By Jane Larsson

Data protection found its way onto my list of responsibilities, and it got there unexpectedly. Like many leaders, I began to pay closer attention in 2018 when a new law, the European General Data Protection Regulation, or GDPR as it is commonly known, was about to be implemented.

Initially, I wondered, just how much time are we going to have to devote to this? And, even as we prepared at CIS, I didn’t really grasp the impact it would have or the time I would need to devote to managing it. Soon it began consuming the time of my key leaders, in fact, everyone at CIS. Some CIS members contacted me, asking, “Will CIS be providing us with guidance on this?” At that point, I realized we were going to need professional guidance from data protection experts as we began to discover the long global arms of GDPR.

All of us share responsibility for managing data, knowingly or unknowingly, personally and professionally. I even wonder whether it is still possible to separate the two due to the sheer volume of information available as we access the internet and use our mobile devices. Let’s consider some of the information managed in schools, from student medical records to parent information and school financial accounts—all this data in digital form is potentially at risk. A whole new world of responsibility is now in our hands.

In September, at our office here in Leiden, we led our first-ever Data Protection & Safeguarding Workshop in partnership with our colleagues at 9ine: a company exclusively devoted to data protection and cybersecurity in education. As I looked at the list of people from CIS member schools who were registering to attend, the breadth of their responsibilities was evident: leadership, teaching, IT, counselling, psychology, business management, marketing—signaling the many touch-points for managing data in our schools. Alas, 9ine informed us, schools (and universities) are easy targets with a ton of data to mine, sharing it with a range of third-party companies (curriculum, assessment, student admissions and transfers) not to mention the biggest challenge of them all, students readily sharing their personal data on their own devices, often images, often inappropriately. The complexity of responsibility spreads.

During the workshop, the learning curve was visibly steep; attendees were not checking their phones, they were paying close attention as we began to think more critically about the ways we may be opening ourselves up to risk and how to manage it. We learned how easily 9ine has been able to hack school systems (with their knowledge and permission) and we were shocked to read a list of illicit sites browsed by staff and students using one school’s systems.

My colleague Chris Durbin asked: "Should we teach data protection awareness to five-year-olds? What would that look like?" We need to consider how to protect our school systems, and how we teach our students to manage how they communicate. If you are already taking action in your classrooms to address these risks with students, please let us know what you are doing so that we can share your approach across the CIS community as we each strive to prepare global, digital citizens.

Like many of our members, we are building our capacity and skills for data protection. In doing so, we are discovering how closely it is intertwined with safeguarding and child protection. We are grateful to find support via 9ine, who are available as CIS Affiliated Consultants to help our members too. We now have a Data Protection Officer at CIS, our staff are undertaking training, our systems continue to be reviewed and strengthened, and we have a clear process in place to alert the right people to a potential breach so that we can take immediate action when needed. This important work in collaboration with 9ine will continue as we create and deliver resources and training to help our members address this substantial responsibility.

Jane Larsson is the CIS Executive Director. Follow her on Twitter: @CISJaneLarsson

Related content:

• Our members can register for the CIS data protection & cybersecurity accreditation tool created by our partners 9ine
• Blog: I do. I will. I accept. I agree. I have read.
• News: Data protection and cybersecurity: CIS and 9ine team up to help schools improve
• Find out more about CIS Affiliated Consultant and specialist in data protection and cybersecurity for schools Mark Orchison