Vânia Neto
Education Skills Lead | Microsoft Western Europe
Like most areas of society, over the past six months the education sector has had to face challenges unlike any before.
Students thrive when they have access to personalized learning. As schools have moved quickly to adapt to remote learning, using technology to create new experiences that meet students’ needs has become more important than ever. At the heart of the new learning experience is a strong foundation of security, privacy and compliance, empowering both students and educators to work within a safe and secure environment, and open up new opportunities for innovation.
The education sector has a large, complex landscape to navigate when it comes to security, compliance, and laws like General Data Protection Regulation (GDPR) which brings with it some unique challenges for hybrid teaching and learning. It can be difficult to know where to start. A typical school handles lots of personal data – much of it about minors – and it must therefore adhere to stricter regulations when handling personal information.
To help educational institutions manage this new reality, Microsoft has put together a set of guidelines aimed at assisting with GDPR compliance. They require institutions to update personal privacy policies, implement or strengthen data protection controls and breach notification procedures, deploy highly transparent policies, and further invest in IT and training.
The purpose of the new guidelines is to help educational institutions manage the threats that have arisen out of the disruption this year, while also helping them work toward compliance.
The guidelines expand on the concrete examples and to-do lists from the existing GDPR for Education Kickstart Guide – and they need to be read in conjunction with that document. Both assets are aimed at IT staff with basic knowledge of how to manage Microsoft 365.
The new guidelines aren’t meant to be read from top to bottom, either. Instead, each topic that’s referenced in the GDPR for Education Kickstart Guide has a corresponding section in the new document which includes examples and step-by-step assistance on how to do the actual configuration.
That way, readers get a good configuration baseline to build upon for meeting GDPR compliance.
GDPR applies to institutions that have a physical presence in the European Union, organisations that provide goods and services to EU citizens, or that collect and analyse data tied to EU residents. However, educational institutions anywhere in the world can use these documents as a valuable best practice guide, since GDPR are some of the strictest rules globally.
In conjunction with the existing GDPR for Education Kickstart Guide – the new guidelines give clear best practice for how to implement GDPR. The process consists of four key steps:
1. Discover – Identify what personal data you have and where it resides
Personal data is often stored in multiple locations, including emails, documents, databases, removable media, metadata, log files, and backups. The first job is to identify where personal data is collected and stored.
2. Manage – Govern how personal data is used and accessed
The first step in managing personal data is to define why you need to collect it in the first place. Ask yourself how it helps the delivery of education. Consider how it should be gathered, where it will be stored, what entities will support that process, who should access it, and how you will enable changes and deletions.
3. Protect – Establish security controls to prevent, detect and respond to vulnerabilities and data breaches
Security is one of the key attention points in our digitalised world. GDPR requirements include physical protection, network security, storage security, computer security, identity management, access control, encryption and risk mitigation. Look at the way you monitor systems, identify breaches, calculate the impact of any breaches, then respond and recover from them.
4. Report – Keep required documentation, and manage data requests and breach notifications
A key principle of GDPR is accountability. You will need to create clear audit trails on processing, classifications, and third parties with access to personal data, including organisational and technical security measures, as well as data retention times. You may need to conduct Data Protection Impact Assessments (DPIAs). A DPIA requires organisations to identify and analyse the impact of a proposed processing activity on the protection of personal data.
One year to go: Preparing for NIS2 isn’t a compliance exercise – it’s a business opportunity
I recently read an insight from IDC that suggests addressing cybersecurity threats is the top board priority worldwide. Further, CEOs of large firms say security is their most important expenditure. It was interesting to see the international consensus here. Certainly, in my work with Microsoft’s customers in Western Europe, I know cybersecurity is very much […]
Mike Hughes
Business Group Director, Security at Microsoft Western Europe
How boards can enable trust, security and compliance in the digital enterprise: all you need to know
In a world where data and technology and are dramatically reshaping business models, trust is more than ever determining companies’ success. However, many Board members and leaders are only just starting to recognize it – and often lack a clear strategy to enable it. Commissioned by Microsoft and developed by EY, our eBook is all […]
Johanna Winqvist
Microsoft, Modern Workplace
Five ways your business can stay safe – and succeed
Get the actionable guide to business success and security.
Johanna Winqvist
Microsoft, Modern Workplace
