As of May 25th, 2018, new European Union laws for personal data protection, the General Data Protection Regulation (GDPR), will be enforced, marking the largest and arguably most important change to EU personal data laws in the last two decades. Mastering GDPR compliance for your eLearning solution will ensure the success and validity of your LMS platform use under these new laws and into the future.
The European Union’s General Data Protection Regulation (GDPR) represents a monumental shift in the regulation and protection of personal data privacy. According to the EU GDPR website, the GDPR “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
The laws as they are explained in this post were approved and officially adopted by the European Union Parliament in April of 2016.
The aim of the GDPR is to protect EU citizens from personal data breaches and to respect data privacy in a global society that is increasingly dependent on data. The shift to these newly adopted laws signals the realization that existing data laws outlined in 1995 are largely outdated and are incapable of providing appropriate protection.
LMS platforms and eLearning systems are able to function primarily due to their ability to report, process, and analyze data submitted by administrators and site users. The updated GDPR compliance regulations affect these systems by holding them accountable to various changes and updates to data protection legislation.
Totara Learning Director of Product Management, Iain Napier, says: “Working closely with our Totara Partners across the EU, we have taken a proactive approach to supporting the rights mandated by the GDPR within the Totara Learn 11 release ahead of the regulation coming into effect in May. Organizations running our software will have the flexibility to control notifications to users about how their data will be used, give users access to the data held about them and manage the scenarios where an organization no longer needs to hold personal data.”
Totara Learn 11 is a special interim release designed to support new GDPR compliance laws for learning management platforms, making it easy for users to understand who will have access to their personal and private information and what the data will be used for, and to provide consent to site policies regarding use of their personal data.
Under GDPR, the new Totara update needed to generate accurate and complete copies of records in human-readable and electronic formats to allow for applicable inspection, copying, and review. Totara Learn 11 addressed this compliance issue by providing extensive reporting capabilities to view, filter, and export data to a number of usable formats.
GDPR compliance laws will not only affect all organizations located within European Union borders but also organizations that are located elsewhere in the world that offer goods and/or services that monitor the behaviour of EU subjects.
GDPR compliance affects all companies, businesses, and groups that hold, process, and analyze the personal data of EU subjects, regardless of the whereabouts or headquarters of the company.
Organizations that do not adhere to GDPR compliance rules may be fined up to 4% of total annual global turnover or €20 Million ($31,857,249.79 CAD) for breaching GDPR. This represents the maximum fine that may be imposed for those found to violate the legislation.
The system of fines is tiered, meaning that an organization may be fined 2% for not having its data records in good working order, not notifying the supervising authority and data subject about a data breach, or not conducting impact assessments. It is important to note that these rules apply to both controllers and processors, meaning cloud sharing and storage will not be exempt from GDPR enforcement.
A Processor is defined as an entity that processes personal data on behalf of a controller, while a Controller is an entity that determines the purpose and conditions under which personal data may be processed. eLearning system data security practices under GDPR should cover:
A data protection risk assessment should also be conducted to ensure your eLearning solution can prioritize gaps in its use of personal and private data.
----
eLearning solutions and LMS systems that embrace and support GDPR compliance not only make it easy for site administrators to publish and update multiple site policies and track when users agree to new policies, but also ensure that users feel comfortable and confident that their data will only be collected, used, and accessed by groups that have their permission and that respect and adhere to the new legislation.