- 25% of schools have been the victim of a cyber security attack, with phishing the leading attack method (60%)
- 22% of schools who have had a cybersecurity attack believe it has damaged their reputation
- 33% of schools do not provide cyber security training to staff
- Only 50% of schools have procedures in place to manage a data protection breach
- 25% of schools have nothing in place to manage information rights requests
Data protection law is changing on a global scale. Prompted in part by the General Data Protection Regulation (GDPR) in the EU, countries across the world have adapted, changed or brought in new legislation to align their national and local laws and data protection requirements with those of the EU. The impact of the GDPR will continue to be far reaching, and it is being adopted as the global benchmark for data protection compliance. Adopting the regulations into working practice, however, does not come easily to all organisation types.
The burdens placed upon well-resourced multinational corporations to comply are demanding in themselves; scaled down to a school, the requirements are understandably viewed as complex and onerous. Towards the end of 2018, 9ine conducted research into how schools around the world are coping with the obligation to comply with international data protection law. We wanted to gain a better understanding of how educational organisations are dealing with these new demands and to determine what major challenges they are facing.
We had institutions from over 30 countries take part in our research, with analysis from schools in the UK, the EU, North America, Africa, Asia and the Middle East. Those organisations included international schools, independent schools (UK), MATs (UK), academies (UK), colleges and state schools (UK). We conducted this research firstly by asking schools to participate in an online survey. Secondly, we validated the data collected from the survey through in-depth interviews and engagement with the schools taking part.
In undertaking our global research, our objectives were as follows:
- To collect independent and objective information from education organisations across the globe
- To generate a benchmark for schools to assess themselves and to measure their progress against
- To understand common difficulties that schools are facing and determine what challenges are inhibiting compliance
We identified 5 key questions to guide our research:
1. Of the requirements generated by the new regulations, how far have schools progressed in meeting their obligations?
When asking about the status of schools’ compliance programmes:
- 20% are only just planning or haven’t started at all
- Over 50% said that their implementation was well underway
- 5% of schools said that they are completely compliant with the regulations
Our results uncovered the limitations of embedding recycled policies, processes and procedures within the practice of a school. This finding is supported by the fact that only 5% of schools have fully completed data mapping and data protection impact assessments (DPIAs). To be compliant with the GDPR, an organisation's policies, processes and procedures can only be updated once data mapping and DPIAs have been completed. Without an understanding of how data is processed from the point of collection, through storage, to deletion, organisations cannot accurately document their processing or inform individuals about it.
For those schools that have undertaken work on data mapping, we discovered a drop-off in productivity and task completion after this milestone of the compliance programme. 9ine recommends that all information captured within the data mapping exercise be reviewed. An assessment of all information should be completed to ensure the data is accurate and aligns with current school policies, processes and procedures. The data mapping then requires further assessment and a rationalisation of potential DPIAs, confirming which are required based on the risk profile of each processing activity.
2. Is there a difference between perceived progress and evidencing progress?
There appears to be a disconnect between a school's perception of its compliance and progress and its actual ability to evidence them. Our findings point towards a lack of published standards on what compliance looks like. Without these, schools are making judgements on the depth of their compliance without necessarily understanding what they should be doing. Schools can help themselves by testing their policies and procedures and keeping evidence that they are in place and working, rather than simply asserting that they exist.
3. What variations do we see across geography, types of schools and sizes of schools?
There is a direct ripple effect from the GDPR, with the UK, EU and Switzerland scoring highest, as expected given the immediate impact of the regulations. The ripples move outwards from the European epicentre to the US and Canada, which scored the lowest, possibly because equivalent requirements are still being defined within state and federal law.
4. What difficulties and challenges are schools facing in being able to demonstrate compliance with the law?
Close to 100% of the schools that had not begun data mapping highlighted a lack of internal expertise as their main challenge. Without guidance, these schools are making judgements and trying to progress with compliance without necessarily understanding what they should be doing, resulting in extended timescales with undefined milestones.
A general theme throughout our research was a lack of internal expertise as a defining factor inhibiting compliance. Schools need to evaluate the gaps in staff knowledge and expertise, acquiring support where required. Only in certain circumstances should outsourcing the responsibility itself (e.g. an outsourced data protection officer, or DPO) be the appropriate step to take.
5. How aware are schools of cyber security risks and what are their main threats?
The final part of our research took a high-level look at cyber security in schools. Particularly significant was that a quarter of the schools that took part in our research have identified a cyber security attack on their organisation, with the leading method of attack being phishing. It is crucial that schools are aware of the susceptibility of both their users and their computer systems and services to malicious or unintentional cyber attacks.
The lack of staff knowledge and training in cyber security is exacerbated by the gap between awareness of cyber security threats and the action taken to reduce vulnerabilities to successful attacks. A lack of cyber security knowledge often leads to overconfidence in security systems.
Just as data protection compliance requires accountability driven from the highest level of school management, so does cyber security. Schools show no clear understanding of the link between cyber security and data protection, even though a successful attack on school systems is frequently also a personal data breach. School leadership need to demonstrate accountability in managing cyber security risks to their schools. IT teams need professional expertise and support in order to evidence the protections required to manage these risks.
As part of further study, we will be undertaking comprehensive cyber security research into how schools are coping across the globe. Keep your eyes peeled for our next survey.
Download our full report to find out more and learn from our independent and objective recommendations.
9ine 9ine 9ine, what's your emergency - How 9ine can support
9ine’s DPO Essentials is an annual service offering a professional, independent perspective when evaluating a breach. The service also provides access to a suite of education-specific documentation and policies to evidence compliance with data protection law. We use our strong sectoral knowledge and evaluative expertise to provide feedback based on the assessed severity of a breach, and to advise on the associated risks and the recommended actions to be taken. If you are advised to report the incident to your supervisory authority, 9ine will support any ongoing activity you need to undertake.