UK universities risk fines due to data safeguarding failures

A new report by digital agency 7DOTS has revealed a shocking failure of Universities and higher education institutions to comply with data protection laws.

The study, based on a detailed analysis of 335 Universities and Higher Education colleges, highlights a startling 81% non-compliance rate with current General Data Protection Regulation (GDPR) standards.

The widespread compliance failure revealed by 7DOTS raises significant concerns about the safeguarding of student and other website visitor data and the potential risks of hefty fines due to non-compliance.

Universities risk fines for data safety failures

Last week the UK’s Information Commissioner’s Office (ICO) warned it may impose harsh penalties and publicly name websites that fail to make changes to their cookie consent policies.

The research, conducted using a custom cookie compliance testing tool developed by 7DOTS, reveals a strikingly low (32%) implementation rate of Consent Management Platforms, which are a crucial component for GDPR adherence.

The prevalence of Google Analytics on 82% of non-compliant sites and the utilisation of paid social platforms with embedded tracking mechanisms were identified as significant contributors to lack of compliance.

Alongside Google Analytics, other well-known storage vendors frequently present on non-compliant sites are Facebook, Google, LinkedIn and TikTok, meaning visitor data is being sent to these third-party platforms without the visitors’ consent. This could result in these visitors being targeted for advertising despite not giving permission.

Even among the 109 institutions employing cookie consent management platforms (CCMs), a staggering 66% were found to be inadequately processing website visitors’ data in alignment with GDPR standards.

This is likely being caused by web editors hardcoding scripts/assets (e.g., YouTube videos) into websites, preventing Content Security Policy (CSP) restrictions on loading.

This improper configuration of the Consent Management Platform (CCM) and Tag Management Platform (TMP) means that communication between the CCM and the TMP is lacking. Even if users decline cookies, their tracking preferences are ineffective, as data is still being shared with third parties.

These practices not only violate GDPR (and potentially hundreds of other regional and country-specific regulations) but also pose a serious threat to the privacy and data rights of students and other website visitors, with tracking of this nature now expressly prohibited.

The GDPR, designed to ensure the responsible handling of personal data, imposes stringent rules on organisations, emphasising the need for careful and lawful processing of individuals’ information.

Failure to comply not only indicates a lack of awareness or disregard for GDPR guidelines but also exposes institutions to substantial fines.

Last week Stephen Almond, ICO executive director for regulatory risk, issued a warning to websites that consistently fail on cookie consent, adding that the regulator will clamp down on those who don’t comply.

Recent enforcement actions by data commissions across Europe, such as the record 1.2 billion euro fine imposed by Ireland’s Data Protection Commission on Meta Platforms Ireland, underscore the severity of non-compliance repercussions.

Nick Williams, Demand Generation Director at 7DOTS, said: “The results of our study reflect a concerning pattern of non-compliance within higher education institutions, raising significant questions about the safeguarding of student and other website visitor data.

“The lack of implementation and proper utilisation of GDPR-mandated measures indicates an urgent need for immediate action. The threat of fines is looming larger than ever, particularly given the ICO’s announcement last week. The clock is ticking.”

He added: “Too many digital experiences are built without thinking about the needs of the end user, creating frustration.

“Any captivating digital experience needs to start from a place of trust and students today will want to know their data is being protected.

“This research should serve as a wake-up call for Universities to prioritise data protection and compliance.”