Everything You Need To Know About GDPR Compliance For Your LMS

HOW WILL GDPR AFFECT MY LMS?

1. THE RIGHT OF ACCESS
Alex has been taking a health and safety course on your LMS at your organization, Everglade Enterprises. They have been with the organization for five years, and want to know what data you hold about them. Under GDPR, the right of access means you must give Alex all of the information you hold about them, including training records, performance evaluations, management feedback and appraisal comments.

2. THE RIGHT TO RECTIFICATION
If Alex requests their data and notices that something is inaccurate or incomplete, they have the right to have this rectified within the system. For instance, if they can prove that they completed a course that is not showing up on the system, this must be updated accurately. If you have shared this data with a third party, you must also inform them of the rectification where possible.

3. THE RIGHT TO ERASURE
Alex has the right to request that all of their data is deleted from your system. However, not every request for erasure must automatically be complied with. For instance, Alex may request that their data is deleted if the data is no longer necessary for its original purpose and this should generally be granted, but a request for the erasure of data which is legally required, such as a record of compliance training, does not have to be granted.

4. THE RIGHT TO RESTRICTION OF PROCESSING
Under the right to restrict processing, your organization may store data, but not further process it. For instance, Alex may contest an assessment score stored in your LMS – in this case, you can keep this data stored in your system, but not process it further until the data has been either verified or amended.

5. THE RIGHT TO DATA PORTABILITY
This right means that if Alex wants to take the data they have given you and reuse it elsewhere, you must provide this data to them. This makes it easier for Alex to transfer their personal data between IT environments. For example, if Alex wants to access a third-party career planning website to analyze their current skills to date, they have the right to request the personal data you have stored about them at Everglade Enterprises for reuse in the other system. You must provide this data in a structured, commonly used and machine-readable format, such as a CSV file, which, ideally, could be exported automatically by your LMS.

6. THE RIGHT TO OBJECT
Perhaps signing up to your LMS automatically registers users for marketing emails, whether they opt in or not. Under GDPR, Alex can object to having their personal data used for direct marketing, profiling or processing for research and statistics. This right must be presented to Alex at the point of first communication and in your privacy notice, meaning you will need to add explicit mentions of any other reasons for collecting personal data on your LMS.

7. THE RIGHT NOT TO BE SUBJECT TO AUTOMATED INDIVIDUAL DECISION-MAKING RESULTING IN DECISIONS HAVING LEGAL OR SIGNIFICANT EFFECTS

Yes, it’s wordy and unlikely in a learning context but here is an extreme example for Alex. Let’s assume Alex has to keep their compliance training up-to-date as a condition of their employment. One year they fail to complete their compliance training on time and go overdue. An automated system in the organization terminates Alex’s employment with the organization. In this case Alex could challenge that decision and request human intervention in the decision as it has a significant effect on them. It’s highly likely the organization would be forced to change this process.