Over the past decade, just as the management and interpretation of data has evolved across a wide variety of applications and platforms, so too has concern over protecting the data that users share.
In light of this trend, corporations considering a Learning Management System (LMS) for their employees are paying more attention to data protection legislation than ever before.
Six months from the time of publishing this paper, the European Union's updated General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) will come into effect.[i]
Businesses must take action now or face being unprepared for this new legislation.
The primary aims of the GDPR are to give citizens greater power over the storage and use of their personal data, and to unify the regulatory responsibilities of international businesses that process European Union (EU) personal data.[ii]
However, for Learning Management Systems and other data-driven platforms, businesses across all industries are not always aware whether their current providers comply, and in certain cases a failure to do so could mean fines of up to 4% of annual global revenue or €20m, whichever is greater.[iii]
Facts to Know
As a business considering any LMS provider, make sure you are fully aware of the requirements below in light of this new legislation.
1. The 25th May 2018 is fast approaching
The GDPR was adopted on 27 April 2016 and, following a two-year transition period, becomes enforceable on 25 May 2018.
2. Regardless of your industry, GDPR applies to your business too
Any company that "controls" or "processes" personal data of EU citizens (or residents) must abide by the new regulation, regardless of where that company is located.[iv]
The GDPR does not require the passing of national legislation and is binding regardless of the company's location.[v]
3. The definition of 'personal data' is now broadened further
Any data that can be used to identify an individual (including genetic, mental, cultural, economic or social data) is now considered personal data.[vi]
4. Do procedures prove clear consent?
Organisations need to prove that clear and valid consent was obtained when personal data was collected.
5. Data protection officer appointed?
A data protection officer (DPO) must be appointed if: (a) the processing is carried out by a public body (excluding courts acting in their judicial capacity), or a company's core activities include (b) the "regular and systematic monitoring of data subjects on a large scale" or (c) "processing on a large scale of special categories of data".[vii]
6. Privacy impact assessments (PIA): now a mandatory requirement
To minimise risks to data subjects, data controllers must conduct PIAs (where privacy risks are high) and work with their DPOs to ensure compliance.[viii]
7. Data breaches must now be notified within 72 hours
Any data breach must be reported to the Supervisory Authority within 72 hours of becoming aware of the breach.[ix]
8. The data minimisation principle
Collected personal data must be adequate and relevant, but limited only to what is necessary.[x]
9. Deleting data upon request
While personal data should never be retained for longer than necessary in relation to the purpose of its collection, the GDPR highlights the "right to be forgotten". That is, subjects can have their personal data erased, sometimes prior to the end of the maximum retention period.[xi] Processes must be in place to handle such data deletion requests.
10. Expanded liability
Data controllers are no longer solely liable under personal data regulations. The GDPR expands liability to all organisations that process personal data, including service providers, who will also need to comply with the GDPR.
11. Privacy by design
The GDPR privacy principles must be integrated by design into the core of systems.
For example, all future software must be capable of complete data erasure.
12. All organisations; one supervisory body
Organisational processes will become streamlined to work with just one supervisory body rather than one for each EU state. Conversely, any EU data protection authority can take action against any organisation regardless of its location.
Immediate Action Points
(Adapted from the Information Commissioner's Office)[xii]
Whether a data management system is internal or external to your organisation, the small amount of time taken to implement the actions below may represent a significant saving against the costs and consequences of an LMS provider that is not yet compliant with these changes.
1. Spread awareness of GDPR in your organisation.
2. Information audit: What personal data do you have? Where did it come from? Who do you share it with?
3. Update current privacy notices and communications.
4. Procedural audit: How would you delete personal data?
5. Update procedures to handle requests within the new timescales.
6. Identify the lawful GDPR basis for processing personal data.
7. Update consent procedures to meet GDPR guidelines.
8. Consider age verification: are there underage subjects requiring guardian consent?
9. Plan for data breaches.
10. Perform data protection impact assessments.
11. Begin implementing data protection by design.
12. Designate a data protection officer (DPO).
13. Identify your primary data protection supervisory authority.
Overall, the upcoming changes under the GDPR not only represent a set of facts and actions that your company will need to implement to ensure full compliance with the law at the level of the organisation, but also a shift in perspective at the industry level in how data should be managed and represented by the modern LMS provider.
Transparent representation means rich and employee-specific presentation, which only Qintil, as the leading LMS platform, is able to provide.