GDPR Could Limit Data Use in eLearning—and Drive Innovation

Among the hottest topics in the industry these days is usingdata to improve learning, performance, and succession. Adaptive learning,personalization, xAPI, learning record stores, machine learning—so many tools canhelp customize the learningexperience. The arguments in favor of using these tools arestrong, especially given how successful targeting and personalizing data hasbeen in marketing, which has utilized these techniques for years. Just as many learningand development (L&D) teams were getting the hang of usingdata in eLearning, though, GDPR took effect. How GDPR,Europe’s General Data Protection Regulation, will affect data use in eLearning,and how L&D should respond raises many questions—as well as potentiallyspurring positive developments.

Companies’ use of data came under intense scrutiny followingrevelations of misuse of Facebook data by Cambridge Analytica. The timing ofthis scandal, right before the full implementation in late May of GDPR,highlighted the reasoning behind the law: An individual should own the dataabout her/himself.

For business leaders looking to expand their use of data toadvance learning objectives, it is worth keeping in mind the potential pitfallswhile crafting a data plan and data policies to ensure that the letter andspirit of the law, and employee trust, are protected.

Note: Nothing in this article should be interpreted as legaladvice. Seeking professional legal counsel on GDPR compliance is stronglyadvised.

Among the provisions of GDPR are a few top-level concepts:

1. Who owns an individual’s personal data?
2. Portability of personal data
3. What personal data will be collected, why, and howwill it be used?

Who owns an individual’s personal data?

The answer to the first question is clear andconcise: The individual owns her/his own data. 

Portability of personal data

Learners should be able to transfer datacollected in a learning program to another system, potentially at anothercompany.

This goes counter to how most US companies operate. While managersapplaud talent development and career pathing, ultimately, it is the businessrequirements and business objectives of the company that govern employment andadvancement decisions. In most cases, ownership of data about employees,including certifications, performance reviews, promotion histories, etc., lieswith the company—not the employee.

On the subject of eLearning, LinkedIn and companies likeUdemy are making strides, as they make it possible for individual learners torecord and share their certifications. This creates a kind of centralized LMS,either replacing or supplementing the records held by an employer. According tothe Bureau of LaborStatistics, the average Baby Boomer worked about 12 jobsbetween the ages of 18 and 50. With job changes likely to become more, notless, frequent, the need for employees to own their learning histories andcredentials is increasingly clear. Yet most employers do not have the means (orwillingness) to provide learning histories to their employees when they leave. Article20 of the GDPR, which pertains to data portability, couldspur changes in that approach.

Collection and use of personal data in eLearning

It might beuseful to regard GDPR as a wise guide, rather than an enforcer. Article 5,Section 1, states that personal data shall be “collected for specified,explicit, and legitimate purposes and not further processed in a manner that isincompatible with those purposes.” Combined with Article 25, pertaining to dataprotection by design and default, GDPR’s regulations may protect the eLearningindustry from pitfalls experienced by marketers.

Over theyears, marketers became enamored of data—the more the better. Among the massiveamounts of data collected, many great insights are gathered—but also a plethoraof data that will not be used, that is not necessary, and that is not directlytied to the original reason for collecting the data. In the world of GDPR, thismust change.

Corporations—andeLearning professionals within those businesses—need to ask, “Is what we’remeasuring and tracking really necessary for what we are explicitly trying toachieve?” Viewed through the lens of talent development and future talent gaps,this does create limitations on the collection and use of personal data ineLearning.

GDPR requires that there be a specific, pre-determinedreason to request or track information. This purpose, and the planned use ofthe information, must be disclosed prior to collection. Learners must consentto the collection of data. In addition, safeguards need to be in place to ensurethat information is used only in the ways disclosed at the time the employee optedin to the tracking or data collection. Note that some countries haveadditionally restrictive policies around the collection and use of data,especially if it can be traced to a known person, so caution and legal advice arecritical.

With these caveats, L&D teams should collect only theminimum data needed for a defined purpose—and use it solely for that purpose.

While these limitations could inhibit some personalizationof eLearning, if the eLearning developer clearly explains why particular datais collected and how it would enhance the learner’s experience, the data collectioncould be acceptable to many learners. Prior intent and disclosure are the keys.

Looming issues with data portability

As an industry,it might be time to work toward consensus—a common standard for portability—amongSCORM, AICC, and xAPI.L&D professionals need to think about the technology eLearning employs andhow it supports data portability. GDPR also requires the ability to beforgotten—the right to ask companies to delete personal data; therefore technologymust support that requirement.

Portability,combined with data ownership, requires a shift in approach from internaltracking systems within companies to, potentially, connected solutions wherebyindividual employees have ownership and responsibility for the maintenance oftheir own learning records throughout their careers, no matter where they work.Credentials or certificates would need to be validated by an employer or hiringcompany; blockchainoffers a possible model. In theory, this could return the role of the L&Dprofessional to one of strategy and real leadership versus record keeper andadministrator. Or it could encourage employees to remain with a company thatmanaged their information for them as an employee benefit.

The era ofportability has its share of open issues: Executives must consider whether thesharing of specific employee data, such as what courses they’ve taken or theirscores on assessments, could reveal proprietary information. The possibilitythat companies could focus on recruiting talent from rivals simply to gainaccess to data about how people are trained, onboarded, developed, and promotedcannot be discounted. Nor can the potential for companies to reverse-engineercompetitive information, based on newly obtained employee learner data.

Concerns onthe L&D plane include whether justification exists (and is provided tolearners) for how data will be used and why that information is needed toachieve stated aims. Processes are needed for making and approving thesedecisions, as well as for determining who has access to data that has beencollected. Additional procedures are needed to ensure that data collected forone purpose is not used for a different purpose or shared with unauthorizedparties, even within the company.

Deciding what data to collect

Creating policies and procedures around data collection,security, and portability is an ideal opportunity for greater synergy between L&D and the C-suite.

These teamscan work together to identify the metrics that the executive team cares aboutand what data is needed to return those numbers. Whereas L&D sometimes getscaught up in registrations and completions, time viewed, frequency of consumingcontent, or learner evaluations of a course, these are not metrics that supportdigital transformation or improved business efficiencies. Neither is engagement(however one defines it) a business metric, so that doesn’t move theconversation forward.

Partneringwith business unit leaders to understand what metrics they have to report oncan reveal the data points that, it would seem, companies can legitimately requestto capture and process. This is also where the use of data to deliver anadaptive learning experience is justified. In this scenario, the data andrelated learning are directly tied to business outcomes. Personalization isn’tdone because it can be done. Rather, personalization is done because it needsto be done.

To get atthese dual-purpose metrics, L&D teams can ask:

1. What are the business outcomes that need to be achieved?
2. What are the metrics that define success?
3. What metrics show baseline status?
4. What key performance indicators (KPIs) will demonstrate progress?
5. How will those KPIs be used to personalize continued eLearning?
6. Who will have access to the data collected?
7. How will portability or right-to-be-forgotten requests be met?

Approaching data gathering with clear goals could reduce theways that GDPR feels like a brakeon data use in eLearning—and increase the ways it feels like a trigger for innovation,improvements that will benefit companies and employees alike.