After decades of relative neglect, online privacy concerns have become increasingly important in the last few years. This year, especially, has brought privacy on the forefront of public discussion, while a host of state and corporate initiatives have been launched to address the issue.
Chief among them is the European Union’s “General Data Protection Regulation” (GDPR for short), which comes into full force on May 25th, 2018.
The new regulation aims to increase the transparency and accountability of companies processing personal data, to foster a “privacy culture” on the Internet, and to clarify and protect the privacy of “natural persons” (in other words, of regular users).
In this post, we’re going to examine GDPR’s set of laws and guidelines, both in their general implications and in the context of corporate and commercial eLearning. We’ll also share some general advice and tips to help you ensure that your training program is GDPR compliant.
Let’s start with the two most important questions.
# Who Should Care?
Any company offering services to EU citizens or tracking EU citizens’ behavior (e.g. through online profiles, cookies, and other such means) is required to comply with GDPR — regardless of whether it’s an EU-based company or not.
# And why?
Because a non-compliant company can face fines of up to $20 million or 4% of its annual turnover.
# GDPR Terminology
Before we dive any deeper, here is some basic terminology you need to know to fully understand the GDPR:
- Processing: practically anything a company might do with our personal data (collection, organization, storage, adaptation, transmission, sharing, and so on).
If a company handles some EU citizen’s data in any way, that qualifies as processing.
- Data Controller: Companies that collect, store, or manage individuals’ data for some particular purpose (and which determine the means by which this collection takes place).
Your bank, for example, is a data controller. It collects your data to provide you with banking services. In general, a business X acts as a data controller through its collection of the data of its employees or customers.
- Data Processor: A company that stores or processes user data on behalf of other companies (data controllers).
When company X uses TalentLMS to train its employees, it acts as a Data Controller, and Epignosis is the Data Processor.
In other words, Data Controllers are companies whose own purposes require collecting data, and Data Processors are companies that offer data processing, storage, etc. as a service to the former. The Data Processor cannot use the data it was entrusted with for any purpose other than the one the Data Controller contracted its services for (TalentLMS, for example, may only use learner data as part of the customer’s training program).
With us so far? Great! You’ve already understood one of the trickiest distinctions in the new regulation.
- Data subject: a natural person — such as a TalentLMS learner or Instructor.
- Personal Data: Any information relating to a data subject such as name, email, online identifier, and so on.
- Consent: An informed and clear indication by a data subject that they’re okay with a specific collection and processing of their personal data. (e.g. deliberately clicking on an approval button after having read a detailed description of what your service provider is going to do with your data).
# Does GDPR mean that you’re required to get an EU-hosted LMS?
No, not at all.
The new regulation is not meant to hamper international Cloud service use by EU citizens — just to increase its privacy, security, and accountability.
Towards that end, EU businesses are allowed to use LMS platforms hosted in any country, as long as that country (and those platforms) guarantee an EU-approved level of protection.
Specifically, transfers of personal data outside the European Economic Area (EEA) “may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.”
The Privacy Shield framework (used by all major cloud service providers) was created specifically to satisfy the above criteria.
# Call for Action – What to Do
If your company uses an online LMS for its training, it is important to understand that GDPR compliance is a shared responsibility between you (the “controller”) and your LMS provider (the “processor”).
As a controller, you set the goals of the processing, control the data that will be used, and the data subjects that will be subject to the processing (in an eLearning case, your learners, training administrators, and instructors).
# Things you must do (to be GDPR compliant)
- Ensure and be able to prove that you handle personal data in accordance with the GDPR principles of fairness, transparency, confidentiality, accuracy, integrity and lawful processing.
In other words, you should not overreach in your collection of personal data (don’t collect more than you need for your specific purposes), and you should not use the data for purposes other than those for which it was collected.
- Create a map of your data, their sources, the systems where they are stored, and the respective data flows and access rights, making sure that data privacy is preserved throughout.
- Have appropriate data protection and retention policies and controls in place for the information of the data subjects you manage.
Don’t play it fast and loose with data protection (e.g. leaving your users’ data open to the web at large), and don’t keep data around for longer than you need it.
- Ensure that you keep accurate data records and provide the means for their update and correction.
- Keep any personal data that your company collects out of reach of people who have no business near them. Limit access to employees that absolutely require it to conduct their business.
It makes sense, for example, for an eLearning instructor to have access to their learners’ test scores. Not so much for your accounting trainees.
- Use processors that are GDPR-compliant, adhere to your instructions as the data controller and provide guarantees of GDPR conformance.
