A lack of security awareness and a lack of resources are among the major roadblocks for UK schools and colleges in their mission to be fully compliant with GDPR, new research has revealed.
A survey of 156 schools and colleges across the UK has revealed that even though many months have passed since GDPR was implemented in the country through the remodeled Data Protection Act, 52% of them are still not fully compliant with GDPR.
GDPR was introduced to penalise organisations that do not take the privacy and security of their customers' data seriously and suffer breaches as a result. To be compliant, an organisation needs to maintain full visibility over all the data it holds, appoint a data protection officer, ensure it has a legal basis for whatever data it processes, obtain clear and precise consent from people before collecting their personal data, carry out privacy impact assessments, and report breaches to the authorities within the stated timelines.
If an organisation suffers a loss of enterprise or customer data as a result of poor data protection processes, it can be fined up to €20 million or up to 4% of its annual global turnover under the new Data Protection Act. Such fines are far larger than the maximum of £500,000 that could be imposed on offending organisations under the 1998 Data Protection Act.
Only 48% of schools and colleges say they are GDPR compliant
Despite the severity of the penalties GDPR provides for, over half of the schools and colleges in the UK are still not fully compliant with GDPR, even though a large majority of them are aware that monetary fines imposed under the new DPA would “significantly impact” them, a survey from Trend Micro and RM Education has revealed.
As noted by TES, while 52% of UK schools and colleges admitted to not being fully compliant with GDPR, 46% of them said that a lack of security awareness is preventing them from becoming fully compliant, and another 39% said a lack of financial investment is the biggest factor behind their non-compliance.
Considering that 79% of schools and colleges fear that monetary fines imposed under the new DPA would “significantly impact” them, it is clear that they are aware of what GDPR entails, but a lack of resources is preventing them from achieving GDPR compliance. The fact that 38% of them have increased their spending on IT also suggests that they are serious about avoiding breaches in the future.
However, while 19% of schools and colleges fear that cyber criminals could pose the biggest threat to them in the future, 75% of them believe that accidental loss of sensitive data by their staff could expose them to GDPR fines.
"Things as simple as leaving a memory stick lying around, not changing your password regularly, or not updating to the latest software could have a seriously big impact. Having a strategy in place to ensure all data is protected, and able to be deleted should a pupil or parent request it, is also key," Bharat Mistry, principal security strategist at Trend Micro, told TES.
Schools must be prepared for cyber attacks
The findings of the fresh survey aren't very different from what Stephen Morales, chief executive officer of the National Association of School Business Management, warned about a couple of years ago when he spoke about the vulnerability of UK schools to cyber attacks.
"School business professionals need to be prepared for cyber-attacks and to have clear checks and reviews, as well as processes in place if an attack happens. However, the pressure on school budgets means that it is likely there will be less, rather than more, capacity to ensure schools are prepared and protected from attack," he said.
Under GDPR, schools need to “ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services”, and therefore have to ensure that the systems they use are always updated with the latest security patches and that data is always encrypted or stored securely.
According to the UK's Action Fraud department, schools have already been targeted by hackers posing as the 'Department of Education' and trying to trick employees into clicking on links or installing ransomware which the hackers can then use to take control of systems and demand money.
"This kind of attack can certainly affect schools, and the indiscriminate nature of these attacks puts everyone at risk. Across the education sector, there will be organisations on top of good practice, and there will be ones that struggle. Our aim is to ensure that every organisation has access to the right skills and a cadre of professionals they can rely upon to know they are safe. We have a long way to go," David Evans, director of community and policy at the BCS, told TES.