The EU data privacy protection regulation's deadline is fast approaching and eLearning providers are scrambling to get their platforms ready to meet the new requirements. Is the personal data of your employees, partners, and resellers in safe hands?
The goal of this blog post is to briefly explain what the General Data Protection Regulation (GDPR) is, and what it means to you and your business.
When selecting a Learning Management System provider one of the key factors to consider is whether the supplier guarantees data privacy and protection against data loss. More specifically, are they compliant with the new General Data Protection Regulation (GDPR)?
GDPR takes effect on May 25, 2018. The regulation itself runs to more than 200 pages of dense legal text. For your convenience, we've summarized the main definitions, presented the key challenges that arise from it, and translated those into practical steps for implementation.
What's more, this guide will help you assess the risks your company faces if one of your SaaS suppliers suffers a personal data breach, and design and implement an action plan to mitigate those risks.
What is GDPR?
The new General Data Protection Regulation ('GDPR') regulates the processing of personal data relating to individuals in the EU, whether the processing is done by an individual, a company or an organization. Its aim is to protect everyone in the EU from privacy and data breaches in an increasingly data-driven world. GDPR is the most important change in data privacy regulation in 20 years, and its goal is to significantly raise the regulatory requirements for customer data protection. Rather than prescribing specific technologies, the GDPR focuses on the design of data protection processes and the organizational approach to data protection.
The key business aspects GDPR will impact are:
- Expanded territorial scope: GDPR makes it very clear that it applies to any company processing the personal data of individuals in the EU, regardless of whether the company itself, or the processing, is located in the EU. In short, selecting an LMS vendor overseas won't take you outside the GDPR's scope.
- Penalties: Failure to comply with the new data protection rules can result in sanctions from the EU Data Protection Authorities, and an organization in breach can be fined up to 4% of annual global turnover or €20 million (whichever is greater). It is important to note that these rules apply to both controllers and processors (see below for more on these two terms), meaning SaaS LMS vendors are not exempt from GDPR obligations. Adopting a SaaS plan does not transfer your responsibility either: you remain the controller of your employees', partners' and resellers' data, you must have a written processing agreement with the vendor, and you stay accountable for how that third party handles the data.
- Consent: The conditions for obtaining consent from software users are strengthened. Consent must be freely given, specific, informed and unambiguous; the request must be clearly distinguishable from other matters, provided in an intelligible and easily accessible form, using clear and plain language, and it must be as easy to withdraw consent as it was to give it.
What is considered personal data by GDPR?
This is any piece of information relating to a person (the 'data subject') that can be used to directly or indirectly identify that person. GDPR defines personal data very broadly: it covers anything from a name, a photo, an email address or bank details to posts on social media, medical information, an IP address or a device identifier. In an LMS context this includes login records, course enrolments and completion history, because each of them is tied to an identifiable learner.
What is “data processor” and “data controller”?
A controller is the entity that determines the purposes and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller. When you use a SaaS LMS, your company is the controller and the LMS vendor is your processor; if you self-host, you take on both roles.
What is DPO (Data Protection Officer)?
Under the 1995 Data Protection Directive that the GDPR replaces, controllers have had to notify their data processing activities to the local Data Protection Authorities (DPAs), which can be a bureaucratic nightmare because most Member States have different notification requirements. The GDPR replaces this with internal record-keeping requirements (a record of processing activities), and makes the appointment of a DPO mandatory for public authorities and for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Your company is impacted by GDPR if any of the following applies:
- It is established in the EU
- It monitors the behaviour of, or collects data about, individuals (customers and employees) located in the EU, not just EU citizens
- It offers goods or services to individuals in the EU, whether or not payment is required
You will be hard pressed to find a company delivering services or products in the EU that is not impacted by the GDPR.
Your approach to GDPR compliance should be three-pronged, taking into account the legal, operational and technological perspectives. It will broadly impact people, processes, and technology used in your company and therefore you have to include all company stakeholders to define how GDPR applies to your organization as a whole. Only a comprehensive assessment undertaken with representatives from all teams will give you a solid understanding of your company data flows and will help you map out your entire business data lifecycle.
The analysis of your current data security practices should cover the following areas:
- Data collection and purpose limitation – is your company entitled to collect the information it requests from individuals, and does it use that information only for the limited purposes it was collected for?
- Consent – does your company obtain valid consent from customers and employees alike for the processing activities that rely on consent, and can it demonstrate that consent was given?
- Data breach notification readiness – is your company ready to handle data breaches? Under the GDPR, breach notification becomes mandatory in all Member States: the supervisory authority must be notified without undue delay, and where feasible within 72 hours of becoming aware of a breach that is likely to "result in a risk to the rights and freedoms of individuals", and the affected individuals must be informed where the risk is high. Your processor must notify you, the controller, without undue delay, so check that your LMS contract spells this out.
- Privacy by design – Article 25 of the GDPR (data protection by design and by default) calls for controllers to store and process only the data strictly necessary for the purpose at hand (data minimization, Article 5(1)(c)), and to limit access to personal data to those who need it to carry out the processing.
- Individual rights (Right of Access, Right to Rectification, Right to Restrict Processing, Right to Object, Right to Erasure (the 'right to be forgotten') and Right to Data Portability) – for example, part of the expanded rights of data subjects outlined by the GDPR is the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose, together with a copy of that data, and to receive it in a machine-readable format.
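The following is an added example, not code from the original post or from Melon Learning, showing what the data minimization, least-privilege and individual-rights points above look like when an LMS actually has to honour them. It uses a constructed in-memory user store with made-up records (`USERS`, `COMPLETIONS`); the role table and the rule that course completions are retained after erasure are assumptions chosen for illustration, not requirements quoted from the regulation.

```python
"""Handling GDPR data-subject requests against an LMS-style user store.

Added illustration, not a library or product API. All records below are
constructed sample data; the role-to-field table and the retention rule for
completion records are assumptions for the example.
"""
import json
import secrets

# Constructed sample of the personal data an LMS typically holds per learner.
USERS = {
    "u-1001": {
        "name": "Maria Example",
        "email": "maria@example.org",
        "ip_last_login": "203.0.113.7",
        "purpose": "course enrolment and completion tracking",
        "consent": {"marketing": False, "given_on": "2018-03-01"},
    },
}

# Assumed retention rule: completion records back a certificate and are kept
# after erasure, but only in a form that no longer identifies the learner.
COMPLETIONS = [
    {"user": "u-1001", "course": "GDPR-101", "completed_on": "2018-04-02"},
]

# Fields that directly identify a person: returned on access, removed on erasure.
DIRECT_IDENTIFIERS = ("name", "email", "ip_last_login")

# Least privilege / data minimization: each role sees only what it needs.
# Roles not listed here get nothing (deny by default). Assumed role model.
FIELD_ACCESS = {
    "trainer": ("name",),
    "support": ("name", "email"),
    "admin": ("name", "email", "ip_last_login", "consent"),
}


def view_for_role(user_id, role):
    """Return only the fields the given role is allowed to see."""
    user = USERS.get(user_id)
    if user is None:
        return {}
    return {k: user[k] for k in FIELD_ACCESS.get(role, ()) if k in user}


def access_request(user_id):
    """Right of access: confirm whether data is processed and, if so, return
    the data held, the purpose it is held for, and the linked records."""
    user = USERS.get(user_id)
    if user is None:
        return {"processed": False}
    return {
        "processed": True,
        "purpose": user["purpose"],
        "data": {k: user[k] for k in DIRECT_IDENTIFIERS},
        "consent": dict(user["consent"]),
        "completions": [dict(c) for c in COMPLETIONS if c["user"] == user_id],
    }


def portable_export(user_id):
    """Right to data portability: the same answer in a machine-readable form."""
    return json.dumps(access_request(user_id), sort_keys=True)


def erase(user_id):
    """Right to erasure: delete the learner's direct identifiers and replace
    the key linking them to retained completion records with a random
    pseudonym. The mapping is not stored, so the retained records can no
    longer be tied back to the person from this system."""
    if user_id not in USERS:
        return False
    pseudonym = "p-" + secrets.token_hex(8)
    for rec in COMPLETIONS:
        if rec["user"] == user_id:
            rec["user"] = pseudonym
    del USERS[user_id]
    return True


if __name__ == "__main__":
    print(view_for_role("u-1001", "trainer"))
    print(portable_export("u-1001"))
    print("erased:", erase("u-1001"), "->", access_request("u-1001"))
```

The design point is the erasure path: a naive `DELETE` of the whole learner would destroy the completion history that backs issued certificates, while keeping it unchanged would leave personal data behind. Discarding the link is what lets the records stay. If your business genuinely needs to re-link later (for instance to verify a certificate on request), you would have to keep the pseudonym mapping under separate, tightly controlled access instead of throwing it away, and the retained records then count as pseudonymized personal data rather than anonymized data.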
After you have completed your data inventory (which might include visual charts of all data flows, including which personal data leaves your company for each SaaS vendor), you should be ready to conduct a data protection risk assessment for each functional area in order to prioritize the gaps that need to be addressed first.
The next step is to develop and implement a compliance action plan based on that assessment. As we already mentioned, this plan should cover the legal, process and technical perspectives.
How is Melon Learning protecting your personal data?
There is no shortage of consultants and industry experts warning companies about GDPR and offering their services to help organizations get on a path to compliance. It seems that the more experts talk and write about what GDPR means, the greater the confusion and lack of clarity on the subject. While confusion still reigns, a lot of companies leverage the hot topic of GDPR as a marketing tool to gain visibility and traction. SaaS vendors boldly claim GDPR compliance, yet their customers have no real means of confirming it at this moment. At a minimum, ask a vendor for its written data processing agreement, the list of sub-processors and the countries where your data is stored, the timeframe in which it will notify you of a breach, and how it will help you answer access and erasure requests from your learners.
If in doubt, one way to keep your employee and customer personal data under your direct control is to choose a vendor that offers a self-hosted deployment option.
Melon Learning enables you to deploy our learning management system on your own infrastructure and store the data in your own data centre. This way you avoid handing personal data to a third-party organization and reduce the exposure that comes with another party's security breach. Bear in mind that self-hosting also means the technical and organizational security measures (access control, encryption, backups, patching, monitoring) become your responsibility rather than the vendor's.
Give Melon Learning a try. Get started with our full-featured live demo.