As of May 25th, 2018, the European Union's new personal data protection law, the General Data Protection Regulation (GDPR), will be enforced, marking the largest and arguably most important change to EU personal data laws in the last two decades. Mastering GDPR compliance for your eLearning solution will ensure that your use of an LMS platform remains valid and successful under these new laws and into the future.
What Is GDPR Compliance?
The European Union’s General Data Protection Regulation (GDPR) represents a monumental shift in the regulation and protection of personal data privacy. According to the EU GDPR website, the GDPR “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
The laws as they are explained in this post were approved and officially adopted by the European Union Parliament in April of 2016.
Why Was GDPR Compliance Implemented?
The aim of the GDPR is to protect EU citizens from personal data breaches and to respect data privacy in a global society that is increasingly dependent on data. The shift to these newly adopted laws signals the realization that existing data laws outlined in 1995 are largely outdated and are incapable of providing appropriate protection.
What Does GDPR Compliance Mean for eLearning and LMS Platforms?
LMS platforms and eLearning systems function primarily through their ability to report, process, and analyze data submitted by administrators and site users. The updated GDPR regulations affect these systems by holding them accountable to the changes and updates made to data protection legislation.
Totara Learning Director of Product Management, Iain Napier, says: “Working closely with our Totara Partners across the EU, we have taken a proactive approach to supporting the rights mandated by the GDPR within the Totara Learn 11 release ahead of the regulation coming into effect in May. Organizations running our software will have the flexibility to control notifications to users about how their data will be used, give users access to the data held about them and manage the scenarios where an organization no longer needs to hold personal data.”
Totara Learn 11 is a special interim release designed to support the new GDPR compliance laws for learning management platforms. It makes it easy for users to understand who will have access to their personal and private information and what the data will be used for, and lets them provide consent to site policies regarding the use of their personal data.
Under GDPR, the new Totara update needed to generate accurate and complete copies of records in human-readable and electronic formats to allow for applicable inspection, copying, and review. Totara Learn 11 addressed this compliance requirement by providing extensive reporting capabilities to view, filter, and export data in a number of usable formats.
Who Does it Affect?
GDPR compliance laws will not only affect all organizations located within European Union borders but also organizations that are located elsewhere in the world that offer goods and/or services that monitor the behaviour of EU subjects.
GDPR compliance affects all companies, businesses, and groups that hold, process, and analyze the personal data of EU subjects, regardless of the whereabouts or headquarters of the company.
What Are the Repercussions?
Organizations that do not adhere to GDPR compliance rules may be fined up to 4% of total annual global turnover or €20 Million ($31,857,249.79 CAD) for breaching GDPR. This represents the maximum fine that may be imposed on those found to violate the legislation.
The fines are tiered, meaning that an organization may be fined 2% for not having its data records in good working order, for not notifying the supervising authority and the data subject about a data breach, or for not conducting impact assessments. It is important to note that these rules apply to both controllers and processors -- meaning cloud sharing and storage will not be exempt from GDPR enforcement.
A processor is defined as an entity that processes personal data on behalf of a controller, while a controller is an entity that determines the purpose and conditions under which personal data may be processed. eLearning system data security practices under GDPR should cover:
- Data collection & purpose limitation – GDPR will require companies to ensure they are entitled to collect the information they request from individuals and use that data for limited purposes.
- Consent – Companies need to obtain explicit consent from customers and employees for data acquisition and processing.
- Data breach notifications – GDPR dictates that breach notifications become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals.”
- Privacy by Design – Article 23 of the GDPR calls for controllers to store and process only the data required for the completion of their duties; this means minimizing data accumulation. Controllers are also required to limit access to personal data to processors.
- Rights of Individuals (Right to Access, Right to Rectification, Right to Restrict Processing, Right to Object, Right to Erasure, Right to be Forgotten and Right to Data Portability) – for example, part of the expanded rights of data subjects outlined by the GDPR is their right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, where and for what purpose.
A data protection risk assessment should also be conducted to ensure your eLearning solution can prioritize gaps in its use of personal and private data.
eLearning solutions and LMS systems that embrace and support GDPR compliance not only make it easy for site administrators to publish and update multiple site policies and track when users agree to new policies; they also ensure that users feel comfortable and confident that their data will only be collected, used, and accessed by groups that have their permission and that respect and adhere to the new legislation.