Posted by Jessica D'Apice on 31 May 2018 02:06 PM
On May 25th, 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. If you are located within the European Union, or provide service to or store data for any users located within it, then you are subject to the GDPR requirements. Below, we’ll review some key points of the GDPR that you need to know and how our software can help you comply.
Note that the GDPR is not technical in nature: it does not regulate firewalls, encryption, security, or other technical aspects of our software or networks. Rather, it is organizational, defining requirements for disclosure and transparency: you (the “controller” of the users’ data) must communicate to your users what data you collect from them and how you will (or will not) use it. In short, GDPR is a regulation for you, while we provide the functionality within the software that allows you to meet the GDPR requirements in the areas that the software deals with.
While all the following features are available in our software or soon will be, this is not legal advice and we cannot answer questions regarding GDPR and your business; your own legal counsel is the only appropriate source of advice on your specific situation and your compliance with GDPR.
Consent to Process Users’ Data
Under Article 6, you need a “lawful basis” to process a user’s data. Lawful basis can be established by receiving the user’s consent; therefore, you should use the “User Agreement” feature. In accordance with GDPR, describe there what data you’re collecting from the user and what you plan to do with it, along with any other GDPR disclosures that may be required (such as contact information for data deletion or corrections). It would be best to consult with your legal counsel to review the GDPR requirements and determine everything that you will need to include here to be compliant.
Shortly, a new feature will be available that, if you choose to activate it, will force users who have not self-registered (those that were created by administrators or imported from data files or Active Directory) to accept the User Agreement upon their first login to the software.
Special Types of Data
Article 9 defines special categories of data that come with additional requirements for you as the controller and, in certain cases, for us as the processor. Special categories include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, and any data concerning a user’s sex life or sexual orientation.
Because these special categories are not related to learning or content mastery, we will soon be removing from the software any user fields that collect this information and shall not allow any user-defined fields to be created that attempt to collect it.
Right to Deletion
Under Article 17, users have the right to erasure (“right to be forgotten”). Should a user request that they be deleted, simply delete their user account; all records related to that user are then permanently deleted.
Be sure that you have provided users with appropriate contact information where they can request deletion of their data. Typically, this would be in the User Agreement mentioned earlier.
Shortly, a new feature will be added that, if you choose to activate it, will allow users to delete themselves. If you do not need to comply with GDPR or would rather users contact you for deletion, you may leave this feature turned off.
If you have any questions regarding these features or others that may be required to comply with GDPR, please contact our Support Staff by visiting http://support.icslearninggroup.com and submitting a support ticket.