The EU’s General Data Protection Regulation (GDPR), approved by the parliament in 2016, is the most important change within data protection regulation in 20 years. It replaces the Data Protection Directive 95/46/EC and is designed to give users back control of their data and harmonize data privacy laws across Europe. This will protect and empower all EU citizens’ data privacy and reshape the way organizations across the region approach data privacy. All companies doing business with individuals located in the EU must comply with the provisions.
As the provider of Europe’s largest learning platform, with more than 20 years’ experience working with many of Scandinavia’s and Europe’s leading education institutions, we are taking all necessary steps to comply with GDPR, well in time for the new regulations in May 2018.
We are fully committed to complying with the privacy and security regulations which are applicable to our organization, our partners and our customers. Our system and services are designed from the ground up to protect personal data, and we constantly update our platforms and services to maintain the highest level of data protection.
Our work towards GDPR compliance started in early 2017 with a complete audit against the legislation, which defined the milestones needed to comply with the new regulations.
The following customer-facing milestones have been identified:
- Appointment of a Data Protection Officer – Q3 2017
- Update documentation with new processes regarding the usage of personal data and the security measures around it – Q4 2017
- Implement the technical solutions to comply with GDPR – by start of year 2018
- Update customer and third-party Data Process Agreements – end of Q1 2018
- Internal control processes in place to ensure that we will continue complying and improving after the 25th of May and onward
What does it mean for you?
As an itslearning customer, it means that during the start of 2018 you will get the information necessary to feel confident that itslearning complies with GDPR. itslearning, as a processor of data, has the duty to provide information about our systems to allow all controllers to comply with the new regulations.
If you are an itslearning user, it means that we will take all the necessary measures to protect your data and that you will be able to find out what information we have about you.
As a service provider we welcome the GDPR as a great opportunity for our organization to re-assess digital strategy and build better services for our customers. All our clients and customers can be assured that we will fulfill all our obligations, both in regard to developing our system solutions and in regard to storing and protecting personal data according to the new regulations.
Will GDPR require us to get consent from all of our users (or their parents)?
For most of our customers, no. Under GDPR, consent is only one of six lawful bases for processing data. Our customers need to choose the lawful basis that most closely reflects the true nature of the relationship between them and their users. For most of our customers, consent would not be the most appropriate lawful basis for the processing. For many of our customers, the lawful basis for processing would be related to tasks performed in the public interest or to their legal obligations.
Can itslearning use personal data for their own purposes?
No. Both currently and under the new GDPR regulation we can only process data on direct instructions from our customers. The data is yours, and only a handful of itslearning staff have access to personal data, under strict confidentiality and security. We can only process personal data independently if it is vital to the integrity or security of the service, or to analyse or evaluate the quality of the service provided.
What kind of information are we obligated to provide users about the personal data processing?
The right to transparency and information to the users (or their parents) is strong under GDPR. Information you need to make easily available may include:
- Identity and contact details of the controller / controller’s representative
- The contact details of the Data Protection Officer
- The purpose of the processing and the legal basis for processing the data
- Any intentions to transfer personal data to a third country (outside EU/EEA) and what safeguards have been put in place, and means of obtaining a copy of it.
- The period for which the personal data will be stored, or criteria that determine the period.
- The data subject’s rights (Access, rectification, erasure, etc.)
- The right to lodge a complaint with the supervisory authority
- Where the data originates from
- Any use of automatic decision making/profiling.
Can any of our users now require us to delete their data (AKA the “right to be forgotten”)?
Probably not. A user can only require their data to be deleted if the lawful basis of the processing is consent (see above) or if the original purpose or lawfulness is no longer valid. Our customers will have to have processes in place to carefully evaluate data subjects’ requests for their data to be deleted. You can contact our Data Protection Officer for advice in difficult cases. If a data subject is granted the right to be deleted, itslearning will, either through our software or our support services, be available to help execute the data subject’s rights.
Can our users now require us to give them a copy of all their personal data?
To some extent, yes. All your users now have strong rights to transparency, information and data access. Any data subject can exercise their rights by requesting a copy of all their personal data, as long as it doesn’t adversely affect others, or if this data isn’t already available to them. However, this is not an absolute right; other laws might require you to protect the data subject, or others, from accessing certain types of information. You will need to carefully evaluate these requests under GDPR against rights and obligations in other regulations. You can contact our Data Protection Officer for advice in difficult cases. If a data subject is granted the right of access, itslearning will, either through our software or our support services, be available to help execute the data subject’s rights.
