
Ethical hacking – a helpful tool for addressing #GDPR compliance in education

David T. Blonder, Data Protection Officer, BlackBerry

With the education sector battling funding cuts, the Department for Education has recommended addressing the shortfall by being as cost-effective as possible.

Whether it’s changing stationery suppliers, finding cheaper utility providers, or simply reducing headcount – Principals and CEOs are having to ensure that they’re not only providing the best education for students, but that they’re smarter with budgets too.

The General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, is only adding to the pressure. There has been a lot of hype and discussion surrounding the regulation, but most of it relates to the potentially eye-watering fines of up to €20 million (around £17 million) or 4% of annual worldwide turnover, whichever is higher, that large corporates could face should they fall foul of the regulation.

While less has been said about the education sector, institutions already under pressure to cut costs cannot afford fines associated with the GDPR.

Taking steps to ensure compliance and safeguard the data of young people is also a necessity in its own right: the sector holds some of the most sensitive personally identifiable information (PII) there is, data about children and young students.

Act now to mitigate risk

It is expected that most GDPR fines will result from poor data protection and breaches of confidentiality. Administrators should therefore be trained to understand what data they hold, who owns it and how it is used, and where it is stored.

Knowing this will help to identify the gaps that exist and understand what robust controls should be in place to manage the data. Implementing this process will allow the organisation to document every data decision in the style of an audit trail, which will become essential should they be asked to prove compliance.

This best practice is one that all companies should carry out at regular intervals to ensure that gaps in compliance have not opened up as systems evolve.

However, managing data protection in the education sector is very different from the corporate world, as schools have a natural cycle of PII that becomes redundant as learners graduate or move on.

A process should be implemented to ensure that data which is no longer required is removed, while still taking other industry regulations and acts into account.

For example, the Children and Social Work Act 2017 extends the duty to provide care leavers with support from a Personal Adviser (PA) up to the age of 25, so there can be a legitimate reason to hold related data for a longer period.

Education establishments should also be vigilant about shadow IT: unapproved resources, such as interactive classroom apps, being installed on the network can present real risks to personal data.

Teachers are naturally focused on providing the best education they can to their students and may feel justified in sourcing material from as wide a range of sources as possible, regardless of technology policies.

They may not recognise the risk some of these workarounds can create for data privacy, but regular training and information on the need for compliance will help to control how data is being created and used, and therefore, make compliance easier.

Advice from an ethical hacker

If processes have been put in place to address GDPR, but administrators remain unsure whether they are GDPR compliant, an ethical hacker could be strategically used to expose potential flaws in data protection.

There is no one size fits all approach. Each educational organisation is different and will require a compliance practice to fit its particular tools and processes. This is where an ethical hacker can make all the difference.

Their goal is to ensure the institution's data is secure by mimicking the techniques of real-world attackers against its systems, with authorisation. They can detect and document potential GDPR risks and provide actionable advice on how the organisation can address them.

The ethical hacker can also take the lead in providing training for teachers. Using the same tactics and tools as malicious hackers, they can run simulated phishing campaigns against staff over email and scan the network for vulnerabilities and for personal data staff have downloaded, then show staff the data protection violations they could be facing.

While this technique may seem invasive, it often highlights vulnerabilities that a check-box approach simply cannot. The hands-on nature of the exercise also helps teachers and administrators gain a better understanding of the risks involved in storing and sharing data, and makes them accountable for GDPR weaknesses.

Understanding educational data

For GDPR compliance to be successful, processes need to align with how an organisation already operates rather than making wholesale changes; such an upheaval would create unmanageable workloads and result in the regulation not being adopted.

Compliance should focus on what the provider is already doing, identify gaps and update procedures to match the requirements of the GDPR. Institutions should also note that not all processing of educational data requires consent: the GDPR still applies, but where the processing is necessary for the establishment to function it can rest on another lawful basis, such as a legal obligation or a public task.

For example, consent would not need to be obtained to process data that must be provided to the Department for Education as part of the school census, because that processing is a legal obligation.

However, consent would need to be obtained before collecting parents' email addresses in order to send them emails, as none of the other lawful bases clearly covers that processing.

Having clear processes and training in place to ensure data is protected adequately but legal obligations are not hampered is critical to successful compliance.

With GDPR in force and headlines reporting on how many organisations have not yet fully prepared, now is the time for colleges and training providers to take action on being compliant, as well as sustain on-going data protection best practice.

Working with an ethical hacker and providing compliance training to teachers is one option that helps an institution prepare for, and mitigate the impact of, a potential breach.

If a breach does occur that results in an unlawful disclosure of PII, the ICO is likely to look more favourably on an institution that has demonstrated it takes its responsibilities under the GDPR seriously and has done all that is expected to protect the personal data of its students.


Copyright © 2018 FE News

*This article is for informational purposes and does not constitute legal advice.
