Education sector’s compliance with GDPR low

New research has revealed that there are low levels of GDPR compliance among educational facilities. Hardly a surprise.

A survey conducted by NW Security Group finds that only 22 percent of schools, colleges and universities believe their data protection policies are up to scratch in the run-up to GDPR’s deadline.

Despite high levels of awareness regarding the incoming EU General Data Protection Regulation (GDPR), only 22 percent of the 500 schools, colleges and universities surveyed felt their data protection policies were compliant. Furthermore, 70 percent said that if they fell foul of a data breach, they wouldn’t be able to evidence that the correct procedures were in place.

The survey was conducted by NW Security Group. The research sought the feedback of head teachers, governors, IT, security and facility managers in the North West of England to determine their awareness levels of, and adherence to, the GDPR. The main findings were:

  • Only 22 percent of respondents believe their data protection processes are GDPR compliant
  • 64 percent are aware of the GDPR but require further information regarding its impact
  • 11 percent of schools, colleges and universities have experienced a data breach and not informed the Information Commissioner’s Office (ICO)
  • If made aware of a data breach, 14 percent of respondents would ignore the issue and hope the problem resolves itself
  • 31 percent of respondents don’t believe their employees and contractors are adequately trained in data protection

The survey also highlighted that only 16 percent of educational institutions had fallen victim to a data breach, despite a rapid recent increase in attacks targeted at the sector. This seemingly low figure, which runs contrary to wider industry trends, was of particular interest and might be explained by respondents struggling to identify what constitutes a data breach.

A data breach could include: emailing data to the wrong recipient; openly discussing Personally Identifiable Information (PII); leaving hard-copy materials in plain view; or the loss or theft of unencrypted data. Each of these could lead to the loss of PII and would be a breach under GDPR.

Nigel Peers, Security and Risk Management Consultant at NW Security Group, said, “These findings are concerning, especially considering GDPR’s imminent deadline. This is putting educational facilities at great risk of severe fines and reputational damage. There appears to be a large amount of confusion regarding the regulations, and with 64 percent of those who’d heard of the GDPR still requiring further information, it is clear more work is needed to propel educational facilities towards full compliance.

“Employees are a school, college or university’s first line of defence and if they are unable to identify what a data breach is, the likelihood of achieving GDPR compliance is dramatically reduced. That is why it was a concern to learn that, according to our survey, 31 percent of respondents didn’t believe their employees and contractors were adequately trained in data protection”.

These results are consistent with NW Security Group’s own experiences conducting Organisational Readiness Assessments for education customers seeking to determine their progress on the journey to GDPR compliance. During those assessments, it was observed that although many facilities believed their processes were up to scratch, the reality was somewhat different. Outdated policies and a lack of documentation were frequent failings, indicating low levels of GDPR compliance throughout the education sector.