The ICO has started to enforce GDPR and impose fines for non-compliance and many universities are still struggling to close down all their vulnerabilities – they will need to act soon, or risk being exposed to penalties.
In May 2018, the University of Greenwich was fined £120,000 by the UK Information Commissioner following a “serious” security breach involving the personal data of nearly 20,000 students, staff and alumni. It was the first university to have been fined by the Commissioner under the data protection legislation (Data Protection Act 1998) that was in force at the time.
Since then, GDPR has come into force, effectively tightening up the legislation that was already in place and introducing the prospect of much higher fines being imposed on organisations that are found to be in breach. Under the Data Protection Act, the maximum fine the ICO could impose was £500,000; GDPR allows it to fine organisations up to 4% of their annual revenue or €20 million – whichever is greater.
The changes are already having an impact. The Marriott group is being fined nearly £100m over a GDPR breach and British Airways is facing a record fine of £183m for last year’s breach of its security systems.
These are worrying developments for any organisation that is not sure it has done everything it can to protect personal data. They may be particularly disturbing for universities which, by necessity, must hold details of current and former students and staff on their systems.
Of course, by now they should have taken adequate measures to ensure that they are fully compliant with GDPR. But there are signs that some are struggling to meet all their obligations, particularly in the area of fully protecting information and closing down all potential routes into their systems and servers.
One of the major problems is keeping track of all activities, current and historical, and the potential access to systems and subsequent exposure of data that could result from them. This was illustrated by the Greenwich case, which involved a website that had been set up for a conference held as long ago as 2004. The site was never properly closed down or secured afterwards; eventually it was compromised and used as a route into the university's systems, through which access to the personal data of some 19,500 individuals was gained.
It’s not just higher education that needs to act. According to a report compiled by RM Education and Trend Micro a year after the regulations came into force, more than half (52%) of UK schools and colleges admitted to not being fully GDPR compliant.
Closing down all the vulnerabilities could be quite a challenge, and one that probably can’t be addressed without expert assistance and a thorough audit of current systems. This would identify and address any security gaps and allow policies, processes and technologies to be applied that will minimise any potential for data to be compromised.
To comply with GDPR, organisations need to show that they have taken all reasonable steps to secure data, make staff aware of their obligations, and have appropriate procedures in place to deal with and limit the impact of a breach.
If they do not put appropriate measures in place, and data is left open to exploitation, they are sure to come under the scrutiny of the ICO at some point. The number of complaints received by the authority about the way data is being handled has already risen significantly. In her ‘GDPR – one year on’ update, the Information Commissioner, Elizabeth Denham, noted that since the rules came into force on 25 May 2018, the ICO had received more than 40,000 data protection complaints and reports of over 14,000 personal data breaches.
These numbers are certain to rise, and universities are as likely to be the subject of complaints as any other kind of organisation. Any institutions that are uncertain about whether or not they are fully compliant with GDPR should take urgent action to close down any vulnerabilities as quickly as possible.
At a time when budgets are under more pressure than ever, a hefty fine – especially one that could have been avoided – is the last thing any university needs.
GDPR Compliance at SCC
Our GDPR Discovery Tool provides an automated means of addressing the fundamental GDPR challenge. It identifies and monitors the existence, occurrence and processing of personal data hidden in paperwork, digital documents, files, databases, metadata and free text. This enables universities to act now and identify vulnerabilities before it is too late.