GDPR has been in the news recently, and on the mind of companies that collect personal data via the Internet. We at Web Courseworks are in the business of helping national associations stand up an online learning business using our CourseStage learning management system. Consequently, we have been getting correspondence from our customers asking us to sign off on GDPR requirements. Yeeeeks! What is this all about? What are we agreeing to?
It turns out that even Internet giants are still figuring out what GDPR means. At Facebook CEO Mark Zuckerberg’s recent Senate hearing on privacy, an Associated Press photographer was able to snap a readable photograph of Mark’s talking points — and at the very bottom of the second page, they addressed GDPR. The media mostly paid attention to some digs at Apple’s Tim Cook in the notes, but we focused on what Zuckerberg planned to say about GDPR:
In case you’re having trouble reading that, the top line says, in boldface, Don’t say we already do what GDPR requires. That’s good advice, as GDPR might require quite a bit. GDPR stands for the General Data Protection Regulation. This updated regulation in the European Union will affect not only vendors in the European Union (EU) but those that have any ties with consumers from the EU. You may not think this is you, but making sure you are in the clear is worth your while. Penalties for violating the regulation could run to millions of dollars. The new GDPR goes into affect on May 25, 2018 and replaces the Data Protection Initiative of 95/46/EC.
The purpose of the GDPR is to protect consumer information in the EU. This law provides transparency to how consumer data is being used or not used. These consumers can speak up about concerns and have power to control where their information is going.
GDPR Key Components
CMS Wire’s article “An Introduction to the GDPR” explains the main components of this privacy protection law and what has changed from the previous Data Protection Initiative. Here’s a recap:
Consent
Organizations need to explain specifically what they will be doing with consumer information. For example, companies cannot have consumers fill out a content form and then use that information for marketing emails.
Breach
If a breach has happened, organizations must notify the appropriate party (this may include the consumer, law enforcement, etc.) within 72 hours of when the breach became known.
Rights
EU citizens have the right to know what is being done with their information. They also have the right to request their data (in an electronic format) and transfer it.
Privacy
This new legislation now enforces companies to be aware of the information they are gathering and careful about what they do with that information. Starting May 25th, consumers in the EU will have the power to control their personal information.
What US Companies Need to Know
Software as a service is among the many U.S industries that will be affected by this new legislation, according to Forbes. You may be wondering “what if we’re not targeting someone in the EU and they fill out a form?” This is a valid point! The regulations that those in the US must follow only applies to organizations that are specifically targeting someone that is a citizen of the EU, whether they currently live in the EU or not.
At Web Courseworks we’ve been happy to learn that, as a SaaS provider of learning platforms, GPDR considers us a Data Processor. Our clients’ identity management systems (such as association management systems and other ERPs) typically control the data opt-in/opt-out requirements, meaning that our clients are the Data Controllers.
In short, the Data Controller is the organization that decides to collect the users’ data, and the Data Processor is the organization that provides the technology to collect the data. Requirements—and liability—are different for Data Controllers and Data Processors. In the B2B world, that Data Controller vs. Data Processor distinction mostly maps to Client vs. Vendor.
Unfortunately for Mark Zuckerberg, it looks like Facebook is both a Controller and a Processor. At the hearing, Zuckerberg carefully stuck to his talking points about GDPR. The fact that he made sure to devote a large part of his two pages of talking points to the regulation shows that GDPR is definitely on Facebook’s mind.
Cyber-privacy is a growing concern throughout the eLearning industry. For more information on how to stay secure within your learning management system, check out our “Security Awareness Tips for an LMS administrator” blog post!
