GDPR, or the General Data Protection Regulation, is set to be enforced later on 25th May 2018, with those organisations who are not yet compliant facing huge fines.
Anyone who deals with EU organisations probably feels as though they can’t escape the constant talk about GDPR at the moment.
There’s plenty of information available about GDPR itself, but it’s also important to understand how this change will affect you and your learning platforms.
We’ve put together some scenarios to show how each of the new rights might apply in practice – and don’t forget that if you use Totara Learn, our new Totara Learn 11 release is designed to make GDPR compliance as easy as possible.
1. The right of access
Alex has been taking a health and safety course on your LMS at your organisation, Everglade Enterprises. They have been with the organisation for five years, and want to know what data you hold about them.
Under GDPR, the right of access means you must give Alex all of the information you hold about them, including training records, performance evaluations, management feedback and appraisal comments.
2. The right to rectification
If Alex requests their data and notices that something is inaccurate or incomplete, they have the right to have this rectified within the system. For instance, if they can prove that they completed a course that is not showing up on the system, this must be updated accurately.
If you have shared this data with a third party, you must also inform them of the rectification where possible.
3. The right to erasure
Alex has the right to request that all of their data is deleted from your system. However, not every request for erasure must automatically be complied with.
For instance, Alex may request that their data is deleted if the data is no longer necessary for its original purpose and this should generally be granted, but a request for the erasure of data which is legally required, such as a record of compliance training, does not have to be granted.
4. The right to restriction of processing
Under the right to restrict processing, your organisation may store data, but not further process it.
For instance, Alex may contest an assessment score stored in your LMS – in this case, you can keep this data stored in your system, but not process it further until the data has been either verified or amended.
5. The right to data portability
This right means that if Alex wants to take the data they have given you and reuse it elsewhere, you must provide this data to them. This makes it easier for Alex to transfer their personal data between IT environments.
For example, if Alex wants to access a third-party career planning website to analyse their current skills to date, they have the right to request the personal data you have stored about them at Everglade Enterprises for reuse in the other system.
You must provide this data in a structured, commonly used and machine-readable format, such as a CSV file, which, ideally, could be exported automatically by your LMS.
6. The right to object
Perhaps signing up to your LMS automatically registers users for marketing emails, whether they opt in or not.
Under GDPR’s right to object, Alex can object to having their personal data used for direct marketing, profiling or processing for research and statistics. This right must be presented to Alex at the point of first communication and in your privacy notice, meaning you will need to add explicit mentions of any other reasons for collecting personal data on your LMS.
7. The right not to be subject to automated individual decision-making resulting in decisions having legal or significant effects
Yes, it’s wordy and unlikely in a learning context but here is an extreme example for Alex:
Let’s assume Alex has to keep their compliance training up-to-date as a condition of their employment. One year they fail to complete their compliance training on time and go overdue. An automated system in the organisation terminates Alex’s employment with the organisation.
In this case Alex could challenge that decision and request human intervention in the decision as it has a significant effect on them. It’s highly likely the organisation would be forced to change this process.
HR Guide to GDPR
As you can see, there’s a lot for L&D and HR teams to get their heads around. That’s why we have collaborated with Deloitte to put together an HR guide to GDPR to help you ensure that your learning platforms will be compliant from 25th May 2018.
Or get in touch if you have questions about Totara Learn 11 and how it supports GDPR.
Legal disclaimer: The opinions and recommendations in this blog post should not be construed as legal advice. Totara recommends that entitles subject to legislation seek legal counsel from qualified sources.
