The term “GDPR” carries a lot of heft at Bett, the world’s largest ed-tech conference.
Europe’s sweeping data-privacy law, which goes by that acronym, has slapped new requirements on ed-tech companies like the ones swarming this event–and on the schools they serve–to safeguard student information.
So far, many school leaders across the United Kingdom believe complying with the law is both a supreme pain and a worthwhile endeavor, according to survey results released by a British company that has been auditing schools’ compliance with the policy.
Groupcall–a company that sells data management systems, analysis, and other products–presented results at Bett of an online survey it has conducted of British government-run and private schools on whether they believe they’re hitting the mark on GDPR, which took effect last year.
Thousands of surveys were sent out in November, drawing more than 500 responses so far from schools, said Steve Baines, Groupcall’s commercial manager and data protection officer. While that’s far from a definitive picture of GDPR’s impact, it does offer insight into what schools think of the tough new law, now that they’re trying to meet its demands.
GDPR, a European Union law also known as the General Data Protection Regulation, increases requirements on schools to inventory the data they collect, sets limits on who can access sensitive personal student data, and requires schools to obtain consent from parents for different kinds of data use. It also requires schools to make sure their vendors are in tune with the law, and that they assign data protection offers to monitor compliance.
Among the findings from Groupcall’s survey of British schools:
- 70 percent of school officials believe GDPR has been “hugely onerous” in creating extra work, yet 63 percent of those surveyed believe the work they’ve done on the policy has been worthwhile.
- One in 12 schools leaders surveyed say they still don’t have a data protection officer in their schools, despite a requirement in GDPR that they do so.
- Overall, school officials give themselves a 6.9 score out of 10 when asked to rank their GDPR compliance. Twenty seven percent of school officials surveyed say they see their compliance as “good,” and another 46 percent say it’s “fair.” Twenty-one percent gave themselves a negative score, and 6 percent say it’s critically poor.
- 87 percent of schools say they believe they’re complying with GDPR’s policies on obtaining consent before making use of student data. They ranked their compliance with data-consent rules as a 7.93 out of 10.
Baines, who has led audits of GDPR compliance in British schools, had a different view of districts’ performance on that metric.
“I hate to break your bubble, but you’re not doing consent well,” he told the attendees at his session, held on the Bett showroom floor.
In addition to doing audits, Groupcall has trained thousands of employees of British schools about data privacy in the year and half since the law took effect, Baines said.
One challenge that often trips up schools trying to comply with GDPR is the requirement that they not only comply with the policy, but show evidence that they’re doing so. (That requirement, which one consultant recently told EdWeek Market Brief is like a student being told, “show your work,” also poses a challenge to ed-tech vendors.)
Yet despite schools’ shortcomings with GDPR, Baines said he’s optimistic that many are on the right path.
British schools “actually do a pretty good job of protecting the data they hold,” he said in an interview. “They always have.”
In fact, he says he would much rather be a school attempting to meet GDPR than an ed-tech company trying to do it.
“Businesses tend to pay a bit of lip service to things, and say, if I’ve got a couple of policies in place, I’m OK,” he said. “Schools tend to have the policies — and then follow through.”
- Inside GDPR: Webinar Breaks Down Law’s Implications
- Europe’s New Data-Privacy Law: What the GDPR Means for Ed-Tech Providers