New research findings released today by RM Education and Trend Micro show that fewer than half of UK schools and colleges (48%) believe they are fully GDPR compliant, and that confusion remains over which staff are responsible for GDPR compliance.
Last year, 156 education professionals were surveyed about how their practices and systems have changed since GDPR came into force in May 2018, and about their ongoing concerns with the legislation.
Key findings from the research include:
- Half of schools believe they are in breach of the regulations - 52% of schools surveyed did not think they were GDPR compliant. In addition, 14% of schools still do not have a strategy in place to become GDPR compliant.
- Fines would have a severe impact - Almost four-fifths of schools and colleges (79%) stated they would be significantly affected by any fine for not complying with GDPR. 65% said a data breach would significantly impact their reputation.
- Staff are considered the biggest risk - ‘Accidental loss by staff’ is considered the biggest data threat (75%), followed by cyber criminals (19%).
Respondents were from schools and colleges across the UK and included IT Managers, Data Protection Officers (DPOs) and other school leaders. Just 48% of respondents stated that they believed their school/college to be fully GDPR compliant. Among the reasons given for lack of compliance, 23% cited legacy systems as a challenge, 46% cited security awareness and 31% cited a lack of financial investment.
However, the research suggests that schools and colleges are taking GDPR seriously and have taken significant steps towards compliance. Of those surveyed, 97% of schools and colleges had updated their policies, 89% had increased staff training, 85% had hired a DPO and 83% had carried out a data audit (including third-party systems). Furthermore, 38% of those surveyed had increased their IT spend as part of becoming GDPR compliant.
When asked about the possibility of a data breach, 77% of respondents stated they were confident that their school/college was as secure as it could be against a data breach. However, just over two-thirds of schools surveyed (71%) had a formal data breach response plan in place. As for what respondents considered the biggest threats to their data, 19% cited cyber criminals and 75% cited accidental loss by staff.
Steve Forbes, Principal Product Manager at RM Education, comments: “From our work with thousands of schools across the UK we know that untangling the intricacies of GDPR has been a great concern for education providers. One surprising finding is that 91% of schools and colleges surveyed stated that they knew where all their data resides. Schools and colleges process large quantities of data on their pupils, staff and suppliers, and it’s likely that data is in more places than perhaps thought. We will continue to support schools to help them identify these data sources and implement the right cyber defences to protect data both inside and beyond the school’s gates.”
Forbes continues, “The survey has uncovered some interesting findings, and highlights the challenges that schools are facing today. There is some confusion in terms of roles and responsibilities in schools when it comes to GDPR. 60% of those surveyed said final responsibility for GDPR sits with the Principal/Head Teacher, 42% said the responsibility also sits with the DPO and 31% said responsibility also lies with the head of IT. GDPR compliance does not sit with one role alone; the responsibility for compliance is shared. A DPO is tasked with monitoring GDPR compliance and other data protection laws and policies, awareness-raising, training, and audits. However, as in all other organisations, responsibility for compliance within a school must be a shared responsibility, and this relies on a whole-school approach.”