Recent Facebook and YouTube scandals have brought data privacy questions even more into the limelight than they were previously. Many companies are also scrambling to prepare for the General Data Protection Regulation (GDPR), the European Union’s new data protection law, which will go into effect on May 25, 2018. But what is GDPR, and what does it have to do with training?
The GDPR replaces the EU’s 1995 Data Protection Directive and was approved in 2016 to protect the data of EU citizens and residents. The most significant change it makes is that it applies to companies regardless of location, if they process any personally identifiable data of citizens or residents of the EU. “Personally identifiable data” (the regulation itself says “personal data”) is, basically, any data that someone could use to identify someone – including name, email address, social security number, IP address or a combination of data, like first name, job title and employer. Companies not in compliance with GDPR by May 25 can be fined up to 4 percent of annual global turnover or €20 million, whichever is greater.
GDPR includes several individual rights, including the right to access and the right to be forgotten (companies must, upon request, erase all of an individual’s personal data from their systems). Additionally, organizations “whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data” must appoint a data protection officer (DPO) and follow certain internal recordkeeping requirements.
GDPR does provide for exceptions to be made in certain circumstances; for example, it will likely not require an employer to delete all of a current employee’s data, since that would make it impossible to effectively manage or train the employee.
Nick Howe, chief learning officer of Area9 Lyceum, notes that while GDPR arose out of consumer privacy concerns, due to its language, it also covers individuals as employees – including your organization’s internal learners as well as any customers or partners your company trains.
There are two types of organizations responsible for data privacy under GDPR: the “data controller,” which Howe describes as a company that owns the data (e.g., an employer), and the “data processor,” or a company that manages the data (e.g., an e-learning vendor). In some cases, a company will be both a data controller and a data processor (like Facebook).
How to Be Compliant
Eric Klotz, legal counsel at CallidusCloud, calls GDPR “the most significant EU-wide change to data protection laws in over 20 years.” Here’s what you need to know to make sure you’re compliant.
First, before May 25, audit your data. What data do you collect, where are they stored, who has access to them and what business purpose do they serve? Did users provide consent for you to collect and use their data? The answers to these questions will inform your compliance strategy.
The next step is to provide GDPR training to employees, with continuous reinforcement after the law takes effect. “Organization-wide, awareness-level privacy and information security training is a worthwhile and prudent exercise” regardless of whether the GDPR applies, points out Charlie Voelker, legal compliance solutions manager at Skillsoft. “But for those employees who have reason to come into contact with personal information, the GDPR makes essential strategic, job-specific training that combines a thorough review of the GDPR’s main provisions with the corporate policies and procedures that underlie the company’s standards for using data.”
Don’t “let the less obvious things fall through the cracks,” says Hannah Stewart, communications manager of Pro-Sapien Software. Do your European learners comment on articles in your e-learning platform? Make sure they know their rights under GDPR. Does your LMS use automated emails to send messages to training managers or instructors? Edit their content “to instead provide a link back to the system record that someone is being notified about, so that access to personal data can be controlled.” Daniele Baudone, chief information security officer at Docebo, notes that leaderboards, enterprise social media systems and other learning portals will be covered by GDPR as well.
Stewart adds that images and video – used increasingly in training – are protected under GDPR if an individual can be identified in them, and Baudone anticipates an increased use of stock photos, since employees have the right to have their photos removed from LMSs upon leaving the company.
Follow practices such as encrypting stored data, so that if someone obtains a copy of your LMS database or its backups, for example, the contents are unreadable without the keys; this only helps if the keys are kept somewhere the same attacker cannot reach. Tokenization, Howe says, is also an option; here, you can use a “token” identifier instead of an email address or other personally identifiable data, with the mapping from token back to person held in a separate, more tightly controlled store. Of course, you’ll still need to make sure that the combination of the other fields is insufficient to identify the individual: first name, job title and employer together can single someone out just as surely as an email address.
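As an added illustration of the tokenization approach and its caveat (this is example code written for this article, not code from any vendor named above), the script below replaces direct identifiers in a small, constructed learner export with keyed HMAC tokens, keeps the token-to-person mapping in a separate “vault”, and then checks whether the fields left behind (job title and employer, here) still single anyone out. All names, addresses and employers are invented; the key would in practice come from a secrets store, not a constant.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample learner export (hypothetical people and employers).
LEARNERS = [
    {"email": "a.smith@example.com", "first_name": "Alice", "job_title": "Engineer",
     "employer": "Acme", "course": "GDPR-101", "score": 92},
    {"email": "b.jones@example.com", "first_name": "Bob", "job_title": "Engineer",
     "employer": "Acme", "course": "GDPR-101", "score": 78},
    {"email": "c.lee@example.com", "first_name": "Carol", "job_title": "CFO",
     "employer": "Acme", "course": "GDPR-101", "score": 85},
    {"email": "d.kim@example.com", "first_name": "Dan", "job_title": "Engineer",
     "employer": "Globex", "course": "GDPR-101", "score": 64},
]

# Fields that name a person directly; they are moved out of the LMS table.
DIRECT_IDENTIFIERS = ("email", "first_name")


def make_token(email: str, key: bytes) -> str:
    """Deterministic pseudonym for an email address, computed as HMAC-SHA256.

    A keyed MAC is used rather than a plain hash: with a plain hash an attacker
    holding a list of likely addresses could recompute every token and undo the
    tokenization. The key must live outside the LMS database.
    """
    normalized = email.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def tokenize(records, key: bytes):
    """Return (tokenized_records, vault).

    The vault maps token -> direct identifiers and is meant to be stored in a
    separate, more tightly controlled system, so the LMS table alone cannot
    name anyone.
    """
    vault = {}
    tokenized = []
    for rec in records:
        token = make_token(rec["email"], key)
        vault[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        tokenized.append({"token": token,
                          **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return tokenized, vault


def singled_out(records, quasi_ids, k: int = 2):
    """Return the quasi-identifier combinations shared by fewer than k records.

    Such a combination (e.g. the only CFO at Acme) identifies a person even
    though no email address or name is present, so tokenization alone has not
    de-identified those rows.
    """
    counts = Counter(tuple(r[f] for f in quasi_ids) for r in records)
    return {combo: n for combo, n in counts.items() if n < k}


def erase(tokenized, vault, token: str):
    """Right-to-erasure helper: drop both the vault entry and the learner's rows.

    Removing only the vault entry would be insufficient when the remaining
    fields still single the person out, as singled_out() shows.
    """
    vault.pop(token, None)
    return [r for r in tokenized if r["token"] != token]


if __name__ == "__main__":
    key = b"replace-me-with-a-key-from-a-secrets-store"
    rows, vault = tokenize(LEARNERS, key)
    print("Tokenized rows contain no direct identifiers:",
          all("email" not in r and "first_name" not in r for r in rows))
    print("Still identifiable by (job_title, employer):",
          singled_out(rows, ("job_title", "employer")))
    print("Still identifiable by (job_title,) alone:",
          singled_out(rows, ("job_title",)))
```

In the sample data two learners are the only person with their job title at their employer, so a leaked table of tokenized rows would still reveal who scored what; the fix is to generalize or drop the offending fields before the data leaves the controlled environment, and to re-run the check whenever a new field is added to the export.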
Make sure European learners know their GDPR rights; for example, it may be a good idea to add a message on your LMS login screen letting learners know they can request their data or ask to be forgotten. “Gaining unambiguous consent,” says Alexis Riley, a project manager at High Speed Training, “is an important element” of GDPR. Make sure individuals know why you are collecting their data, and if you plan on using them for a different purpose, get their explicit permission.
Personalized learning is becoming an important strategy, and Baudone says that “while GDPR will likely have little impact on your algorithm if it aggregates numbers outside of the identity of the person who generated them, one risk area is the data that’s combined with other data in a way that it may go beyond the consents given in an employee contract. For example, if the personalization establishes a ‘remedial’ learning path, it could not be used as evidence to deny anyone promotion or as part of a disciplinary procedure.” Of course, ensuring that personalized learning is not used in this way is a best practice regardless of GDPR.
If you’re outsourcing any of your training such that the vendor or vendors have access to any learner data, talk to them to make sure they are GDPR-compliant. “There is a requirement that the end-to-end ecosystem has to be compliant,” Howe says. “So it’s not just the vendor, it’s not just the L&D organization or the company. It’s the combination of those.”
Above all, know who your DPO is, and follow his or her advice. “Secure the buy-in of everyone in the company to the idea that the proper use of personal information is foundational to the organization’s operations,” Voelker adds. “Rather than viewing the GDPR as an impediment to the business, the law should be considered a roadmap for the legal and ethical use of personal information in furtherance of the company’s objectives.”
This article is provided for informational purposes and does not constitute legal or financial advice of any kind. If you have questions about issues related to the topics raised in this article, consult a qualified professional.