Countdown to GDPR

GDPR, data security and the education sector

Peter Houlis

Chartered Security Professional (CSyP) and certified technical security professional (CTSP)

Peter is an expert in the physical security industry having spent 35 years gaining considerable knowledge and understanding of security technology and the principles and practices of protecting people and assets, along with the ethics necessary for leading a respected company. Over 20 years as MD of multi-award-winning security system integrator 2020 Vision Systems, the company achieved a high standard of recognition and the patronage of many respected organizations. Through his dedication and leadership, 2020 obtained industry approval with the SSAIB and Quality, Environmental, and Health and Safety accreditations. Peter is a member of the Security Systems and Alarms Inspection Board (SSAIB), a UKAS accredited Certification Body, and its representative on the British Standards Institute (BSI) technical committee responsible for drafting European CCTV Standards. He is also a member of the Security Institute and Security Leaders Technology forum and the author of a number of published security articles.
May 10, 2018

Keeping up to date with the latest General Data Protection Regulation (GDPR) news can be stressful, but with the harsh penalties set by the European Parliament, it’s worth being aware of what unfolds.

However, although it’s one of the most dominant sectors in the world, education is sometimes left unaddressed.

GDPR: what is it?

To understand what impact GDPR can have on those working in education, it’s important to be aware of what this new piece of legislation means. GDPR is set to strengthen data protection across Europe and will eventually replace the current Data Protection Act (DPA). It will be implemented on 25 May 2018.

Even though the UK will soon leave the EU after the decision was made in the 2016 referendum, it’s likely that GDPR will be brought into British law by the government and enforced as if it was its own initiative to help unify data protection.

What you must be aware of

Over time, education establishments will collect personal data, including that of their pupils and staff. More educational institutes acquire surveillance footage of what is happening on a daily basis through the necessary CCTV systems that they have in place.

Whether it’s stored in a filing cabinet or backed up on an IT system, there’s a lot of data collected in schools and universities and this will eventually be impacted by the GDPR legislation.

To reduce the chances of any data breaches, data should be kept in a secure location, according to the Data Protection Act (DPA). Although this will still apply once GDPR has arrived, education practices will have a greater responsibility for protecting data, no matter what the format is, to ensure that they comply with the new regulation.

Large fines will be given to those who do not comply with this new piece of legislation enforced by the EU. As schools will currently know, under the DPA, the non-compliance payment can reach a high of £500,000, which is enforced by the Information Commissioner’s Office. GDPR fines could reach up to £20 million or 4% of global turnover for both data controllers and processors.

Data Processor: On behalf of the data controller, the data processor processes data. It isn’t part of the school or education establishment itself.

Data Controller: The data controller is classed as the main organisation itself — having the power to decide how data is used.

Once GDPR is introduced, data processors must have minimum capabilities for IT asset disposal. Education establishments will have to prove that they are working with a credible organisation when it comes to disposal of data.

Currently, it’s not compulsory for education centres to have a binding contract of agreement with their data processor. However, this is all set to change under the GDPR ruling. Next year, schools will have to have a contract or SLA (Service Level Agreement) in place with whoever they decide to work with — if this is not enforced, you will be breaking the law.

Becoming compliant with GDPR

Being compliant with the DPA allows you to make swift changes when it comes to preparing for GDPR. However, just because you’re complying with DPA doesn’t mean you’re complying with GDPR, and this will lead you to review and make some adjustments to your current policies.

According to the Information Commissioner’s Office, education centres can take several steps to prepare for this new legislation. The first step is awareness: you need to make sure that everyone who handles any type of personal data is aware that DPA is changing to GDPR, knows what they can and can’t do, and understands the consequences.

Complete an information audit to determine who you are sharing personal data with. As children are usually involved, you need to put systems in place that will help verify a person’s age and then gather parental/guardian consent for any data processing activity that you might do.

Most schools will find themselves holding the data they collect years after it goes ‘out of date’ (someone leaves your establishment) — but you will soon want to remove it. To do this, you need to consider the students’ rights, and this can determine how you delete data or provide data in an electronic format.

As data breaches are becoming more common within education centres, you will need to have the most viable procedures in place to deal with the situation. All staff handling data should be aware of these procedures. It could be beneficial to appoint a Data Protection Officer who can take responsibility for data protection.

If you’re working in the education field, and with GDPR quickly approaching, you need to become knowledgeable on the situation before it becomes too late.

Read more about GDPR and the education sector on the ICO website.
