We’re coming up to two months of the GDPR being in force across the European Union, and its impact is already visible: the number of reported data breaches across the UK has increased substantially.
Throughout 2017, there were 3,325 breaches reported to the ICO. In the two months since May 25, this has increased by an amazing 600%, with over 1,700 breaches reported this month alone.
Education is already a big culprit
In 2017, around ten percent of reported data breaches came from the education sector, putting it third overall. Since the 25th of May, education has moved into second place (behind the healthcare industry). If this reporting trend continues, the sector could potentially be averaging 12 breaches a day up and down the country – a substantial amount.
The most common data breach in education? Simple. It was people sending personal information to the wrong email address. A basic error, but one that most of us have made (albeit not necessarily with personal data). The second most common cause was lost or stolen paperwork; the third was loss of unencrypted devices; and the fourth was posting or faxing personal information to the wrong recipients.
Examples of recent breaches
Fortunately, none of these were in education, but they give a good idea of the different types of breaches… and the potential fines attached.
- Gloucestershire Police were fined £80,000 after sending a bulk email that identified victims of non-recent child abuse.
- The Independent Inquiry into Child Sexual Abuse (IICSA) was fined £200,000 after sending a bulk email about a public hearing to 90 recipients that should have used ‘bcc’. This allowed all recipients to see each other’s information, identifying them as victims of child sexual abuse!
- West Sussex County Council sent bulk emails to residents who had commented on plans to build an incinerator in Horsham, but did not ‘bcc’ the email addresses, so again all recipients could see each other’s email addresses. It was believed to have been sent to in excess of 1,000 recipients.
- Portsmouth City Council could face hefty fines after it was discovered that, for the past two years, contractors had not been obliged to erase data when removing old computer drives.
For schools still working through the GDPR process, we strongly encourage you to check out our Ongoing Guide to GDPR Compliance for schools and trusts. After training over 8000 school leaders in data protection earlier this year, we also have some very exciting plans in the works for further GDPR training and ongoing compliance for schools… Watch this space!