GDPR made easy, taking care of your users’ data on your e-learning platform
By Daniel Ribes, Senior PHP Developer, at Actua Solutions
The GDPR is the European regulation to regulate the protection, processing and circulation of personal data that any company in the European Union or having business activities in an EU country has to comply with.
Surely your company has already adopted measures and procedures to manage it, but the GDPR especially affects e-learning platforms because of the amount and types of data they collect from users.
For this reason it is important to be clear about how our e-learning platform manages it, so that the procedures required by this legislation do not become a headache.
What are we facing? The GDPR defines 3 categories of data:
- Personal data
- Special category data
- Personal data of a criminal nature
And it regulates 8 rights of users with their data:
- Right of access
- Right of rectification
- Right of opposition
- Right to suppression (to be forgotten)
- Right to limitation of processing
- Right to portability
- Right not to be subject to automated individual decisions
- Right to information
As you can imagine, it is easy for the e-learning platform to collect a lot of data from the first category “Personal Data”, since this is the group of data that allows identifying a physical person: name, email, telephone, ID number, employment information, academic information, etc. Data that usually make up what we call the “user profile”.
But how is this data handled beyond the functional use of the platform? And especially how are users’ rights guaranteed with their data?
This is a very important aspect because it is basically on which the RGPD is based and if we do not have it well resolved we expose ourselves not only to administrative sanctions for not complying with the legislation, but also to the enormous volume of work that can be generated manually by the processes that guarantee these rights.
A user can usually access his/her profile on the platform, view his/her data and make changes (right of access and right of modification).
But is it easy to suppress them? (right to be forgotten) Do you have the option to refuse collection? (right to information and right to object).
In a common case, a user may request a file with all the data stored on the platform (right of access and right of portability), this not only affects the user’s profile data, but also components that add functionality to the platform, such as evaluation activities, comments in the forums, etc. Is the platform prepared to generate this file?
Usually, when evaluating an e-learning platform, we only think of the functional characteristics strictly related to learning: content, follow-up, reports, training plan, performance evaluation, etc. But is the platform prepared to easily handle all user requests regarding the processing of their data? It should be.
An elearning platform such as Totara, aimed at the corporate world, offers solutions that combine a high degree of customization with the possibility of automation that helps us save work related to GDPR.
Site Policies. Inform the user of his rights.
The first thing is to inform the user of their rights, what data will be collected and how it will be used.
This is done with the site policies, an informative page that is presented to the user. Totara makes it easy for us to create one or multiple site policies depending on the needs of our organization. Each policy can have one or more confirmations from a user and these can be reviewed in the user’s profile.
Any new policy or modification will be shown to the user the next time he/she logs in to the platform, in order for him/her to give his/her consent, otherwise the session will be closed.
Totara also allows users to change their decision and re-consent or withdraw consent on any of the policies that apply to them.
This gives total ease to the platform administrators and guarantees users the right to information and the right of opposition.
Management of “Privacy Policies” in Totara, in this example we see different versions that have been used at different times, and with up to 5 different languages (Translations column).
Access and modify.
Once the user has accessed the platform, in his user profile he can view and modify the basic personal data that Totara collects, but also in his profile is where he has access to a section of user data that shows a report of all types of data that are collected through all Totara’s features and the amount of these.
In this section a user can see how many forum contents he appears in or how many SCORM tracking records exist for him. The user has the autonomy to access and consult it so that without any intervention on our part we already resolve the rights to information, access and modification.
Export and delete.
As soon as the platform stores a user’s data, the user, exercising his or her right to portability, can ask us to export all of his or her data. Or if, for example, an employee leaves our organization, he/she can even ask us for a data purge, i.e. a complete deletion of his/her data by exercising his/her right to be forgotten.
Both processes can involve significant administrative work if the platform we use does not have it well solved. Totara allows us to easily customize and automate these two processes.
In the case of data export, we have the user data export type functionality with which you can configure how this export will be performed, alternatively we can also configure it so that in the user’s profile there is an option to request this export, in this way the user will have the autonomy to request the export.
When the export is performed, which due to the volume of data is not immediate, Totara generates a ZIP file containing a structured JSON with all the data, which is made available to the user during the next 5 days after the request.
In the case of data deletion, the operation is similar, Totara allows us to define the type of data purge, the scope it will have and automate when it will occur. For example, automatically when a user is put in suspended mode, or when he/she is removed from the platform.
All these processes are easily configurable from Totara’s administration options.
Detail of the creation of a “data export type” in which Totara allows us to define exactly the type of data export that we make available to the user.
Someone has to manage all this.
Applying the RGPD there must be in our organization the figure of the DPD (Data Protection Delegate) someone responsible for ensuring that the correct processes are applied and that attends to user requests. For example, who ensures that a data export request and its subsequent download by the user is fulfilled.
In Totara, an administrator user can be configured with access roles to these functionalities, who assumes these tasks and is in charge of configuring the export and purge types and deciding the data process that is available to the user, as well as auditing the requests received and their status.
No friction for anyone.
In short: the implications of the GDPR may go unnoticed until the moment a user decides to exercise their rights, at which point the facilities we have in our elearning platform can mean the difference between having a serious administrative problem or not having to worry about hardly anything.
If we cannot attend correctly to our users’ requests or if we have to manually solve some processes, we will cause friction in the use of our platform.
Having these processes solved in the way Totara does it gives us more peace of mind and becomes one of those key features to take into account, which at first are almost invisible, but in the medium and long term they make our life much easier and give peace of mind to our Compliance department.