The EU General Data Protection Regulation (GDPR) was designed to harmonize data protection law across the EU and to protect the personal data of individuals in the EU. Essentially, it requires companies that collect personal data to be clear about why they collect it and, where they rely on consent, to obtain that consent explicitly. It also grants individuals whose data is collected a set of rights that companies must honor. The GDPR goes into effect May 25, 2018.
The GDPR applies to companies established in the EU and to companies outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU. It places primary responsibility on Controllers of data, while also imposing direct obligations on Processors (for example, security measures and breach notification to the Controller). The Controller determines the purposes and means of processing, while the Processor processes data only on behalf of, and on the instructions of, the Controller. In the case of e-learning, the Processor is the LMS vendor (like us, eLogic), while the Controllers are the clients (you!).
While every client must consult its own legal team on the best way to become compliant, we know that making big adjustments to the way you process data can be hard. Below we have outlined some of the ways eLogic Learning supports clients in handling data.
Consent for Use of or Processing of Personal Data
One of the most important requirements of the GDPR is that, where a company relies on consent, it must ask for that consent in clear, easy-to-understand language before collecting or processing the data. The consent request cannot be lengthy or hard to understand; it must be concise, in plain language, and clearly distinguishable from other terms and conditions. Consent must be freely given, specific, informed and unambiguous, and it must be as easy for users to withdraw consent as it was to give it. For special categories of data (such as health, biometric or religious data), explicit opt-in consent is required; for other personal data, "unambiguous" consent suffices.
One of the most common ways that clients choose to obtain consent from users of their learning management system (LMS) is the End User License Agreement (EULA) feature. The EULA is presented to the user when they first create an account or log in, and the user must accept its terms before using the LMS. The client can put client-specific legal language in the EULA so that they can be sure to be compliant with whatever legal language applies to that company, GDPR or otherwise. One caveat: consent that is bundled into terms a user must accept in order to use the service at all is unlikely to count as "freely given" under the GDPR. Where processing is necessary to deliver the training (for example, recording completions for an employer's mandatory courses), your legal team may prefer a lawful basis other than consent, such as performance of a contract or legitimate interests, with the EULA then serving as a privacy notice rather than a consent form.
Another way that clients obtain consent is via dynamic content areas within the LMS that can be filled, again, with the client’s legal language.
Data Breach Notification
A data breach is a serious event that puts user data at risk. Under the GDPR, a Controller must notify its supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to "result in a risk to the rights and freedoms" of individuals; where the breach is likely to result in a high risk to individuals, the affected users must also be told without undue delay. Processors are required to notify Controllers of a breach without undue delay, so the Controller's 72-hour clock depends on the Processor reporting quickly. In e-learning, this means LMS vendors must notify their clients. eLogic Learning will notify all clients affected by a data breach by email as soon as we are aware of it, so that clients can meet their own notification deadlines.
Right to Access
Users have a right to know what personal data an organization holds about them. The "right of access" gives users the right to obtain confirmation that their data is being processed, information about the purposes of that processing and who the data is shared with, and a copy of the data itself. The Controller must provide this free of charge (a reasonable fee may be charged only for repeated or excessive requests) and normally within one month of the request. Again, the EULA, dynamic content area, or client content page can be used to tell users how to submit an access request; the data itself can then be extracted with the LMS's reporting tools.
Right to be Forgotten
Users, especially when they no longer use a system, may want their personal data deleted so that it remains under their control and so that entities they no longer interact with cannot process it. This right, also known as "data erasure," permits the user to ask that their personal data be erased and no longer processed; where the Controller has passed the data to third parties, it must take reasonable steps to inform them of the request. The right is not absolute: a Controller may retain data it is legally required to keep (for example, training records that a regulator requires an employer to hold), so your legal team should define which records fall into that category before the first request arrives. Controllers must provide a mechanism for users to request removal of data. At eLogic, Controllers can open a ticket when a request to delete personal data is received. The support team will then delete the user profile, transcript records, licenses, certifications, CEU credits, security roles, and purchase history. Keep in mind that the Controller remains responsible for any copies it has exported from the LMS (reports, spreadsheets, downstream HR systems), which must be erased separately.
Right to Data Portability
Users may want to share their data with other Controllers. The GDPR gives users the right to receive the personal data they have provided in a structured, commonly used and machine-readable format, and to transmit it to another Controller. eSSential LMS's ad hoc reporting makes it easy to extract a user's personal data and provide it to them as a csv or xls file.
Privacy by Design
When systems are designed, it is negligent to treat data privacy as a last-minute inclusion; systems should be built from the ground up with privacy in mind at every step. This clause (data protection by design and by default) requires data protection to be built into the initial design of systems, and asks the Controller to implement appropriate technical and organizational measures that effectively protect users. It also asks that Controllers collect and process only the data that is necessary for the stated purpose, retain it no longer than needed, and limit who has access to it. This principle is known as "data minimization." eLogic Learning keeps its data security practices current with recommended security standards.
There’s a lot to navigate, so we have a few recommendations for clients hoping to maintain compliance:
- Consult your legal team to determine the lawful basis for each processing activity and what language should be included in your consent or privacy notice.
- Only request the data you actually need when users register for or log into the LMS (what is collected is determined by the Controller).
- Determine if you are required to appoint a Data Protection Officer (DPO).
- Have a documented process for handling access, erasure and portability requests within the one-month deadline, including any copies of LMS data held outside the LMS.
- Notify your supervisory authority within 72 hours of becoming aware of a breach, and notify affected users without undue delay when the breach is likely to result in a high risk to them.
Feel free to reach out to an eLogic Learning representative for more details or to ask about any other concerns you may have about GDPR.