Four years have now passed since Europe’s flagship data regulation, GDPR (the General Data Protection Regulation), was first implemented.
While it was initially designed to curb the use of data without user consent by Google, WhatsApp, Facebook, and Instagram, it’s arguably had the most significant impact on tech-naive companies and their lawyers– not the tech natives. In fact, Big Tech organisations have become dab hands at traversing it.
For the UK’s education sector, then, remaining compliant was always going to be a challenge. A sector already beset with financial and recruitment challenges of its own, and often stuck with legacy technology that’s difficult to aggregate and keep up to date, it quickly had to navigate a data regulation it had little understanding of (at least, not outside of the IT department) and one that was far more complex than its predecessor, the Data Protection Act.
As speculation now swirls around the possibility of the UK’s own new data legislation outside of the European Union, it’s time for education institutions to reflect on how well they’ve adapted to GDPR since May 2018 – and, perhaps more importantly, how well they could adapt if asked to evolve in line with new data protection laws again.
First and foremost, what effect has GDPR had so far?
While GDPR has had a huge impact on the privacy rights of millions inside and outside Europe, it hasn’t stamped out the problem altogether of how to truly protect individuals’ data – particularly not in the education sector. Yes, it reset people’s views on the data they held; yes, it clarified where the accountability lay when it came to data breaches; but did it make expert educators specialists in data protection overnight in 2018? Not at all.
A key principle of the UK GDPR is that organisations (including schools, colleges, and academy trusts) process personal data securely by means of ‘appropriate technical and organisational measures’. This means security knowledge is critical.
Yet, in many schools and colleges, the cybersecurity basics are still missing. The reason being that the implementation of GDPR had a “big bang” effect for schools, colleges, and academy trusts, in that it was very “blink and you’ll miss it” and the public sector simply could not be that responsive – it’s too disparate.
Consider, for a moment, a data breach. While GDPR helps you classify that data and tells you what to do with it, and who you have to tell about it, but it still isn’t the nuts and bolts of how enterprises should be keeping it safe.
For that reason, as school IT departments might try to reset everyone’s view over the data they held, and their responsibility towards that data, schools and colleges simply don’t have the resource to train new staff in all things Cyber security related on an ongoing basis. And schools don’t have the budget to support such a change.
The concern, then, is that only a really significant breach would drive major change in the sector in the way GDPR might have hoped to. A breach whereby substantial amounts of personal information was lost, one where passwords were weak, critical updates haven’t been conducted in months, and there’s a potential fine from the ICO as a consequence, could well be the only way to put Cyber Security top of the agenda quickly and effectively.
But educators should remember that prevention is always cheaper than the cure.
So, what does good Cyber security look like for educators?
What would be more useful for the education sector is a model of continuous improvement, one in which standards could evolve in line with technological development, and schools and governors had the time to upskill themselves in line with those changes too.
Without one, we risk educators getting lost in a vicious cycle of panic followed by complacency and back again. Ultimately, legislating against the misuse of data has been effective in making particular technologies more ubiquitous, but it has done little in terms of social engineering to inspire real – and arguably more effective – behavioural changes. Once we have a regulation that encompasses the golden triumvirate (i.e., technology, legislation and social engineering all working together) schools and colleges can start making lasting changes, rather than temporary quick fixes.
Consider the evolution of road safety here. When seatbelts weren’t used ubiquitously, cars and roads were much more dangerous – but we used technology to make the roads and cars safer, and to improve collision protection (through air bags, for instance), used legislation to enforce seatbelt wearing, and then we used social engineering to reduce drunk driving. We then looked at avoiding the collision in the first place, technology in cars such as anti-lock brakes, lane assistance and on the actual roads with smart motorways and speed cameras to enforce the existing legislation, and then social engineering with speed awareness courses instead of points and fines.
Now try applying that to your cyber security protocol: use technology to reduce the risk of a successful attack, apply legislation to effectively make those technologies mandatory, and then implement social engineering to change people’s behaviours and education on the appropriate use of technology (such as using strong passwords).
Cyber security best practice can be intimidating, especially for our users. Making it easier and very relevant for them is key. Using strong passwords can make them difficult to remember, so to assist that we promote the use of password managers, it’s a whole solution, sympathetic approach, “we need you to do this, we know it’s difficult, here’s something to make it easier”. Add into that conversation “oh and by the way it keeps you’re amazon account, private email, Instagram and Tik Tok safer too” and you have a compelling reason for people to change their behaviours.
The opportunity to make positive change is here and now
Looking ahead, GDPR was fundamentally a positive step for all sectors – not least education. The fact that it carries the threat of fines for those who aren’t compliant and has the legislative weight behind it to do so, means it has a significant and far-reaching impact.
The challenge for schools, colleges and academy trusts is understanding what good cyber security actually looks like. Ultimately, there needs to be a defined baseline standard, but also the next wave of improvements to be given upfront, so that proper planning and budgeting can happen. Educators also need to promote and encourage a higher level of understanding amongst staff and governors about what it is they are actually being asked to do, and to what end
Not only would that instigate consistency, but it offers educators the opportunity to better keep up with changes in the marketplace and technology overall. Only if we have standards that are required for all, can we hope for educators to overcome their resistance to cyber security change.