Schools face hefty fines for data breaches under new EU laws

Schools face having to free up a teacher to work three days every week on EU data protection issues, say tech experts.

From May next year, schools must comply with the new General Data Protection Regulation (GDPR) or face financial penalties of up to 4 per cent of their turnover.

The new regulations are designed to beef up the safety and security of data held by all organisations in the EU – and will still be binding in the UK despite Brexit.

Mark Orchison, managing director of 9ine Consulting, said schools faced a “significant amount of work” to become compliant.

A designated data protection officer could have to spend up to three days a week on data protection duties, and out-of-date IT equipment could have to be replaced. This comes at a time when many schools are struggling to cope with stretched budgets.

It will be illegal for schools not to have a formal contract with any data processor they use, or to use a processor that does not meet minimum industry accreditations.

“Lots of schools currently use IT equipment until it falls over and dies – with GDPR it’s a high-risk approach to continue using equipment that is out of warranty or doesn’t have up-to-date software,” Orchison said.

If schools used such software they could fall foul of the new stipulation to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”.

Organisations found in breach of the rules could be fined up to 4 per cent of their annual turnover or €20 million, whichever is higher.

Malcolm Trobe, deputy general secretary at the Association of School and College Leaders, said many schools had yet to “clock on” to the impact of changes.

While many of the new rules were similar to those in the current Data Protection Act, there were “significant enhancements”.

He urged schools to add the changes to their work programme for next year and to use any annual data protection audits to ensure they met the new rules.

However, he warned against rash decisions as it was not clear how the regulations would apply specifically to schools yet. Currently only guidelines have been published.

Joshua Perry, director of Assembly, a schools data platform created by Ark, said there were still “open questions” about how to interpret GDPR in schools.

“Schools – and organisations working with schools – don’t need to fear GDPR, but they should be tracking very closely its implications.”

He suggested schools start “preparatory tasks”, such as designating a data protection officer and documenting where personal data is processed, including the methods used and how consent has been managed.

“This should include any spreadsheets of pupil data created and shared by the school, since this is a common – and potentially insecure – form of data processing.”

Schools Week has previously reported that 66 schools suffered data breaches in 2015, including the accidental loss, theft or disclosure of information. None faced enforcement action.

A growing number of high-profile cyber attacks also show the risk for public organisations. In May the WannaCry ransomware spread through the NHS’s outdated Windows XP machines, leaving many hospitals unable to access patients’ medical records.

Under GDPR, schools must notify the Information Commissioner’s Office (ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected.

Orchison said it was “highly likely” the ICO would take action should the school be found not to be meeting the new rules.

The ICO has published a 12-step checklist to help organisations prepare for the changes.