GDPR, or the European Union’s “General Data Protection Regulation,” goes fully into effect on May 25, 2018. While the law is aimed at protecting the privacy of citizens of the European Union, don’t imagine it won’t affect your efforts, even if you or your company aren’t located in the EU. The GDPR impact on eLearning will likely be felt by companies around the globe.
The law officially went into effect in mid-2016, with two years for companies to ensure they could be compliant with its requirements. Those two years are up.
Let’s examine how eLearning professionals might be affected—but first, a disclaimer: I am not a lawyer, and my observations are based on my own research and analysis. Nothing in this article constitutes legal advice. GDPR raises real financial and personal implications that must be seriously considered. This article aims to raise awareness and suggest some areas where these regulations apply to the eLearning industry. I recommend seeking legal counsel on the application and complexities of GDPR compliance as it applies to your organization.
The objective of GDPR is to protect the privacy of individuals and their personal data. It will apply to the:
- Consent to collect data
- Collection of data
- Use of data
- Protection of data
- Destruction of data
- Portability of data
Initial compliance steps
If your organization uses third-party suppliers, such as LMS or LRS platforms, be sure to check their documentation regarding compliance readiness. GDPR’s portability and destruction requirements make it essential to document how you will work with vendors to comply with requests for transferring or removing data, as well as handling any reports (printed or digital) or other data you may have on file, including on former employees, candidates, and interns.
If your organization has a data protection officer—which may be required if the company does business in the EU—schedule time with her/him to verify what processes are already in place to ensure that your eLearning software and processes are compliant. Build that relationship now, so that if a breach of security were to occur or a request for data records were made, you could meet the 72-hour (breach) to one-month (data destruction/portability) deadlines set in GDPR. In addition, be sure to understand what your company has in place, especially around destruction of records, as there may be exceptions or limitations based on other business needs, other laws and requirements, pending litigation, or established data destruction policies.
Data portability and the LMS
An area of GDPR compliance with significant eLearning impact is data portability. Chapter 3 Article 20 of GDPR states:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.
Under the definitions provided in the regulation, a “controller” can be a person, agency, or public authority that determines how and why personal data is processed. The use case that comes immediately to mind is records of courses taken in an LMS, any certifications received, as well as the records of any external courses or learning objects entered into the LMS by the employee her/himself. How would your company comply with such portability requests? What protections might be needed against disclosure of proprietary business information or trade secrets?
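As an added illustration of what answering such a portability request might look like in practice (example code written for this article's discussion, not from any LMS vendor or from the original text), the following Python builds a structured, machine-readable JSON export of everything held about one learner, strips fields the organization treats as proprietary business information, and handles the companion erasure request while preserving record types that must be retained under another obligation. The record layout, field names (`learner_id`, `internal_cost_eur`, `retained_types`) and sample data are all constructed for the example; a real LMS would read from its own database.

```python
"""Added example: serving a data portability (export) and an erasure request
from LMS learning records. All records and field names are constructed."""
import json
from datetime import datetime, timezone

# Constructed sample LMS records. 'internal_cost_eur' stands in for data the
# employer, not the learner, provided and may wish to protect from disclosure.
LMS_RECORDS = [
    {"learner_id": "u-1001", "type": "course_completion", "course_code": "SEC-101",
     "title": "Security Awareness", "completed_on": "2018-02-14", "score": 92,
     "internal_cost_eur": 45.0},
    {"learner_id": "u-1001", "type": "certification", "name": "First Aid Level 2",
     "issued_on": "2017-11-03", "expires_on": "2020-11-03"},
    {"learner_id": "u-1001", "type": "external_course", "entered_by": "u-1001",
     "title": "Intro to Statistics (MOOC)", "completed_on": "2017-06-20"},
    {"learner_id": "u-2002", "type": "course_completion", "course_code": "SEC-101",
     "title": "Security Awareness", "completed_on": "2018-03-01", "score": 78,
     "internal_cost_eur": 45.0},
]

# Fields treated as proprietary business information rather than the learner's
# own personal data; they are removed before export (hypothetical policy).
PROPRIETARY_FIELDS = {"internal_cost_eur"}


def export_learner_data(records, learner_id):
    """Return a JSON-serialisable export of every record held about one
    learner, minus proprietary fields. Only that learner's rows are included."""
    subject_records = []
    for rec in records:
        if rec["learner_id"] != learner_id:
            continue
        subject_records.append({k: v for k, v in rec.items()
                                if k not in PROPRIETARY_FIELDS})
    return {
        "data_subject": learner_id,
        "exported_at": datetime.now(timezone.utc).isoformat(),
        "format_version": "1.0",   # lets the receiving controller parse it
        "records": subject_records,
    }


def export_as_json(records, learner_id):
    """The 'structured, commonly used and machine-readable' form: JSON text."""
    return json.dumps(export_learner_data(records, learner_id),
                      indent=2, sort_keys=True)


def erase_learner_data(records, learner_id, retained_types=frozenset()):
    """Remove a learner's records except the record types the organisation
    must keep under another legal obligation ('retained_types' is a
    hypothetical policy input). Does not modify the input list.
    Returns (remaining_records, count_deleted, count_retained)."""
    remaining, deleted, retained = [], 0, 0
    for rec in records:
        if rec["learner_id"] != learner_id:
            remaining.append(rec)
        elif rec["type"] in retained_types:
            retained += 1
            remaining.append(rec)
        else:
            deleted += 1
    return remaining, deleted, retained


if __name__ == "__main__":
    print(export_as_json(LMS_RECORDS, "u-1001"))
    left, gone, kept = erase_learner_data(LMS_RECORDS, "u-1001",
                                          retained_types={"certification"})
    print(f"deleted {gone}, retained {kept}, {len(left)} records remain")
```

The export deliberately contains a `format_version` and is keyed by the learner, so another controller can parse it without hindrance; the erasure path returns counts of deleted and retained records so the response to the data subject can state exactly what was kept and why.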
What constitutes personal data
While not exclusive to digital platforms, both the rise in SaaS solutions, such as a cloud-based LMS or Office 365, and the use of Google Analytics within the LMS give the impact of GDPR special relevancy for the eLearning community. To be clear, any personal data collected by a company or technology solution, in the cloud or otherwise, is covered by the regulation.
Chapter 1 Article 4 of the GDPR states:
“Personal data” means any information relating to ... an identifiable natural person ... who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
As Peter Galdies, founder and director of DQM GRC writes in his summary of the GDPR, “In many cases, online identifiers, including IP address, cookies, and so forth will now be regarded as personal data if they can be (or are capable of being) without undue effort linked back to the data subject.”
Whether the person is an employee or a customer is irrelevant: “To be clear there is no distinction between personal data about individuals in their private, public, or work roles—the person is the person.”
As an industry, where we are investing in xAPI, learning management systems with automated workflows, and talent management systems that help predict and promote courses and career paths, we need to be cognizant of these rules and what data we can request, collect and/or use. We need to think about what features are needed and what can be turned off, if not necessary—and whether this “turning off” truly prevents the data from being captured or merely from being reviewed. For example, many companies use single sign-on (SSO) features to allow employees to access multiple programs with a single logon. Might this result in organizations capturing data that is subject to the GDPR?
The GDPR stipulates that “only personal data which are necessary for each specific purpose” should be collected, and notes in Section 2 that this applies to:
- the amount of personal data collected,
- the extent of their use,
- the period of their storage, and
- their accessibility.
Chapter 4 demands “Data Protection by Design and by Default.” The regulation is specific in mandating that, “by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
Ensuring compliance is not simple. The issues that could arise from these requirements are myriad, including:
- Managing permissions and reporting down to the level of individual employees
- Managing compliance during mergers or acquisitions where the companies have different rules and processes
- Uniform compliance across multiple LMS or LRS platforms
- Ensuring compliance in departments or branches that handle training internally, rather than through a corporate L&D team
Adaptive eLearning and profiling
Profiling, defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements,” [italics added] is governed by GDPR, as a natural consequence of the personal data restrictions.
Galdies points out, “Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on him/her or otherwise significantly affects them. So, individuals can opt out of profiling. Automated decision making will be legal where individuals have explicitly consented to it, or if profiling is necessary under a contract between an organization and an individual.” [emphasis in original]
When we talk about personalization in eLearning, for instance when implementing adaptive learning, this restriction clearly applies. Note the requirement for explicit consent. Be sure to discuss with the data protection officer and legal team whether the implementation of the LMS, xAPI, self-directed learning, adaptive learning, career pathing, etc. complies—and make any UI adjustments needed to bring an LMS or other solution into compliance.
But this doesn’t apply to us … does it?
Many eLearning professionals and even executives of US companies may assume that they are not affected by the GDPR. But can you say with 100 percent certainty that none of your employees or extended enterprise clients are EU citizens or dual citizens? Or that the company won’t hire someone in the future who is an EU citizen?
While the law applies only to EU residents, people travel, new people are hired, and companies open branch offices in the EU. In a global economy, business decisions can affect compliance, and it is likely that the learning organization would not be among the first to know. If your company were to expand into the EU, compliance would be required from day one.
The law was passed in 2016; the transition period ends on May 25, 2018. With the fallout from Cambridge Analytica’s improper use of Facebook data, it is likely that more stringent requirements will be implemented in the US as well. Learning organizations collect and use a lot of personal data on learners. Failing to comply can have a significant financial impact on your company: Fines for violations range from 2 percent to 4 percent of the gross revenues of the whole business—per violation.
Suggested next steps
Where do you begin?
- First, meet with your data protection officer and/or legal team. Find out what assessment they have done, what policies and procedures are in place, and what your team needs to adjust to ensure compliance.
- If you are using Google Analytics, check your settings to ensure that users have to affirmatively opt in to have data collected. Bring IT in, if necessary, or coordinate with your LMS success manager on this. Make sure your privacy policy clearly states what you are collecting and why. The challenging aspect will be the data deletion requirements. Google has announced that it “is committed to complying” and has an extensive compliance website, yet, as of publication of this article, has not provided details or instructions for submitting deletion requests.
- Update the UI on all systems to ensure explicit awareness and consent to any data tracking, and include clear statements about what you are tracking, why, who will have access, what you will do with the data, and how users can request destruction or copies of the data. Keep a clear record of learners’ affirmative assent to data collection.
- Regularly review, e.g., twice per year, who has access to data collected. Evaluate whether you still have a need for the data; stop collecting any data that is not needed. Document everything.
- Do not assume that people throughout the organization have any awareness of what you are doing, how, or why. Be proactive. Be intentional. Be transparent.
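The explicit-consent requirement for profiling discussed under “Adaptive eLearning and profiling,” and the recommendation above to keep a clear record of learners’ affirmative assent, both come down to the same mechanism: an append-only ledger of consent decisions that a system consults before it tracks or profiles anyone. The Python below is an added example (not code from the article or from any LMS product) of such a ledger. The purpose names, privacy-notice versions and learner ids are constructed; the rule that consent given under an older notice version must be renewed is a design choice of this example, not a quotation from the regulation.

```python
"""Added example: an append-only consent ledger for an LMS. A purpose is
processed only if the latest recorded decision is an affirmative opt-in given
under the privacy notice currently in force. Absence of a record is not consent."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed processing purposes; an organisation would define its own.
PURPOSES = {"progress_tracking", "analytics", "adaptive_profiling"}


@dataclass(frozen=True)
class ConsentEvent:
    learner_id: str
    purpose: str
    granted: bool          # True = affirmative opt-in, False = withdrawal
    notice_version: str    # the privacy notice text the learner actually saw
    recorded_at: datetime


@dataclass
class ConsentLedger:
    # Events are only ever appended, so the trail shows every decision.
    events: list = field(default_factory=list)

    def record(self, learner_id, purpose, granted, notice_version, at=None):
        """Append one decision (opt-in or withdrawal) for a known purpose."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        ev = ConsentEvent(learner_id, purpose, granted, notice_version,
                          at or datetime.now(timezone.utc))
        self.events.append(ev)
        return ev

    def current(self, learner_id, purpose) -> Optional[ConsentEvent]:
        """Most recent decision for this learner and purpose, or None."""
        matching = [e for e in self.events
                    if e.learner_id == learner_id and e.purpose == purpose]
        return max(matching, key=lambda e: e.recorded_at) if matching else None

    def may_process(self, learner_id, purpose, current_notice_version) -> bool:
        """Gate for any tracking or profiling feature: True only when the
        latest decision is an opt-in made under the notice now in force."""
        ev = self.current(learner_id, purpose)
        return (ev is not None and ev.granted
                and ev.notice_version == current_notice_version)

    def evidence(self, learner_id):
        """Serialisable trail of every decision, for an audit or an access
        request; withdrawals stay visible alongside the opt-ins."""
        return [
            {"purpose": e.purpose, "granted": e.granted,
             "notice_version": e.notice_version,
             "recorded_at": e.recorded_at.isoformat()}
            for e in self.events if e.learner_id == learner_id
        ]


def demo():
    """Constructed scenario: a learner opts in to two purposes, then withdraws
    consent to adaptive profiling an hour later."""
    ledger = ConsentLedger()
    t = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record("u-1001", "progress_tracking", True, "v2", t)
    ledger.record("u-1001", "adaptive_profiling", True, "v2", t)
    ledger.record("u-1001", "adaptive_profiling", False, "v2", t.replace(hour=10))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    for purpose in sorted(PURPOSES):
        print(purpose, "allowed" if ledger.may_process("u-1001", purpose, "v2") else "blocked")
    print(ledger.evidence("u-1001"))
```

Because `may_process` returns False for a purpose that was never asked about, a feature wired through this gate cannot silently default to “on,” and the `evidence` trail is what you would hand to the data protection officer or include in a response to a subject access request.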
May 25 is fast approaching; now is the time to assess the GDPR impact on eLearning at your company—and ensure that your company’s eLearning is in compliance.