Can a user (e.g. student, parent, teacher) contact itslearning directly to exercise their rights under GDPR?
No. Under GDPR, the data subject’s (user’s) rights are exercised between the data subject and the controller (our customers). Any data subject requests from end users to itslearning will be handed over to the customer. itslearning will cooperate in good faith with customers to ensure they can fulfil the rights of the data subjects in a prompt manner.
When does itslearning delete personal data?
itslearning deletes personal data when instructed by our customers, or if the contract between us and the customer is terminated. The procedures around deleting customer data upon termination of service should be provided in writing or in a Data Processor Agreement.
An instruction to delete a user in our services can either be manually performed in the platform by a customer representative, automatically performed through an integration with a student administrative system (or similar) or upon request to our support organisation.
When users are deleted in our systems, there are safeguards in place to prevent errors leading to an irreplaceable loss of data. In many cases customers will have to manually confirm the deletion of customer data, including personal data.
Does itslearning have to notify users if they have been affected by a data breach?
Do I need to appoint a Data Protection Officer?
In many cases, yes. You are required to appoint a DPO if you:
a) Are a public/government institution
b) Process certain types of sensitive data on a large scale
c) Carry out processing that involves large-scale monitoring or surveillance
Please note that it is the organisation, not the system, that needs a DPO. In many cases, your organisation might already have a DPO. The DPO can be a contracted role. Many government institutions offer DPO services to other institutions.
Can I require a cloud service provider, like itslearning, to only host personal data in my country?
One of the main objectives of the new GDPR is the free flow of personal data inside the European Economic Area (EEA), under one common regulation. In most cases, restricting vendors from processing data across the EEA would not be permitted under GDPR.
Does itslearning process data outside the EEA? Is it allowed to process data outside the EEA?
For most of our European customers, itslearning processes all personal data inside the EEA. There are some exceptions in cases where itslearning facilitates optional integration to 3rd party non-EEA based tools or services. In these cases, both itslearning and our customers must follow the requirements set out by GDPR.
I have heard that itslearning is not secure enough under GDPR! Is this true?
GDPR does not set out detailed requirements for what constitutes a “secure” cloud-based service. It is the joint responsibility of our customers (controllers) and itslearning (the processor) to provide appropriate organisational and technical security for personal data processed, and be able to demonstrate it. The main change from current regulations to GDPR is a strengthening of liability for organisations that do not provide appropriate security.
For two decades, itslearning has successfully protected the processing of personal data of millions of users. However, past performance is not always indicative of future results. So, we continuously invest in organisational security, network and infrastructure security, and application security to ensure we can offer security beyond what is appropriate for our end users. We also regularly allow 3rd parties to audit our security, and we welcome our customers to perform their own audits.
Like most software companies, itslearning does not go into detail about the security measures in place. But the safeguards and processes in place to protect against known threats include:
- Application security, such as encryption of all traffic, strongly hashed passwords, and safeguards against vulnerabilities such as cross-site scripting, SQL injection, phishing and others.
- Network security: firewalls and systems to detect suspicious behaviour, to stop malicious attempts to gain access, or to prevent compromise of the resilience of the service (e.g. DDoS attacks).
- Organisational security, like access policies, audit logs and confidentiality agreements.
- Physical security to ensure the prevention of unauthorized access to infrastructure processing personal data.
- Procedural security – IT management processes to minimize the risk of human error, testing regimes to identify software weaknesses before releasing new features to our cloud services, and policies to ensure data is only processed on instruction from our customers.
Where does itslearning obtain personal data about users?
itslearning does not independently obtain user data for our services. User data can either be manually submitted to the platform by customers’ representatives, imported through an integration with a third-party system, or in some cases entered by the users themselves.
Most commonly, personal data in itslearning comes from “student information systems” under the control of our customers. We only import data from third-party systems on the instruction from our customers.
Does itslearning send data to 3rd parties?
Does GDPR impact US customers or US end users?
But itslearning offers, for the most part, the same services and the same level of security to our US customers as to European customers. US customers will benefit from itslearning’s approach to, and culture for, securing personal data under GDPR. The fundamental principles of European personal data protection are part of our fabric and of the contractual commitment we offer to our US customers.