Data Protection in Universities under GDPR

Educational institutions and their data protection departments handle and process a huge volume of personal data. Confidential information about employees, students, and applicants is often stored in databases with an extremely low level of data protection. Most institutions pay too little attention to the potential dangers of a data breach, and the budgets for data protection in universities leave much to be desired.

Unfortunately, an effective approach to data management and security is a rare find among educational establishments. Attention is mainly paid to the things that are more obvious but less risky. According to the Breach Level Index Report, in 2015 nearly 100 breaches were recorded in education. This number is stunning when you take into account that the total number of breaches that year was around 970: more than 10% of all breaches occurred in universities.

But it’s time to remember that in the digital era, information plays a vital role. It is the core of our entire lives, and a lack of data protection has the potential to damage businesses and industries or even destroy human lives. Indifference to data breaches is fast becoming untenable, and when the General Data Protection Regulation (GDPR) enters into force, this issue will be ignored no more.

“We’re all going to have to change how we think about data protection.”
Elizabeth Denham – UK Information Commissioner

Why Does Data Protection in Universities Matter?

Why is data protection in universities so important? It’s simple: the concentration of vital data in educational institutions is so high that a breach would definitely lead to reputational damage and heavy financial losses.

The list of sensitive data in educational establishments can vary depending on their specialization, size, and functions. But, first of all, university data protection systems have to take care of these three crucial aspects:

  • Staff and student personal information. Names, addresses, emails, phone numbers, emergency contact details, dates of birth, academic qualifications, details of any disabilities and criminal convictions, etc.
  • Payment data. Information about transactions, payment recipients and senders, etc.
  • Scientific research data. Just think about it: how can intellectual leaders hold their positions if they lose important data and scientific results? These people should take care of mankind’s knowledge, not of potential fraud and cyber attacks.

University data security systems face the same issues and risks as any other organization. For example, two of the most common sources of risk, for universities and any other organization alike, are poor passwords and downloading files from unsafe websites. Consequently, data protection rules in universities are similar to those of any other organization: there is a data protection act that mainly regulates what personal data is and how it must be protected.

But there are also some specific, considerable weaknesses that attract hackers’ interest in educational institutions and need to be addressed as soon as possible. Here they are.

1. Inconsistent Regulation

There is no approved set of official rules to regulate university data protection. It should be mentioned that there are some particular regulations, like academic records regulation, PII regulation and PCI rules, or medical records regulation; additionally, national laws have an impact on university data protection guidelines. But these pieces of legislation are not put together into a unified system managed by a single organization.

Although a lot of institutions fall under these regulations, many universities lack proper management and IT governance. Some institutions have their own departments responsible for data protection; others hire a systems center data protection manager to take care of this. In most cases, this position is filled part-time by students who work with no proper management. What is worse, there is also a third type of institution that ignores the potential risk completely.

2. Different Sources of Risk

A university is an institution with a large number of people who work and study there. This means that an unlimited number of potential risks can arise from any party. Additionally, universities share information with other institutions or, in some cases, share whole databases. In such cases, it may be unclear which party is responsible for data protection. Combined with the lack of regulation, this factor makes data theft a lot easier.

The danger of such an open, collaborative culture is illustrated by another significant fact: universities with unprotected data create perfect conditions for hassle-free IP theft. Hacking is the good old way of stealing digital data, but social engineering is more effective than ever. Some simply visit scientific conferences in order to get access to unprotected information and steal it. In this case, sensitive IP is the main point of interest, and it can be reached within minutes.

3. Financial and Reputational Losses

The most effective way to start a conversation with universities about the importance of information security is to describe the potential financial loss. As experience shows, it is cheaper to prevent potential theft than to detect and fix it. The 2013 breach at Maricopa College cost $26 million. In 2016, the total cost of data breaches reached $4 million. But there are always ways to save money: appointing a CISO can save around $7 per record, and extensive encryption can increase savings to $13 per record. Unfortunately, reputation cannot be quantified, which is why a single measure is not enough.

The vital importance of educational establishments and the data collected there is unlike anything else. With such a number of obvious weaknesses, it is clear that data protection in universities must not only be actively discussed but improved as soon as possible. A solid, powerful framework with a defined set of rules regulated by a single authorized organization is the first step to solving the problem. An effective plan will help avoid mistakes and pitfalls and empower the industry in general. In this context, the General Data Protection Regulation is what our universities and society as a whole need.

What Is GDPR?

GDPR stands for the General Data Protection Regulation. It applies to institutions, businesses and individuals and helps the EU meet modern cybersecurity requirements. Nowadays we face an unbelievable degree of ignorance of, and indifference to, data protection. This is why GDPR entered the stage.

Considering the implementation of the new regulations, 3 important dates should be mentioned:

  • January 2012, when data protection reform was planned;
  • May 24th, 2016, when GDPR was passed;
  • May 25th, 2018, when it is set to come into force.

GDPR is a positive shift that universities have been waiting to see enter into force for almost 2 years. But what does the GDPR implementation actually mean?

In essence, GDPR gives people complete control over their personal data and over how it is stored and used. GDPR enforces citizens’ fundamental rights.

Furthermore, GDPR has the ability to considerably simplify digital market rules for business. The European Commission claims in its report that GDPR can save €2.3 billion. Rebuilding data protection will strengthen Europe and make it safer, stronger and more trustworthy.

Let’s take a brief look at the key new regulations imposed by GDPR:

  1. The Regulation is applicable if the organization collects data from EU citizens and/or is based within the borders of the European Union. Everything including a person’s name, email, address, photo etc. is regulated by GDPR.
  2. A single set of rules regulates processing in all EU countries. A Supervisory Authority (SA) fulfills the administrative tasks, and all of the SAs are coordinated by the European Data Protection Board.
  3. Any business structure development must include the design of data protection. This is called data protection by design and by default.
  4. The lawful basis for processing personal data is consent, and the reasons for collecting and processing data are required to be clearly explained.
  5. A Data Protection Officer (DPO) is responsible for managing IT processes, data security and business issues within the organization.
  6. GDPR introduces pseudonymisation – a special type of personal data transformation.
  7. The data controller must notify the SA about a data breach no more than 72 hours after becoming aware of it.
  8. Citizens have full access to their personal data and the details of its processing.
  9. Citizens can request the erasure of personal data relating to them.
  10. Personal data can be transferred from one electronic system to another by its owner, and data controllers cannot prevent this from happening.
  11. Data processing activities are recorded. Each record includes information about the purposes of processing, the categories involved and time frames. The SA can access any record upon request.
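Pseudonymisation (point 6 above) keeps a data set usable while the information needed to re-identify people is held separately. The following Python example is added here and is not the article's own code: it pseudonymises the student fields listed earlier (name, email, date of birth) with a keyed HMAC, shows that a second institution holding a different key cannot link the same records, and erases the key as one way to act on an erasure request (point 9). The records and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample records (not real people) using the categories the
# article lists for staff and students: name, e-mail, date of birth.
STUDENT_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.edu",
     "dob": "1999-04-12", "course": "Physics"},
    {"name": "Bob Example", "email": "bob@example.edu",
     "dob": "2000-11-03", "course": "History"},
]

# Fields that directly identify a person; "course" stays usable for research.
DIRECT_IDENTIFIERS = ("name", "email", "dob")


class Pseudonymiser:
    """Replaces direct identifiers with keyed pseudonyms (HMAC-SHA256).
    Key and lookup table are the 'additional information' kept apart from
    the data set. An unkeyed hash would not do: anyone could hash a guessed
    e-mail address and match it against the pseudonymised records."""

    def __init__(self, key: Optional[bytes] = None):
        self.key: Optional[bytes] = key or secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # pseudonym -> original value

    def pseudonym(self, value: str) -> str:
        if self.key is None:
            raise RuntimeError("key has been erased")
        tag = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256)
        return "psd_" + tag.hexdigest()[:32]  # 128-bit prefix is enough here

    def pseudonymise(self, record: dict) -> dict:
        """Return a copy with every direct identifier replaced by its pseudonym."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                p = self.pseudonym(out[field])
                self._lookup[p] = out[field]
                out[field] = p
        return out

    def reidentify(self, record: dict) -> dict:
        """Reverse pseudonymise() for whoever still holds the lookup table."""
        return {k: self._lookup.get(v, v) if k in DIRECT_IDENTIFIERS else v
                for k, v in record.items()}

    def erase_key(self) -> None:
        """Destroy key and lookup so existing pseudonymised copies can no
        longer be attributed to the person (one way to honour an erasure)."""
        self.key = None
        self._lookup.clear()
```

The same record pseudonymised twice under one key yields identical pseudonyms, so research joins within the institution still work; under a different key it does not, so shared data sets cannot be linked without the key.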


How Will the GDPR Affect Colleges and Universities?

The profound impact of GDPR on universities cannot be overstated. Its implications can be described by the way processes will be organized. GDPR includes 4 crucial points that have to be recorded:

  1. The reason why data was collected;
  2. The way it was collected;
  3. The person or group of people who have access to it;
  4. The conditions to remove or anonymize it.

These points are the core of GDPR in higher education institutions. Accurate and clear descriptions of each of them are what will lead to a successful GDPR implementation.

But what is actually new in what GDPR brings to how universities and colleges process personal data?

  • Accountability. Institutions become more accountable upon implementing GDPR. Records of data and their processing, detailed documentation and a strict set of rules for managing them create perfect conditions for improving data protection.
  • Easy Information Cycling. GDPR provides the interested parties with the opportunity to share information in a smooth and seamless way while adhering to all of the rules.
  • Up-to-date Approaches. Formal approaches are going to be left behind soon. Data protection design is required to be carried out at the very beginning of every project or process as a mandatory stage of its lifecycle.
  • Trustable Consent. Now, institutions are obliged to demonstrate evidence that the information was given freely and that the person consented to its collection and processing. By the way, this will make many services illegal, such as public Wi-Fi hotspots collecting users’ data without their consent.
  • Increase of Trust. Recently, lack of security has come under sharp criticism. Each failure is discussed dramatically in the media, and an institution’s reputation can be lost forever if something accidentally goes wrong. GDPR is aimed at providing people with all the necessary information about data processing and making institutions follow a set of rules that increases awareness and reliability.


How a University Can Get Ready for GDPR – 7 Obligatory Steps

Some institutions started preparing for GDPR intensively almost 2 years ago, when it became obvious that there was no way to avoid the changes. Nevertheless, many leading businesses and universities have done nothing yet, even though they are impressed by the potentially positive impact of GDPR. These months need to be absolutely devoted to proper preparation for the new regulations in order to implement the rules in the shortest period of time, get used to them and avoid future risks, fraud or legal issues.

So, what actions should universities take? There are 7 steps to help universities comply with the GDPR regulations.

Step 1. Awareness

You must know for sure what the new regulations are about, how they are going to influence your operating processes and what it means for your institution. This GDPR preparation step requires deep research on the topic. Study your current data processing system and compare it to the upcoming requirements. Maybe you already have a good basis for preparation and don’t even know it. Additionally, make sure your staff knows that a new law is being introduced and let them know how the changes are going to impact their daily job.

Step 2. Data Protection Officer

When it comes to GDPR preparation, one of the crucial moments is to hire a competent DPO. This person will manage the process and take full responsibility for it, train the employees and track any suspicious activities.

Step 3. Individual Rights

GDPR extends the list of individual rights. Now, the data subject has the right to access their data, correct inaccuracies or even delete some information, and prevent their contact details from being used for marketing purposes. Also, a person can forbid automated processing of their profile and is entitled to data portability. Define what steps are necessary in order not to violate people’s rights.

Step 4. Consent

What do you know about the way your institution currently collects personal data? Review your usual practices and find out whether they match the new ones. Consent must be freely given and indicated by positive agreement.

Step 5. Data Breach

Learn about data breaches and the rules to inform the Supervisory Authority about them. Make sure your institution has the capabilities to detect an issue and let the affected person know about it.

Step 6. Marketing Campaigns

In just a few months, your institution will not be allowed to use personal data for marketing or promotion purposes. Check what kind of campaigns your organization is running or participating in and decide how they will continue.

Step 7. Review

Even if it seems like you have done everything you can, review the taken actions and make sure the potential issues are prevented or there is a defined plan of what to do in case of any GDPR emergency.

There are some other important things you need to take care of beforehand. Take a look at the following questions to find other ways to prepare new GDPR practices for your university or update the old ones:

  • Are you familiar with Wi-Fi security?

A confidential Wi-Fi password can keep your whole system safe and sound. Use WPA-TKIP for the corporate network to be fully confident that data is well protected.

  • Is your staff allowed to bring their own devices?

Home office and BYOD practices are quite risky. The lack of control over the devices and their users’ activity can lead to fraud. Take care of remote access security and consider installing device management software. Moreover, data protection best practice guidelines state that multi-factor authentication for remote access is of great help for security.

  • Do you know about cyber insurance?

Nowadays, insurance firms offer their customers a new type of service called cyber insurance. Software solutions are developed to fight cyber attacks, as well as to prevent hacking attacks and data theft. Cyber insurance is useful in case of a large-scale security breach. Insurers pay out: this attractive and convenient funding mechanism created by service providers makes it possible to recover cyber losses.

These handy tips can help you to get ready for the great changes that are coming and make GDPR influence your institution positively.

The Bottom Line

What is data protection? It is a hard and complicated process that plays a crucial role in the era of digital innovation. Data protection acts are especially important for educational institutions, as those are the places where the future of the world’s science is born. The European Commission has created a plan for enhancing data protection, and GDPR implementation has a special place in it. Each university needs to prepare carefully for the coming changes, which are getting closer day by day. Failure is too expensive. So get ready for the upcoming regulations properly and bring your institution to a brand new level of leadership and trustworthiness.

Author: Maxim Oliynyk

He worked in the IT industry for many years. One fine day, he had an idea to create a convenient and affordable two-factor authentication service. He gathered a group of talented like-minded people. A bit of time + a lot of work + a lot of money + a million experiments. And – voila! Protectimus is born! After a little more time and effort, not only is Protectimus not in any way inferior, it is often superior as compared to former industry leaders.
