Despite high levels of awareness regarding the incoming EU General Data Protection Regulation (GDPR), only 22 per cent of schools, colleges and universities out of 500 surveyed felt their data protection policies were compliant.
Furthermore, 70 per cent said that if they fell foul of a data breach, they wouldn’t be able to show that the correct procedures were in place.
These findings are the result of a survey conducted by NW Security Group, a leading provider of security systems, consultancy and training services.
The research asked head teachers, governors, IT, security and facility managers in the North West to determine their awareness levels of, and adherence to, the upcoming GDPR.
The survey found only 22 per cent of respondents believe their data protection processes are GDPR compliant and 64 per cent are aware of the GDPR but require further information regarding its impact.
11 per cent of schools, colleges and universities have experienced a data breach and not informed the Information Commissioner’s Office (ICO), and if made aware of a data breach, 14 per cent of respondents would ignore the issue and hope the problem resolves itself.
It also found that 31 per cent of respondents don’t believe their employees and contractors are adequately trained in data protection.
The survey highlighted that only 16 per cent of educational institutions had fallen victim to a data breach, despite a rapid increase in attacks in recent times targeted at the sector.
This seemingly low figure, in contrast to wider industry trends, was of particular interest and might be explained by respondents struggling to identify what actually constitutes a data breach.
Above and beyond a cyber-attack, a data breach could include emailing data to the wrong recipient, openly discussing Personally Identifiable Information (PII), leaving hard-copy materials in plain view, or the loss or theft of unencrypted data. These could all lead to the loss of PII and are breaches of GDPR.
“These findings are concerning, especially considering GDPR’s imminent deadline,” said NW Security Group security and risk management consultant Nigel Peers.
“This is putting educational facilities at great risk of severe fines and reputational damage.
“There appears to still be a large amount of confusion regarding the regulations, and with 64 per cent of those who’d heard of the GDPR still requiring further information, it is clear more work is needed to propel educational facilities towards full compliance.”
Peers explained that employees are a school, college or university’s first line of defence and if they are unable to identify what a data breach is, the likelihood of achieving GDPR compliance is dramatically reduced.
“That is why it was concerning to learn that, according to our survey, 31 per cent of respondents didn’t believe their employees and contractors were adequately trained in data protection,” he said.
These results are consistent with NW Security Group’s own experiences conducting Organisational Readiness Assessments for education customers seeking to determine their progress on the journey to GDPR compliance.
During those assessments, it was observed that although many facilities believed their processes were up to scratch, the reality was a somewhat different picture.
Outdated policies and a lack of documentation were frequent failings indicating low levels of GDPR compliance throughout the education sector.


