The General Data Protection Regulation (GDPR) deadline has come and gone. The date was fixed in the diaries of organisations around the globe, and now that the regulation applies, any educational institution that experiences a data breach could find itself answering difficult questions from the Information Commissioner's Office, which may result in fines or, at the very least, reputational damage. Achieving and maintaining compliance is therefore of vital importance.
Why is privacy by design so important?
Privacy by design is a mindset the education sector must embrace, particularly because, as we pointed out in a recent survey of education professionals (PDF file), data breaches are on the rise. This approach entails reviewing and assessing the impact and associated risks of every process that handles Personally Identifiable Information (PII), so that weaknesses can be recognised and addressed before they are exploited rather than after a breach.
Progress is being made
The good news is that many educational establishments have already embraced this mindset. As highlighted in NW Security Group's recent whitepaper, 43% of respondents already ensure that technology, processes and policies are created with privacy by design in mind. Furthermore, 65% have a designated employee or outsourced service capable of conducting a Data Protection Impact Assessment (DPIA). This is an integral procedure that helps identify and minimise risks and should not be overlooked.
These are positive steps, but there is more work to be done: our survey also found that 70% of respondents did not think they could effectively evidence privacy by design if they fell victim to a breach. This issue is not unique to our whitepaper. While conducting Organisational Compliance Assessments (OCAs), NW Security Group found that although many establishments believed best-practice processes and policies were in place, there was nothing to evidence this.
Documentation is critical to privacy by design, and therefore to GDPR compliance. Even if the correct policies are in place, an educational facility that cannot produce documentation of them has no way to demonstrate compliance, and under the GDPR's accountability principle it is the establishment's responsibility to demonstrate it. With the GDPR now law, educational establishments must be seen to be putting data protection measures in place. This starts with awareness training; it is crucial that all staff have a good understanding of their obligations and of recommended best practice.