The GDPR (General Data Protection Regulation) seeks to create a harmonized data protection law framework across the EU and aims to give back to data subjects control of their personal data, while imposing strict rules on those hosting and processing this data, anywhere in the world.
What is GDPR?
GDPR consists of a long list of regulations for the handling of consumer data. The goal of this legislation is to align existing data protection rules while raising the level of protection for individuals. It was in negotiation for over four years, and the regulations finally came into effect on May 25th, 2018.
All of the reforms are designed to help customers gain a greater level of control over their data while offering more transparency throughout the data collection and use process.
These new laws bring existing legislation up to par with the connected digital age we live in. Since data collection is such a normal and integral part of our lives, both personally and in business, GDPR sets the standard for data-related laws moving forward.
Why is GDPR Happening?
GDPR is designed to enhance and harmonize data protection measures across EU member countries, including the UK. The regulation gives EU citizens ultimate control over their personal data and forces businesses to spell out, in plain language, why they are collecting a user's data and whether it will be used to build profiles of their actions and habits. Consumers are also given access to any data a company stores about them, the ability to correct inaccurate information, and the right to limit the use of decisions made purely by algorithms.
Does GDPR apply to my business?
GDPR applies not only to organizations that operate within the EU but also to companies that undertake "real and effective" business activity there. Any business that processes data while offering goods or services (paid or free) to EU citizens must comply with the requirements outlined in GDPR. The territorial scope of GDPR is far wider than that of the 1995 Directive, as it also applies to non-EU businesses that market their products to EU citizens or monitor the behavior of people who live in the EU. Even if your company is based outside the EU, if you control or process data from EU citizens, GDPR applies to you.
What is Personal Data (as defined by GDPR)?
Personal data is any information that relates to an identified or identifiable natural person (the data subject).
An identifiable natural person is an individual who can be identified directly or indirectly by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Handling personal data under GDPR
Under GDPR, the data subject is the identified or identifiable natural person, that is, the individual to whom the personal data relate.
The Controller must have an appropriate Data Processing Agreement in place with any third party it shares data with where that third party acts as a Processor.
CourseMill is a Learning Management System (LMS) designed to increase performance and learning engagement.
The purposes and means of the processing of personal data related to end-users of CourseMill are determined by CourseMill’s customers, which act as Controllers and must inform their end-users what’s going to be collected, and how and why that data will be used.
In this scenario, CourseMill plays the role of Processor by providing the use of the LMS platform. Moreover, CourseMill provides GDPR compliance mechanisms within its learning platform.
CONSENT FOR USE OF OR PROCESSING OF PERSONAL DATA
One of the most important requirements of GDPR is that companies must present users with a clear, easy-to-understand request for consent to collect and process data before collecting that data. The consent information cannot be lengthy or difficult to understand; it needs to be simple and clearly distinguishable from other terms and conditions. Users must opt in before companies may collect sensitive data, and it must be easy for them to opt out. However, for non-sensitive data, "unambiguous" consent suffices.
One of the most common ways that clients choose to obtain consent from users of their learning management system (LMS) is the End User License Agreement (EULA) feature. The EULA is presented to the user when they first create an account or log in, and the user must accept its terms before proceeding to use the LMS. The client can place client-specific legal language in the EULA to ensure compliance with whatever legal requirements apply to that company, under GDPR or otherwise.
RIGHT TO ACCESS
Users have a right to be informed about what personal data an entity holds about them. The "right to access" portion of GDPR gives users the right to access their own data: they may ask what data is being processed and request a copy of it, and the Controller should provide this free of charge. The EULA, dynamic content area, or client content page can be used to give users this access.
RIGHT TO BE FORGOTTEN
Users, especially when they are no longer using a system, may want their personal data deleted so that it remains under their control and so that entities they no longer interact with cannot process it. This right is also known as "data erasure" and permits the user to ask that all of their personal data be erased and no longer processed, including by third parties. Controllers must provide a mechanism for users to request removal of their data. CourseMill gives Controllers the means to remove user data via the Super Admin role. Additionally, Controllers can open a ticket with Trivantis for assistance when a request to delete personal data is received.
RIGHT TO DATA PORTABILITY
Users may want to share their data easily with other Controllers. GDPR gives users the right to have their personal data transmitted to another Controller.
BREACH NOTIFICATION
A data breach is a very serious event that puts user data at risk. Notification is now required within 72 hours of a data breach if it is likely to "result in a risk for the rights and freedoms of individuals." Data processors are required to notify controllers of a breach; in e-learning, this means LMS vendors must notify their clients. Trivantis will notify all clients impacted by a data breach via email as soon as we are aware of it.