New research reveals low levels of GDPR compliance among educational facilities

Despite high levels of awareness regarding the EU’s General Data Protection Regulation (GDPR), which comes into force on Friday, only 22% of schools, colleges and universities of the 500 surveyed by NW Security Group felt that their data protection policies were compliant. Furthermore, 70% said that, if they fell foul of a data breach, they wouldn’t be able to evidence that the correct procedures were in place.

The research sought the feedback of head teachers, governors, IT, security and facility managers in the North West of England to determine their awareness levels of, and adherence to, the GDPR. 64% of those surveyed are aware of the GDPR, but require further information regarding its impact. 11% of schools, colleges and universities have experienced a data breach and not informed the Information Commissioner’s Office. If made aware of a data breach, 14% of respondents would ignore the issue and hope the problem resolves itself. 31% of respondents don’t believe their employees and contractors are adequately trained in data protection

The survey also highlighted that only 16% of educational institutions had fallen victim to a data breach, despite a rapid increase in attacks in recent times targeted at the sector. This seemingly low figure, in contrast to wider industry trends, was of particular interest and might be explained by respondents struggling to identify what actually constitutes a data breach.

Above and beyond a cyber attack, a data breach could include e-mailing data to the wrong recipient, openly discussing Personally Identifiable Information (PII), leaving hard copy materials in plain view or the loss or theft of unencrypted data. These could all lead to the loss of PII and are deemed breaches of the GDPR.

Findings are “concerning” 

Nigel Peers, security and risk management consultant at NW Security Group, informed Risk Xtra: “These findings are concerning, especially considering the GDPR’s imminent deadline. This is placing educational facilities at great risk of severe fines and reputational damage. There appears to still be a large amount of confusion regarding the GDPR, and with 64% of those who had heard of the new law still requiring further information, it’s clear more work is needed to propel educational facilities towards full compliance.”

Peers continued: “Employees are a school, college or university’s first line of defence and, if they’re unable to identify what a data breach is, the likelihood of achieving GDPR compliance is dramatically reduced. This is why it’s concerning to learn that, according to our survey, 31% of respondents didn’t believe their employees and contractors were adequately trained in data protection.”

These results are synonymous with NW Security Group’s own experiences of conducting Organisational Readiness Assessments for education sector customers seeking to determine their progress on the journey towards GDPR compliance. During those assessments, it was observed that although many facilities believed their processes were up to scratch, the reality was a somewhat different picture. Outdated policies and a lack of documentation were frequent failings, in turn indicating low levels of GDPR compliance throughout the education sector.

*To learn more about the state of GDPR readiness in the education sector, read NW Security Group’s latest White Paper 

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts