In the two years since the May 25, 2018 enforcement date of GDPR, the General Data Protection Regulation, organizations have had to adjust their practices for capturing and storing data, disclosing what information will be collected and why, and being transparent about how that data will be used. This law provides protections for individuals in the European Union (EU) or European Economic Area (EEA) regarding their PII, or Personally Identifiable Information, and explicitly references employers.

Yet, in conversations with a range of individuals throughout the learning ecosystem—from instructional designers to learning strategists to learning management system administrators—few were aware of, or believed, that the provisions of GDPR applied to what they do.

Fact: GDPR provisions do apply to L&D

Among those who have confronted this firsthand is Nancy McMonigal, director, Life Sciences & Healthcare, at Bluewater Learning. She shared that “organizations, especially in Germany, cannot add Google Analytics to their LMS or other systems, as a direct result of GDPR.” Many learning professionals use the Google Analytics tracking code in their learning management systems—yet this could be a violation of the law.

What other common tools might also require disclosure or possibly be discontinued? YouTube videos and TED Talks might require a second look. Make sure your learners have opted in and understand that information is being collected, not only within the LMS and your company… but also by these third parties, and possibly by additional external parties. For example, many websites include a “Facebook pixel”—your own company’s website very well might. Do your learners know what data is being collected, why, and how it will be used? If you are promoting or requiring consumption of this content, liability and responsibility for any violations of the GDPR terms could extend to your company.

What about courses developed specifically for your company?

Well, do you have any assessments? Are you keeping track of the answers? Or what about length of time in a course, or where people click, or the history of answers? What about the many data points now being collected via xAPI?

To stay within the boundaries of GDPR, be transparent about what you are measuring and how, ask employees to opt in, and only use the data collected in the way that you said you would. It is tempting, once you have data, to want to evaluate additional potential trends or insights. However, as Anna Rose Leach, a graduate teaching associate and PhD student at the University of Arizona and formerly a senior data analytics and reporting analyst at The Ohio State University, points out, “Once you start looking beyond the delivered analytics and look at intention, you change the intention of the data.”

In other words, once you go beyond what you explicitly disclosed as your purpose in collecting the data, you have violated GDPR. That is, once you start assigning a new meaning and purpose—a “why”—to the data, you’ve gone beyond what the individual consented to share. Put simply, when the data is used for a different analysis than the one first disclosed, the law has been broken.

Data removal

Under the terms of GDPR, one can request that one’s PII be purged from a company’s records. Boris Khazin, head of GRC (Governance, Risk, and Compliance) services for the Business Information Solutions Practice at EPAM, laments that the “deletion of data is the big fear of businesses.”

Companies run on data, and learning has been feeling the pressure to increase its reliance on data as well. Learning, together with HR, is using data to inform decisions and promotions and to develop learning paths that align with business performance. Yet when data must be removed, it skews the results and could lead to poor decisions based on incomplete data sets.

Having a plan for managing such data removal is imperative, beyond the physical removal of the data from the LMS itself. Historical data, historical reports, differences of new reports versus older reports as a result of deleted data—these all need to be taken into account.

Learning also needs to consider the provision in Article 22(1) limiting “automated decisions” that result in “significant effect[s] on individuals.” Employment opportunities fall squarely within this limitation. When building out learning paths and adaptive learning, we need to be careful that these won’t prevent a person, or those not placed into a particular path, from being considered for promotions or retention. Human design of the paths upfront is not considered sufficient… and using artificial intelligence to make course recommendations entirely on its own would likely be suspect.

Work from home

In 2020, with the rapid transition to work from home and remote work due to the COVID-19 pandemic, learning professionals have had a leading role in upskilling or reskilling employees to adapt to this new situation. Among the many competing priorities of this transition is helping employees understand how critical it is to comply with GDPR requirements and how to effectively do so.

Many of the issues at stake were handled simply by security procedures in offices, from locks on doors to the work of the IT department. Now, with remote employees, there are significant new risks and requirements to be managed by all employees at all levels of the organization.

The GDPR.EU website notes:

Recital 83 essentially stipulates that personal data must be protected both in transit and at rest. Data is in transit pretty much any time someone accesses it. The data passing from this website’s servers to your device is one example of data in transit. On the other hand, data at rest refers to data in storage, like on your device’s hard drive or a USB flash drive.

The two keys to maintaining data protection when your teams are all working remotely are encryption and controlling access.

Many eLearning courses have been deployed, addressing issues such as using the company Virtual Private Network (VPN), two-factor authentication, and regular password changes. Have as many, though, been developed addressing issues beyond these technology steps?

“The orientation of an employee’s screen when working from home can easily result in a GDPR violation,” noted Mr. Khazin. For example, “What if there is someone else in the house who not only can see PII data on the screen, like scores on a learning assessment, and then that housemate takes a photo and, worse, posts it on social media. Perhaps the data is just in the back of a selfie—but it constitutes a clear violation of GDPR.”

Should we be worried?

Litigation pre-COVID includes Google being fined over $68.4 million for GDPR violations in Belgium, Sweden, and France. Yet it is not only huge companies facing fines. Fines have been applied to an individual for posting a video on YouTube which contained license plates.

The GDPR.EU website specifically addresses working from home and states that employees need to be trained to comply with the regulation in this new environment. The pandemic does not excuse noncompliance. Professionals in all parts of learning and development need to help everyone in the company understand what’s at stake and how to comply.

For example, working from home (WFH) courses need to cover:

  • How to protect and later destroy printouts containing employee data
  • What can and cannot be saved or accessed on a shared home computer or device
  • Whether one should download or save, even temporarily, reports or any employee data to a home or personal device
  • Company policies on remote wiping of devices, including when the device is a personal or family device
  • How secure the data from video conferencing tools is, including any integrations with an LMS, chat downloads, and recording and/or posting, and how to honor any future request by someone to be forgotten

Conclusion

GDPR has had a significant impact on how companies collect and use data. It also has helped individuals focus on their own data privacy concerns and made organizations more intentional about what data they collect and why. With the increased capture and use of data by learning teams comes the increased responsibility to be transparent about what data will be collected, how it will be used, and how it will be safeguarded. With remote work affecting so many, learning professionals are center stage in training employees not only to be compliant, but also to become safe data practitioners and advocates.

Let’s see what the next two years will bring.
