The European regulation on the protection of personal data (GDPR) comes into effect on 25 May 2018. In most companies the IT and legal departments are preparing for that date, and Dokeos is no exception. Here is a brief overview of what it means for the training department.
The protection of personal data is not a new topic. The GDPR does, however, introduce some significant new elements:
- 1 / The harmonisation of rules at the European level, most notably the requirement that companies have the tools to track their data processing. It will now be mandatory throughout Europe to know when and how data was collected, recorded, stored, transferred and deleted.
- 2 / The obligation to inform users of the specific purpose for which the data concerning them is used. Where processing relies on consent (one of several lawful bases under the GDPR), data collectors must obtain the express consent of the individuals concerned.
To meet this obligation, Dokeos is adding clear statements at all the key stages of data collection and processing (account creation by the platform administrator, account activation by the learner, etc.).
GDPR and LMS: how to build accountability
Companies that use personal data about their employees must now establish that the data is collected for a specific, appropriate and relevant purpose. They also undertake to hold data that is accurate and up to date, kept only for the required period, identifiable for each individual concerned and protected against any unauthorised processing.
Individuals who have consented to the use of their data may change their mind and ask the data controller to correct it (right to rectification) or to delete it without undue delay (right to erasure, also known as the right to be forgotten).
Every individual who handles data in an LMS must be aware of their responsibilities and of the risks incurred in the event of non-compliance with data protection rules. To promote this awareness, Dokeos is preparing a contract amendment for its customers in which the GDPR is put into context.
Data traceability and technical documentation for procedures
The GDPR also aims to take all possible situations into account. To do this, the procedures for every stage of data processing must be documented: creation, enrichment, modification and deletion.
Imagine a learner asking their training manager to delete their data. The technical documentation must specify the list of persons authorised by the employer to delete the data, the different places where the data is stored (including copies held by third parties) and the procedure for deleting it from each. It will also specify the period within which Dokeos must make this operation possible, and the procedure for deleting, or expiring, any backups that still contain the data.
It is also important to be able to trace the data flow to third parties, be they partners with whom the Dokeos LMS is interfaced or the customer’s HRIS.
Objective: 100% encrypted
The GDPR also calls for stronger data encryption. The aim is that in the event of a security breach an attacker who obtains the stored data, or a backup of it, cannot read it: without the keys the data is unusable. This only holds if the encryption keys are stored and managed separately from the data they protect; an attacker who compromises the running application and its key material can still read whatever the application can. Encryption at rest is therefore a complement to, not a substitute for, application security, which is why we also plan to increase the frequency of penetration tests to further reduce the risk of breaches, an inherent risk for any application delivered in SaaS mode.
The Regulation gives the supervisory authority the power to impose fines of up to 4% of a company's annual worldwide turnover or €20 million, whichever is greater. As a supplier, Dokeos is responsible for the data each customer entrusts to it about their staff. This responsibility is not new. What changes are the rights of the user: the right to withdraw consent, the right to erasure and the right to portability, i.e. the right to have the data they provided transferred to another data controller.
Encryption, procedures, technical documentation, software enhancements, contract amendments: compliance with the GDPR has been one of Dokeos' key priorities for several months. Do not hesitate to contact us if you have any questions.