Countdown to GDPR
What do you need to know about GDPR before it hits L&D? Richard Hyde, E-Learning Consultant at Learning Pool, tells us why GDPR is important how it will impact the L&D world.
Data is beautiful but at risk
With our incessant desire to capture and store more and more personal data comes a growing headache – how to protect it from being stolen and used for unscrupulous means? If you don’t fully appreciate the scale of global data breaches, check out the World’s Biggest Data Breaches which shows it in a visually beautiful (if slightly shocking) way.As well as only showing losses greater than 30,000 records (so there are likely to be many more smaller losses) two other things stand out:
- data breaches are growing exponentially year on year, and
- most are due to third party hacking.
The Internet has given us access to wonderful, personalised experiences from the comfort of our desks but it has also exposed us to criminals who want to steal our personal data for their own ends. The Data Protection Act (DPA) 1998 has stood the test of time but it isn’t robust enough to deal with the modern networked world we live in.
That’s where the General Data Protection Regulation (or GDPR) comes in.
The GDPR is here to help, at a cost
The GDPR will apply in the UK from 25 May 2018. This date will not move so put it in your diary. It’s a huge change, and many commentators are calling it the most significant legal shake up for decades. But it’s long overdue, which probably accounts for the scale of change it will introduce.
“GDPR is the biggest legal change of the digital age.” Mark Lomas, Capgemini
It will put the UK data protection rules more or less in line with the rest of the EU (don’t worry, we’ll talk about Brexit later).
It will introduce higher fines for non-compliance (and breaches) as well as allowing employees to have more say in what an organisation can do with their data. If you’re interested, the fines will be huge – non-compliance or breach penalties will be up to £17 million. Needless to say, this has caused a flurry of activity in IT circles of late.
Digging a little deeper, the GDPR applies to ‘controllers’ and ‘processors’ of data:
- the controller – says how and why personal data is processed
- the processor – does the actual processing of the data.
New rights for individuals will also be introduced by the GDPR (and existing rights under the DPA will be strengthened):
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling.
So if you’re currently subject to the DPA, it is likely that you will also be subject to the GDPR.
Our data is secure already, isn’t it?
You may have asked this question already and received the answer ‘Hmm, we’re working on it’. Unfortunately there are some nasty surprises ahead for nearly 50% of global organisations, as a study by Veritas shows .
“Our study indicates that a whopping 47 percent of organisations globally have major doubts that they will meet this impending compliance deadline.” – Veritas
That’s not great news, but it gets worse. A recent report by Netskope found that almost 75% of cloud services still lack key capabilities needed to ensure compliance with the GDPR . So if your organisation stores its enterprise data with a third party, there are more potential woes there.
GDPR and L&D
Let’s think specifically about the impact on L&D and see if 2018 will be any rosier for us learning professionals.
The focus for learning and development is likely to be the learning management system (LMS), as this stores the most bytes of personal data for your learner population.
If you host an LMS, the GDPR will mean that:
- you must acquire explicit and unambiguous consent from your learners for the use of their data (and for a specified period of time)
- any learner will have the right to request a copy of all data held on them, including an explanation of how this data is used and if third parties have access
- any learner may request that their data profile is passed to another data processor (allowing data portability if they change organisation)
- any learner will have the right to withdraw consent and request that data be deleted when it is no longer needed.
Also, bear in mind that an employee will be able to claim compensation for any damage caused by infringement of the GDPR.
Some LMS suppliers have plans in place to support the new ‘rights’ listed above, but consent for the capture of data lies with you as the administrator of the system. Our LMS will actually go further and help with the compliance of rights by having an automated versioned system in place to track acceptance of the rights and it will detail how the system deals with your data.
Brexit will not be soft on GDPR
The burning question is ‘Will Brexit kick GDPR into touch?’ Alas, no. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. It will form part of UK law following the country’s withdrawal from the European Union . Some post-Brexit changes to the GDPR will be inevitable but the impact on organisations will be essentially the same. For instance the name might change so if you are commissioning content to support the rollout, it’s a good idea to make sure you can edit the material without any fuss or cost.
In general though, we should all stay calm and carry on with our GDPR preparations for May next year.
Is it time to panic?
Not yet, but there are some immediate recommendations below:
- carry out an information audit – document what personal data you hold in your L&D systems, where it came from and who you share it with
- speak to your LMS supplier – find out what are they doing to manage learner consent and allow personal data to be deleted and converted to a format that enables it to be transferred to another system (at Learning Pool we are ISO 27001 certified which matches up with the stringent security requirements that will be applicable when GDPR is in place)
- be wary of new experts – the deadline of May 2018 has spawned a wave of ‘experts’ desperate to help you prepare for GDPR and line their pockets in the process, so be cautious
- find your DPO – many organisations are appointing or upskilling Data Protection Officers (DPOs) to help enforce and manage the GDPR so find out if you have one
- use the Information Commissioner’s Office (ICO) – the ICO has prepared a useful 12 step guide and has promised a helpline for small businesses .
- check out the Learning Pool GDPR modules available in our new compliance catalogue. Not everyone will need the same level of knowledge so we’ve designed content around a range of users with different needs
So keep calm and make a plan for the GDPR before the countdown ends.
If you’d like to find out more about Learning Pool’s GDPR training suite, sign up for a trial.
1. World’s Biggest Data Breaches
2. Overview of the General Data Protection Regulation (GDPR)
3. Worldwide Climate Of Fear Over GDPR Data Compliance Claims Veritas Study
4. Majority of enterprise cloud services still not ready for GDPR
5. GDPR will change data protection – here’s what you need to know
6. GDPR and Brexit: UK Government unveils Data Protection plans
7. Preparing for the General Data Protection Regulation
8. ICO announces more help for small and micro businesses
Got a learning problem to solve?
Get in touch to discover how we can help