LMS GDPR Compliance
GDPR stands for General Data Protection Regulation. It refers to all data protection for individuals within the European Union (EU). This law applies to all companies that store and process data from users located in the EU.
The law has been in force since May 25th, 2018. Its purpose is to set parameters that guarantee the safety of users’ data and to strengthen the right to personal privacy in all electronic matters. Anyone who controls or processes personal information needs to know the laws that govern data management worldwide.
Non-compliance with GDPR may attract fines of up to 20 million Euros or 4% of a company’s annual profit.
As an LMS user, if some of your learners are located in the EU, your learning activities could be impacted. Therefore, all the data that is stored in your LMS needs to be compliant with this regulation.
What is Personal Data (GDPR-Related)
Personal data is defined as any information that relates to identified or identifiable natural persons. These entities are called data subjects. An identifiable person is any individual who can be identified directly or indirectly using identifiers such as names, identification numbers, location data, or online identifiers.
They can also be identified in reference to one or more factors relating to the physical, physiological, mental, genetic, social, cultural, or economic identity of that person.
Handling Personal Data Under GDPR
Concerning GDPR, a data subject is an identified or identifiable natural person, to whom personal data are related.
- A ‘controller’ is a natural or legal person, public authority, agency, or other entity. The ‘controller’, alone or jointly with others, determines the means and purpose of processing the personal data.
- The ‘processor’ is a natural or legal person, public authority, agency, or other entity which processes data on behalf of the ‘controller.’
The ‘controller’ needs to have an appropriate Data Processing Agreement with any third party it shares data with. The third party, in this case, is a processor. Controllers and processors are also required to implement various technical and organizational measures (TOMs), including the following:
- The pseudonymization and encryption of personal data.
- Ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- A process for regularly testing, assessing, and evaluating the effectiveness of TOMs.
- The ability to restore the availability of, and access to, personal data promptly in the event of a physical or technical incident.
Which measures to adopt must be evaluated in context, taking into account the costs of implementation, the state of the art, the nature, scope, context, and purposes of the processing, and the likelihood and severity of the risk to the rights and freedoms of natural persons.
GDPR also involves the concepts of ‘Privacy by Design’ and ‘Privacy by Default.’ Privacy by design states that organizations need to consider the privacy of individuals at the initial design stages and throughout the development of a product or service that involves processing personal data.
Privacy by default, on the other hand, holds that when a service or system involves choices for an individual on how much personal data they can share with others, the default setting should be designed to be the most privacy-friendly.
In addition, controllers must report any breaches of personal data to the respective supervisory authorities within 72 hours. If there is a high risk to the rights and freedoms of the data subjects, they must also notify the data subjects.
Individual Rights per GDPR
The controller must ensure that the data subject has granted their consent. Data subjects can’t be coerced into consenting, or be unaware that they are consenting to any party processing their personal data.
GDPR is an expansion of the 1995 EU Data Protection Directive and enhances the standards for disclosures when requesting consent, which must be ‘freely given, informed and unambiguous.’
The language used must also be ‘clear and plain’ and ‘clearly distinguishable from other matters.’ Data controllers are also required to provide evidence that their processes are compliant and are followed in every case where information is requested from data subjects.
The rights per GDPR are discussed below.
The right of access: Data subjects have the right to access their personal data and other supplementary information. This enables them to be aware of, and verify, the lawfulness of the processing.
The right to restrict processing: This allows individuals to request the controller to restrict the processing of their data when some conditions apply.
The right to rectification: The data subject has the authority to request the rectification of inaccurate personal data that concerns them. The individual also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The right to object: This allows the data subject to object to the processing of their personal data based on the performance of a task in the public interest, direct marketing, purposes of scientific and historical research and statistics, exercise of official authority, and other legitimate interests.
The right to data portability: This allows the data subject to obtain and reuse their personal data for their own purposes across different services. They are also permitted to copy, move, or transfer personal data securely, and without hindrance to usability, from one IT environment to another.
The right to erasure: This is also referred to as the ‘right to be forgotten.’ It is a principle that defines how an individual can request that their personal data be deleted or removed. This applies when there is no compelling reason for a business to continue processing that information.
The right not to be subject to automated individual decision-making: Such decisions include those that produce legal or similarly significant effects. This right allows the data subject to prohibit any processing activity that is wholly automated and leads to decisions that significantly impact individuals. Such processing can only be allowed if it can be justified on one of the three bases spelled out as exceptions under Article 22(2), namely ‘the performance of a contract, authorized under law, or explicit consent.’