GDPR is coming and schools need to be clear on what it means for them, as well as how to handle it ahead of when the regulations come into force on 25th May 2018. Currently, it seems that confusion reigns over what schools actually need to be doing to ensure they can comply with the new GDPR regulations – not just by that date, but sustainably thereafter.
At a recent webinar on ‘Practical Insight on the GDPR for schools’, Arena’s Neil Maude shared some of the most relevant features of the new data protection regulation for schools, the potential impacts, and next steps. This was followed with a survey to understand the state of play for education on individual schools’ journeys towards the May 2018 deadline, which has elicited some interesting insights. For example:
With the deadline to be compliant with the new General Data Protection Regulation (GDPR) just around the corner, schools are scrambling to get prepared. Whilst the GDPR does represent a change from the Data Protection Act, achieving compliance may be simpler than you realise. Groupcall, in association with GDPRiS, has put together a short guide for schools to follow – it’s divided into 12 manageable steps to walk you through the list of tasks needing to be addressed.
With 30th November marking Computer Security Day, it’s important for schools to know how to fully secure themselves against cyber-threats. Alan Mackenzie, a veteran e-safety consultant, talks us through the top 10 points school staff need to consider when it comes to staying e-safe.
Security has been a hot topic these last couple of weeks, with the most reported story being that of the website hosting live webcam streams of hundreds of devices whose account details had been hacked. The word ‘hacked’ is misleading in this respect, as it suggests a certain amount of effort by the perpetrators; however, one could assume that many (all?) of those devices had been left at their default settings, including username and password.
Getting computer security right in a school is much trickier than doing so in a business. How much money can you spend? How much time can you devote to the problem? Should you have a regime in which you enforce, or merely guide? How do you win the cooperation of parents, principals and students? Security expert David Booth discusses the principles of information security for schools.
[As seen in the June 2014 edition of our magazine]
1. Understand Your Risk
Identify your most sensitive information and mark documents containing this data clearly as “confidential” or similar. Decide who is responsible for managing the risk. Work out how much risk you face and how much risk you want to take. Allocate security responsibilities clearly to other staff and ensure staff understand the importance of working securely.
What is BYOD? There has been a huge rise in the popularity of hand-held and tablet devices in the last few years, and some schools may allow staff to use their own personal devices to access school systems. This is commonly known as Bring Your Own Device, or BYOD, and there are advantages in allowing staff to provide their own IT equipment. However, the use of personal devices to access school systems raises a number of questions regarding the school management’s duty under the Data Protection Act (DPA). This is particularly so if the device is used to access the school MIS (e.g. SIMS) or to hold any kind of staff or pupil information. It is important to remember that the school, as data controller, is still responsible for the security of the information, regardless of the ownership of the device used to access or process the data.
The risks: a BYOD device is owned and maintained by the user. This means that the school has little or no control over how, where or when it is used.