The Data Processing Agreement (DPA) should unambiguously specify your instructions (as the Controller) that the Processor (LMS service) must follow, and binds both parties to meeting your GDPR-related legal obligations.
# Things your LMS service provider should do (to be GDPR compliant)
- Provide the means and assist you (as the Controller) in satisfying the data subjects’ privacy rights through the LMS’s features.
These rights boil down to: the right to be informed (that you have their data), the right of access, the right of data rectification, the right to be forgotten, to lodge a complaint, restrict or stop processing, and to obtain their data in a structured format (e.g. CSV download).
Data subjects also have the right to object to marketing, and to not be subject solely to automated processing. (Additional details on this are provided at the TalentLMS GDPR compliance page).
- Bump up their security infrastructure and make sure that they have the technical and organizational measures in place to ensure an adequate security and privacy level.
- Appoint data privacy staff (or a Data Protection Officer if required) that can be easily reached by customers, e.g. through an email address clearly published on the service’s website.
This means documenting the scope, nature, types of data, retention policy, list of sub-processors used (e.g. for Cloud hosting or payment processing), controller’s instructions and international transfers so that the LMS data subjects can make informed decisions on using the service.
- Give users a way to drop questions, lodge complaints, or exercise any of the rights provided by GDPR.
- Review any sub-processors that they use, and ensure their compliance with privacy laws, and the flow-down of security and privacy requirements end-to-end.
- Provide the legal justification for the processing operations and data transfers taking place.
A service that sends user data from the EU to the US, for example, should have a Privacy Shield certification or some legally approved Binding Corporate Rules governing the transfer and management of said data.
- Support configurable role-based access to personal data and security privileges (TalentLMS had those before it was cool — or legally binding in the EU).
- Allow the creation of views on the LMS that can hide information that need not be exposed system-wide (ditto).
- Comply with GDPR certifications and approved Codes of Conduct.
To this end, TalentLMS, through its mother company Epignosis, has joined the EU Cloud Code of Conduct and plans to get certified in the coming months, as soon as such accreditation is offered.
- Have confidentiality terms in place for the personnel accessing personal data as part of their work.
- Commit to collaborating with the controllers and the relevant supervisory authorities.
- In case of a data breach, have a policy and plan in place to notify the supervisory authorities and affected data subjects within 72 hours.
- Support data export of the LMS data in a common format, as well as the possibility to transfer the data to another provider.
(TalentLMS, of course, supports CSV/Excel and SCORM exports, among other options).
- Periodically review, update and test the effectiveness of the policies, procedures, and controls in place.
Again, it’s your responsibility, as the controller, to verify that the above is indeed supported by the LMS service you choose.
# GDPR and Lawful Processing
To be lawful for a company (and its data processors) to store and process personal data, one or more of the following conditions should apply, as specified in GDPR (Article 6):
(In other words, your rights as a data subject trump the data controller’s rights).
# GDPR and eLearning
Now that we’ve discussed the general GDPR requirements (through a few eLearning-related examples), we’ll shift focus to two eLearning peculiarities regarding GDPR that you should be aware of.
## National limits to employee data processing
GDPR (Recital 155) allows for national legislation to specify ‘works agreements’, imposing specific rules on the processing of employees’ personal data in the employment context.
If you operate in such jurisdictions (or have offices and employees all across the EU), you should keep an eye open for specific national legislation that may impact your policies and procedures as a data controller for your employees.
## Issues of consent
The imbalance of power between employer and employee may challenge simple consent as a legitimate basis for processing employees’ personal data (whether for eLearning or some other context).
Adding training as a contractual term with your employees will serve as a more solid justification for managing their data for eLearning or any other legitimate business interest you may have.
## A Final Note: Check with your legal advisors
This article is meant to serve as an introduction to GDPR, and an attempt to raise awareness over GDPR issues that are typically overlooked in the eLearning context.
While we’ve tried to cover all major aspects of the new regulation in this post, we did so in an easy-to-understand manner that leaves out many of the legal nuances and intricate details of the actual legislation.
To verify your GDPR assumptions and action plan, check with your compliance, legal services, DPO, and ICT managers.
P.S. For a breakdown of the complementary aspects of the regulation that are only referenced by name in this article (such as an elaboration on the data subjects’ rights), check TalentLMS’ GDPR compliance page. (You may also refer to the TalentLMS GDPR Q&A page for some GDPR-related FAQs, pitfalls, and common misunderstandings).