itslearning GDPR compliant by May 2018

Information to our customers about GDPR

The EU’s General Data Protection Regulation (GDPR), approved by the European Parliament in 2016, is the most important change within data protection regulation in 20 years. It replaces the Data Protection Directive 95/46/EC and local law and regulations across the EU/EEA. The new regulation is designed to strengthen the individual’s rights to privacy and harmonize data privacy laws across Europe.

itslearning has been committed to data privacy for nearly 20 years and welcomes the new regulation. We will do our part to ensure that all our customers are GDPR compliant by May 2018. There is a big, untapped potential in using technology and cloud services to improve teaching practices and learning outcomes. One of the keys to unlocking this potential is to earn the trust of teachers, students and parents. In this sense the increased focus on data protection and privacy due to GDPR will be beneficial for all parties.

itslearning GDPR Commitment

For an organization that is already compliant with current privacy regulations, GDPR is fortunately not a big step. At itslearning, our organizational and technical security is already designed with personal data protection in mind, and we constantly update our services and procedures to maintain the highest level of data security.

For the cloud services we provide to our customers and their end users, itslearning is what both existing and new EU regulation defines as a processor. As a processor we do not decide the purpose or lawfulness of the processing; we merely process data on our customers’ behalf. The GDPR imposes stricter requirements on all processors of data. We will fully comply with these requirements for all of our services, including itslearning, Fronter and SkoleIntra. At itslearning we have been working with GDPR for a long time, analysing the new regulation and making the necessary changes to our services, procedures and organization. In the coming months we will make available all documentation, contract addendums and procedures that you might need to prove your GDPR compliance. We expect to be fully compliant by Q1 2018 – well in time for the new regulations.

As a part of our commitment to GDPR you can expect itslearning to:

  • Ensure organisational and technical security for all services.
  • Help you with the documentation needed to demonstrate compliance and inform your users.
  • Provide you with new contract addendums that comply with GDPR’s requirements for Data Processing Agreements (DPA).
  • Provide the necessary support for you when your users are executing their data subject rights.

itslearning has appointed a Data Protection Officer (DPO) as defined under GDPR. Most of our customers will be required to appoint or contract a DPO as part of their GDPR compliance. In addition to monitoring our own compliance and providing advice and training to our own staff, our DPO will be available to our customers and their DPOs to discuss data privacy issues.

Contact details for our DPO:
John Arthur Berg
+47 55 23 60 70
[email protected]

What does GDPR require from you as a customer?

Most of our customers are already hard at work ensuring their compliance with the new GDPR regulations. The amount of work needed to be compliant depends on what type of organisation you are and what processes and policies are currently in place. If you haven’t already started working on your GDPR compliance, we recommend that you appoint a project team, assess your current situation and get legal advice in order to see what needs to be done.

In general, GDPR will require you to:

  • Document and assess all processing of personal data and the systems being used. The purpose and lawfulness of the processing should be defined and you should make sure you don’t process personal data that is not needed for the defined purpose.
  • Ensure the organisational and technical security of the processing, and be able to demonstrate it. Assess your internal processes for data retention and security, and document it. Ensure that your own technology can provide sufficient technical security, and document it.
  • When you are using third-party services, like ours, to process personal data, you need to make sure that the data processing requirements are compliant with GDPR.
  • When acquiring new technology that is likely to result in a high risk to personal data, you need to perform a risk analysis – a Data Protection Impact Assessment (DPIA). As an existing customer, our services are not new technology to you. But doing a DPIA might still be a good idea and will help you in documenting compliance.
  • Users (data subjects) have stronger rights under GDPR. Our customers will have to have a process in place for taking data subject requests, and for assessing the validity of the requests.
  • A particularly important data subject right is transparency and information. Make sure the information to your users on everything required under GDPR is easily accessible, including how they can exercise their rights. If your users are young, you should make sure this information is available to parents too.

Please note that many of these requirements are already in place under current regulations, so your organisation might already be close to compliant!

We will be updating this page as the project proceeds.

For general questions related to itslearning products and services, you can as always contact our support organisation. For contractual or commercial questions, please contact your account manager.

For specific GDPR-related questions from our customers, please contact our Data Protection Officer, [email protected] or call +47 55 23 60 70. Please note that any communication with our DPO must be in English or Norwegian.

FAQ (FOR CUSTOMERS)