Online privacy concerns have become increasingly important in the last few years. This year, especially, has brought privacy to the forefront of public discussion. A host of state and corporate initiatives have been launched to address the issue – chief among them, the European Union’s “General Data Protection Regulation” (GDPR), which comes into full force on May 25th, 2018.
The new regulation aims to increase the transparency and accountability of companies processing personal data, to foster a “privacy culture” on the Internet, and to clarify and protect the privacy of “natural persons” or, in other words, regular users.
In this post, we’re going to examine the GDPR’s set of laws and guidelines, and share some tips on how to use ExxTend Learning (EL) to ensure that your training program is GDPR compliant.
Let’s start with the two most important questions.
Who Should Care and Why?
Any company offering services to EU citizens or tracking EU citizens’ behavior (through online profiles, cookies, and other such means) is required to comply with the GDPR, regardless of whether or not it is an EU-based company. Non-compliance can result in fines of up to $20 million or 4% of the company’s annual turnover.
Here is some basic terminology you need to know:
- Processing: Practically anything a company might do with personal data (collection, organization, storage, adaptation, transmission, sharing, and so on).
If a company handles even a portion of an EU citizen’s data in any way, that qualifies as Processing.
- Data Controller: Companies that collect, store, or manage individuals’ data for some particular purpose (and that determine the means by which this collection takes place).
Your bank, for example, is a Data Controller. It collects your data to provide you with banking services. In general, a Business X acts as a Data Controller through its collection of the data of its employees or customers.
- Data Processor: A company that stores or processes user data on behalf of other companies (Data Controllers).
When company X uses ExxTend Learning to train its employees, it acts as a Data Controller, and ExxTend Learning is the Data Processor.
In other words, Data Controllers are companies that have a primary purpose to collect data, and Data Processors are companies that offer data processing, storage, etc. as a service to the first. The Data Processor cannot use the data it was trusted with for any other purpose than what the Data Controller contracted its services for.
So far so good! Just a few more things…
- Data Subject: A natural person — such as an ExxTend Learning User, Instructor, or Admin.
- Personal Data: Any information relating to a Data Subject such as name, email, online identifier, and so on.
- Consent: An informed and clear indication by a Data Subject that they’re okay with the specific collection and processing of their personal data. (e.g., deliberately clicking on an approval button after having read a detailed description of what your service provider is going to do with your data).
Alright, moving on…
Does the GDPR mean that you’re required to get an EU-hosted LMS?
No, not at all. The new regulation is not meant to hamper international Cloud service use by EU citizens — just to increase its privacy, security, and accountability. To that end, EU businesses are allowed to use LMS platforms hosted in any country, as long as that country (and those platforms) guarantee an EU-approved level of protection.
Is ExxTend Learning GDPR compliant?
OverNite Software, creator of the ExxTend Learning LMS, is fully aware of the GDPR requirements and restrictions and is compliant with the regulation.
The purposes and means of the processing of personal data related to end-users of the ExxTend Learning platform are determined by OverNite’s customers, who act as Data Controllers and must inform their end-users what is going to be collected, and how and why that data will be used.
In this scenario, OverNite plays the role of Data Processor by providing the use of the ExxTend Learning LMS platform (and tools within the platform) for GDPR compliance.
ExxTend Learning & GDPR Compliance
To be compliant with the GDPR in ExxTend Learning, the following major requirements should be met:
- Consent Management – Allow Administrators to ask for consent (the employee’s choice). (GDPR CH.2.7.1)
- Data Info Reporting & Correction – Allow employees to have easy access to all of their information and to modify their personal information when needed. (GDPR CH.3.2.1)
- Data Retention & Purging (Erasure) – Allow Administrators to control how long data is available. (GDPR CH 3.17.1c)
- Lawful & Limited “Required” Collection – Only require the essential information to create a user and an explanation of why the company requires this information to be entered. (GDPR CH 3.23.1)
- Privacy by Design (Data Blocking) – Allow data to be obtained only by Admins that need it and to obtain only the data they need. (GDPR CH 4.25.1)
ExxTend Learning’s Solutions for Compliance
The following ExxTend Learning features will assist you with GDPR compliance:
- Consent Management
Admins can create a course and assign it to their EU employees (due immediately). The course explains what data is being collected and why. A final test question allows the employee to give consent for the company to do so. At any time, employees can send an email requesting a withdrawal of their consent (GDPR CH 2.7.3).
- Data Info Reporting
Employees can run a My Training History Report to obtain their training history records. Users/Admins can go to My Profile in Classic Mode to view/edit/print their stored personal information. Additionally, Admins must ensure the “Enable Profile Editor” option has been selected in the User Settings of the company Configuration.
- Data Retention & Purging
A company Admin can request OverNite to purge old data from year XXXX and prior.
- Lawful & Limited “Required” Collection
ExxTend Learning currently only requires an Admin/User to enter a LoginID, Password, Status, First & Last Name, Title, and Country. No other data is required to set up a user account (employee).
- Privacy by Design (Data Blocking)
To go along with Limited Required Collection, Privacy by Design limits employee or Administrator access to data regarding other employees or individuals using our LMS. We limit access on a “group permission” basis, meaning whichever group an Administrator is in, they can only see employee data for that group and below. To further limit this, the only time an Administrator can view “special sensitive data” is when they have rights to the “User Manager”.
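As an added illustration (not ExxTend Learning’s own code), here is a minimal Python model of the two data-blocking rules described above: an Administrator sees only employees in their own group and the groups below it, and “special sensitive data” is returned only when the Administrator holds the User Manager right. The group tree, the employee records and the split between basic and sensitive fields are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed group tree: each group maps to its parent group (None = top level).
GROUP_PARENT = {"Corp": None, "EU-Sales": "Corp", "EU-Sales-FR": "EU-Sales", "US-Ops": "Corp"}

# Fields any Administrator in scope may see (the page's required fields plus group),
# versus fields treated here as "special sensitive data" (constructed split).
BASIC_FIELDS = {"login_id", "first_name", "last_name", "title", "country", "status", "group"}
SENSITIVE_FIELDS = {"email", "date_of_birth"}

# Constructed sample employee records.
EMPLOYEES = [
    {"login_id": "amartin", "group": "EU-Sales-FR", "first_name": "A.", "last_name": "Martin",
     "title": "Rep", "country": "FR", "status": "active",
     "email": "a.martin@example.com", "date_of_birth": "1990-01-01"},
    {"login_id": "jdoe", "group": "US-Ops", "first_name": "J.", "last_name": "Doe",
     "title": "Ops", "country": "US", "status": "active",
     "email": "j.doe@example.com", "date_of_birth": "1985-05-05"},
]

@dataclass
class Admin:
    group: str                      # group the Administrator belongs to
    has_user_manager: bool = False  # right needed to view sensitive fields

def in_scope(admin_group, target_group):
    """True if target_group is admin_group itself or a descendant of it."""
    g = target_group
    while g is not None:
        if g == admin_group:
            return True
        g = GROUP_PARENT.get(g)  # unknown groups simply fall out of scope
    return False

def visible_record(admin, record):
    """Subset of an employee record the admin may view, or None if out of scope."""
    if not in_scope(admin.group, record["group"]):
        return None
    allowed = BASIC_FIELDS | (SENSITIVE_FIELDS if admin.has_user_manager else set())
    return {k: v for k, v in record.items() if k in allowed}

def visible_employees(admin, records=EMPLOYEES):
    """All records the admin may view, each already filtered to permitted fields."""
    return [r for r in (visible_record(admin, e) for e in records) if r is not None]
```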