary changes. The ICO (Information Commissioner’s Office) reported that breaches in the education sector increased by 43% in the first three months that the GDPR was in force.
The number of security incidents increased from 355 in the second quarter of 2017–18 to 511 in the same period last year. Meanwhile, the number of incidents involving data breaches increased from 239 to 353.
The ICO found that common disclosure issues included:
- The loss or theft of paper or digital files;
- Emailing information to the wrong recipient; and
- Accidental verbal disclosure.
There has also been a sharp increase in the number of cyber attacks targeting schools, with a 69% rise in malware, ransomware and phishing scams between 2017 and 2018.
Mark Orchison, managing director of cyber security firm 9ine, warned that “schools don’t have the internal expertise” to deal with cyber attacks, and they lack “the skills to understand the risks or what to do when [an attack] happens”.
“Schools are seen as an easy target,” he added. “Sending false invoices, for example, is easy money.”
The figures aren’t all bad news, though. Orchison suggested that the rise in data breach reports may well be a case of schools becoming more aware of what breaches are and when they need to be reported.
Want help tracking your GDPR compliance?
Staying on top of your GDPR compliance requirements can seem daunting, which is why we encourage all organisations to create a plan of action.
Anyone looking for help on what that should include should take a look at our GDPR checklist for schools. It will help you record your school’s progress towards GDPR compliance and identify any areas where development may be required.