September 03, 2019

Is Your School GDPR Compliant? How to Improve Data Protection in Schools

In Q4 of 2018/2019 alone, the Information Commissioner’s Office (ICO) reported 3,263 cyber and non-cyber data breaches. Of which, 383 – or 12.5% of all data breaches – were from the education sector, which is a worrisome statistic for students and teachers who are back in the classroom for the new school year.

The education sector – especially colleges and universities – keeps a lot of sensitive information on file. Spanning student and staff names, addresses, medical information and birth dates, to financial data and innovative research. So it’s imperative you protect all of the personal data in your possession!

And if you thought the chance of being caught and fined was minimal – the risks are very real. In May 2018, Greenwich University were fined £120,000 by the ICO for a security breach dating back to 2016 where the personal data of 19,500 students was placed online.

So this September, we’re asking the question: is your school protected from a data breach? To help you ensure the safety of your staff and students – and to ensure you don’t fall victim to the crippling fines handed out by the ICO.

Best practices to help you prevent a data breach at your school, college or university.

Think compliance: Download our whitepaper and familiarise yourself with the official GDPR legislation of the ICO. Engage with your local governing body and staff to ensure everyone is aware of the requirements specific for your school, college or university.

Data you hold: Start by documenting your internal systems and identifying where personal data is stored in both physical and online files. Create a list of the software used across the school and check with the suppliers that they’re GDPR compliant and what data they are extracting from your users.

Communicating privacy information: Upload an updated privacy policy to all of your websites and circulate the latest policies to staff. If you have the appropriate software, you can check these are seen and acknowledged via tracking tools.

Protect it: Use a document management process so all data is secured from creation to disposal. A retention policy should identify which documents must be kept and for how long. Mark records in storage with their destruction dates.

Increase cyber security: Prevention and detection tools are critical. Keep everything up-to-date and reinforced. In the case of a data breach, have a response plan in place and be ready to effectively and efficiently manage a security breach. Practice disaster and recovery plans and always back up digital information. 

Record data breaches: If a data breach occurs, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk, you must notify the ICO. If it’s unlikely, you don’t have to notify the ICO, but any breach must be reported to your appointed data protection officer. Secondly, track and record data breaches – provided that breaches are recorded and schools can show evidence data wasn’t accessed, you will avoid fines.

Destroy it: Have a formal procedure for the secure destruction of documents. Partner with a company that provides a secure chain of custody and a documented process for both paper and hard drives and e-media destruction. Introduce a Shred-it all policy so that all documents are securely shredded automatically.


Start Protecting Your Business

We protect what matters – and what matters to us is the security of your school, college or university. To learn more about how we can protect the sensitive information of your staff and students, contact us to get a free quote and Data Security Survey.

Our Data Security Survey is a crucial first step to ensure vulnerable areas of your institution are identified – so we can provide efficient, expert recommendations on how to reduce the risk of a data breach at your school, college or university.