Cyber Security Year 2020

March Issue


GDPR and the Education sector and how it may be vulnerable to cyber-attacks

E & L can prepare you for GDPR compliance with the right IT security in place

What you need to do


In July 2019 the ICO reported its intention to fine British Airways £183.39 million following a breach of security in which approximately 500,000 customers and their financial information were compromised. This highlighted the importance of GDPR regulations.

Even though the BA security breach was a malicious cyber-attack, the company had failed to put in place appropriate security measures to protect the personal information it held. This breach reinforced the importance of network security in IT systems and of ensuring that adequate security measures are in place, both of which are key parts of any risk management strategy.

GDPR affects the use, storage and other processing of personal data, meaning information relating to an identifiable living person, ranging from a name, address and ID numbers to a host of other identifying information. The education sector remains vulnerable to such cyber-attacks given the sensitive information it holds (including financial information) and the number of users able to access its IT systems. Appropriate training is vital for all members of staff to ensure that they can identify potential attacks and take steps to prevent such attacks being successful.

Protective measures range from straightforward ones, such as password protection of sensitive documents, to more technical ones, such as encryption as a means of increasing security or a secure internal platform within an organisation which controls and monitors access.

For further information on the processing of children's personal data, visit the ICO website.

The ICO has undertaken several audits of academy trusts and other education institutions since the introduction of the GDPR, analysing their compliance with data protection law and advising on ways in which to improve data protection compliance moving forward.

To read more on recent data breaches visit:

Polish School hit with GDPR fine

Approximately 900,000 Virgin Media customers affected by data breach

Tesco and Boots hit by data breach


Cyber security is the protection of computer systems and networks from theft or damage to their hardware, software, or electronic data. This topic is becoming more important due to increased reliance on computer systems, the Internet and wireless networks.

Cyber security awareness is an essential part of staff training, as human error is responsible for the worst data breaches, yet it is known to be overlooked. Without cyber security training, organisations risk their reputation, customer trust, and potentially their bottom line when employees mishandle data.

It is suggested that organisations are ultimately failing to protect themselves against cyber-attacks because even if staff are being provided with cyber security training, it isn’t adequately informing them about good practice.

Here at E&L we know this area can seem complex and time consuming. GDPR and Cyber Security training is vital to any organisation, so we provide bespoke training guides or training sessions. Our goal is to prepare organisations for an ICO audit, accompanied by an executive summary identifying issues, potential risks and suggestions for improvement to the organisation to ensure compliance. Our team will work with you to find the right balance between your business objectives, your legal obligations and IT support. We do more than just advise: we are completely hands on and available to you to ensure your business is compliant and meets customer expectations.

Statement on data protection and Brexit Implementation

The ICO released a statement following the decision to leave the EU

  • Date: 29th January 2020
  • “The UK will leave the European Union on 31 January and enter a Brexit transition period. During this period, which runs until the end of December 2020, it will be business as usual for data protection. The GDPR will continue to apply. Businesses and organisations that process personal data should continue to follow our existing guidance for advice on their data protection obligations. During the transition period, companies and organisations that offer goods or services to people in the EU do not need to appoint a European representative. We have updated our Brexit FAQs to reflect this advice. The ICO will continue to act as the lead supervisory authority for businesses and organisations operating in the UK. It is not yet known what the data protection landscape will look like at the end of the transition period and we recognise that businesses and organisations will have concerns about the flow of personal data in future. We will continue to monitor the situation and update our external guidance accordingly. Our full suite of Brexit guidance and materials, to enable you to prepare for all scenarios, is available here”.