GDPR in the Small: A Field Study of Privacy and Security Challenges in Schools / Ciclosi, Francesco; Varni, Giovanna; Massacci, Fabio. - (2025), pp. 1197-1214. (46th IEEE Symposium on Security and Privacy, SP 2025, San Francisco, US, 12-15 May 2025) [10.1109/sp61157.2025.00243].

GDPR in the Small: A Field Study of Privacy and Security Challenges in Schools

Ciclosi, Francesco; Varni, Giovanna; Massacci, Fabio
2025-01-01

Abstract

The GDPR was enacted to rein in the mighty corporations of the internet. Then, it was unleashed on all organizations, large and small alike. We report the results of a multi-site field study on Italian schools, and the challenges they face to implement the GDPR while running activities full of sensitive issues without an army of legal and compliance officers. The sample study consisted of one kindergarten, ten primary schools, two junior secondary schools, and two secondary schools. We did not find evidence of the privacy paradox (spotless on paper but careless on the field). In contrast, school staff mostly crumble when by-the-book procedures cannot be implemented with the resources that they actually have. We discuss what happens on the field, from critical privacy incidents with potential impact on pupils' security and safety, to 'formal' privacy incidents for which life is too short to bother, and how a risk-based approach could address them.
2025
2025 IEEE Symposium on Security and Privacy (SP)
New York, US
IEEE
979-8-3315-2236-0
979-8-3315-2237-7
Files in this item:
File: GDPR_in_the_Small_A_Field_Study_of_Privacy_and_Security_Challenges_in_Schools.pdf

Archive managers only

Type: Publisher's version (Publisher's layout)
License: All rights reserved
Size: 272.49 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/458450