It’s been four years since the GDPR (General Data Protection Regulation), the major European data protection regulation, came into force.
Although it was originally conceived to curb the non-consensual use of personal data by platforms such as Google, WhatsApp, Facebook and Instagram, its biggest impact has arguably been on tech-naive organisations and their lawyers rather than on the tech-natives. In practice, large technology companies have become adept at navigating it.
Compliance has therefore always been a challenge for the UK education sector. A sector already struggling with financial and staffing pressures, and often with outdated technology that is difficult to consolidate and keep up to date, had to move quickly to meet a data regulation it understood little about (at least outside the IT department) and one that was far more complex than its predecessor, the Data Protection Act 1998.
With speculation about new UK data legislation now that the country is outside the European Union, this is the time for educational institutions to reflect on how well they have adapted to the GDPR since May 2018 and, perhaps more importantly, how well they could adapt when asked to evolve again under new data protection laws.
First of all, what effect has GDPR had?
While the GDPR has had a major impact on the privacy rights of millions of people in Europe and beyond, it has not removed the challenge of how to actually protect people’s data, least of all in education. Yes, it changed how organisations view the data they hold; yes, it clarified liability for data breaches; but did it turn educators into data protection experts overnight in 2018? Not at all.
A key principle of the UK GDPR (the integrity and confidentiality principle in Article 5(1)(f)) is that organisations, including schools, colleges and academy trusts, must process personal data securely using “appropriate technical and organisational measures”. The regulation does not prescribe which measures, so security awareness and judgement within the organisation are critical.
However, many schools and colleges still lack the basics of cyber security. The GDPR landed on schools, colleges and academy trusts as a ‘big bang’: a single hard deadline rather than a phased introduction, and a public sector as fragmented as education simply could not respond that quickly.
Consider a data breach for a moment. The GDPR helps you classify the data involved, tells you what to do about it and who to report it to (in the UK, a notifiable breach must be reported to the ICO within 72 hours of becoming aware of it), but it still does not spell out the nuts and bolts of how an organisation should keep that data safe in the first place.
So while school IT departments can try to reshape how everyone views the data they hold and their responsibilities for it, schools and colleges simply do not have the resources to train every new member of staff in cyber security on an ongoing basis, nor the budget to support such changes.
The concern, therefore, is that only a truly significant breach will bring about the kind of major change in the sector that the GDPR may have hoped for. A breach in which large amounts of personal information are lost because passwords were weak and critical updates had not been applied for months, followed by a potential fine from the ICO, may well be the only thing that puts cyber security at the top of the agenda quickly and effectively.
But teachers should remember that prevention is always cheaper than cure.
So, what does good cyber security look like for educators?
More useful for the education sector would be a model of continuous improvement, where standards evolve in line with technological developments and schools and their leaders are given time to upgrade their skills in step with those changes.
Without it, we risk educators getting lost in a vicious circle of panic followed by complacency and back again. Ultimately, data protection legislation has been effective in making certain technologies more ubiquitous, but it has done little in terms of social engineering (used here in the sociological sense of deliberately shaping public behaviour, not the attacker’s sense of manipulating people into giving up credentials) to inspire real, and perhaps more effective, behavioural change. Only once we have an approach that covers the golden triumvirate (technology, legislation and social engineering working together) can schools and colleges begin to make lasting changes rather than temporary quick fixes.
Consider the evolution of road safety. Without universal seat belt use, cars and roads would be far more dangerous, so we used technology to make cars and roads safer and improve crash protection (for example, airbags), legislation to make seat belts compulsory, and social engineering to reduce drink driving. We then turned to collision avoidance: in-car technology such as anti-lock braking and lane assist, smart motorways and speed cameras on the roads themselves to enforce existing legislation, and then social engineering through speed awareness courses, penalty points and fines.
Now apply this to your cyber security programme: use technology to reduce the risk of a successful attack, use legislation to make those technologies effectively mandatory, and then use social engineering to change people’s behaviour and educate them in the proper use of the technology (such as using strong passwords).
Cyber security best practice can be intimidating, especially for our users. The key is to make it simple and directly relevant to them. Strong, unique passwords are hard to remember, so promote a password manager alongside the requirement: a holistic, compassionate approach of “we need you to do this, we know it’s hard, here’s what will make it easy”. Add to that conversation “oh, and by the way, it keeps your Amazon account, personal email, Instagram and TikTok safe too” and you have a compelling reason for people to change their behaviour.
The opportunity to make a positive change is here and now
Looking ahead, the GDPR is a fundamentally positive step for all sectors, not least education. The fact that it carries the threat of fines for those who do not comply, and has the legislative weight to enforce them, gives it a significant and far-reaching impact.
The challenge for schools, colleges and academy trusts is to understand what good cyber security really looks like. A baseline must be defined, but the next wave of improvements must also be signalled in advance so that proper planning and budgeting can take place. Educators must also facilitate and encourage a deeper understanding among staff and managers of exactly what they are being asked to do and to what end.
Not only will this encourage consistency, it will also enable educators to keep up better with changes in the market and in technology generally. Only when we have standards that everyone must meet can we hope that educators will overcome their resistance to change in cyber security.