of organizations worldwide are concerned that a failure to adhere to GDPR could have a major negative impact on their business. (Veritas, News Release 2017/04/25)
From the 25th May 2018, all companies operating in the EU will need to ensure that they are compliant with the new General Data Protection Regulation, or GDPR, a set of rules put in place to protect users’ personal data. Wherever you are based in the world, it is still important to know about GDPR, as this affects companies who conduct any business in the EU, not just those based in the region.
The new regulation will affect the websites and platforms we use every day, social media, online shopping sites, forums and newsletters, as well as our learning platforms. With 79% of organizations using a learning management system (Towards Maturity Benchmark Report Jan 2018), it’s vital that companies act sooner rather than later to ensure they are able to operate in compliance with GDPR.
The penalties imposed for failing to comply with GDPR can be up to €20 million or 4% of annual worldwide turnover, whichever is greater. It is crucial, then, that your LMS allows you to manage this significant business risk.
GDPR can seem complicated at first, so we have broken it down into the type of scenario that real organizations might encounter to put the new data protection rights into context. This is a must-read for anyone working in HR or L&D for an organization affected by GDPR, and will show why it’s so important to select an LMS that supports GDPR compliance.
The significant financial penalties should be a big enough motivator for most organizations operating in the EU. With massive fines for businesses found in breach of GDPR, non-compliance has the potential to put many companies out of business, making it absolutely essential that you comply with the new data protection rules. Cyber-attacks can cost businesses over $2.35 million per incident, and with the number and severity of data breaches increasing all the time, this is only going to become a bigger risk for organizations worldwide. Equally significant is the reputational damage that businesses will suffer following a data breach, as users choose to withdraw their custom from organizations that put their personal data at risk. This can be catastrophic for a company, and it can take years to recover its reputation, if it can recover at all.
1. THE RIGHT OF ACCESS
Alex has been taking a health and safety course on your LMS at your organization, Everglade Enterprises. They have been with the organization for five years, and want to know what data you hold about them. Under GDPR, the right of access means you must give Alex all of the information you hold about them, including training records, performance evaluations, management feedback and appraisal comments.
2. THE RIGHT TO RECTIFICATION
If Alex requests their data and notices that something is inaccurate or incomplete, they have the right to have this rectified within the system. For instance, if they can prove that they completed a course that is not showing up on the system, this must be updated accurately. If you have shared this data with a third party, you must also inform them of the rectification where possible.
3. THE RIGHT TO ERASURE
Alex has the right to request that all of their data is deleted from your system. However, not every request for erasure must automatically be complied with. For instance, Alex may request that their data is deleted if the data is no longer necessary for its original purpose and this should generally be granted, but a request for the erasure of data which is legally required, such as a record of compliance training, does not have to be granted.
4. THE RIGHT TO RESTRICTION OF PROCESSING
Under the right to restrict processing, your organization may store data, but not further process it. For instance, Alex may contest an assessment score stored in your LMS – in this case, you can keep this data stored in your system, but not process it further until the data has been either verified or amended.
5. THE RIGHT TO DATA PORTABILITY
This right means that if Alex wants to take the data they have given you and reuse it elsewhere, you must provide this data to them. This makes it easier for Alex to transfer their personal data between IT environments. For example, if Alex wants to use a third-party career planning website to analyze the skills they have acquired to date, they have the right to request the personal data you have stored about them at Everglade Enterprises for reuse in the other system. You must provide this data in a structured, commonly used and machine-readable format, such as a CSV file, which, ideally, your LMS could export automatically.
6. THE RIGHT TO OBJECT
Perhaps signing up to your LMS automatically registers users for marketing emails, whether they opt in or not. Under GDPR, Alex can object to having their personal data used for direct marketing, profiling or processing for research and statistics. This right must be presented to Alex at the point of first communication and in your privacy notice, meaning you will need to add explicit mentions of any other reasons for collecting personal data on your LMS.
7. THE RIGHT NOT TO BE SUBJECT TO AUTOMATED INDIVIDUAL DECISION-MAKING RESULTING IN DECISIONS HAVING LEGAL OR SIGNIFICANT EFFECTS
Yes, it’s wordy and unlikely in a learning context, but here is an extreme example for Alex. Let’s assume Alex has to keep their compliance training up to date as a condition of their employment. One year they fail to complete their compliance training on time and go overdue. An automated system in the organization terminates Alex’s employment. In this case Alex could challenge that decision and request human intervention, as the decision has a significant effect on them. It’s highly likely the organization would be forced to change this process.