Wyzed and GDPR

Posted May 25th 2018

Introduction

Enforcement of the European Union’s (EU) General Data Protection Regulation (GDPR) rules came into effect on May 25, 2018. While there’s a ton of info available about GDPR itself, it’s important as a Wyzed administrator to know how your learning system could be impacted by this unprecedented data privacy regulation.

Simply speaking, if any of your learners (employees, partners, and customers) are located in the EU, you’ll have to make sure that any data collection and processing activities performed within your system comply with the regulation, even if your organization isn’t based there. Non-compliance comes with a big price tag, so we're here to help make GDPR compliance easy and effective.

Wyzed is fully aware of the GDPR requirements and restrictions and will be fully compliant with the regulation when it comes into effect on May 25. We’ve also implemented the mechanisms necessary to make our customers’ GDPR compliance as simple as possible.

What is the purpose of the GDPR?

The GDPR’s purpose is to strengthen the rights of EU citizens with regard to how their personal data is used and how it’s protected. The legislation introduces robust requirements that elevate and harmonize standards for data protection, security, and compliance across the EU.

Personal data is any information that relates to an identified or identifiable natural person (data subject), such as:

- name
- identification number
- location data
- online identifier (such as an IP address or a cookie identifier)
- other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person

Data Controller vs Data Processor

The data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The data processor is the natural or legal person, public authority, agency or other body that processes data on behalf of the controller.

The purposes and means of processing any personal data relating to end-users of Wyzed are defined by you, the customer organisation operating the learning system (in practice, your system administrator). You are therefore the Controller and must inform end-users of what data will be collected and how it will be used.

Wyzed is considered a Processor, as we are providing the use of the learning system, and a means by which our customers can collect their users’ data. Wyzed’s customer data processing activities are detailed in our Privacy Policy, which is designed to comply with the requirements of GDPR.

What does the GDPR specify for data controllers?

GDPR raises the standard for disclosures when obtaining an end-user’s consent, which must be “freely given, specific, informed and unambiguous” (Article 4(11)).

The request for consent must use clear and plain language (Wyzed allows you to add your own Privacy Policy to sign-up pages) and be presented in a way that is “clearly distinguishable from other matters” (Article 7(2)); it cannot be buried in general terms and conditions, and a pre-ticked box does not count as consent. As a data controller, you must be able to demonstrate that consent was given (Article 7(1)) wherever data subjects are asked to share personal information to access your learning system, so keep a record of what was agreed to, by whom, and when.

While familiarizing yourself with the ins and outs of this unprecedented data privacy legislation is paramount, it’s just as important to understand how these changes affect your learning system.

Among the many new rights for data subjects in GDPR, the following will apply to your learning system and you should know them well to ensure your compliance (and to avoid the big fines that come with non-compliance):

The right of access: Data subjects have the right to obtain confirmation that their personal data is being processed, a copy of that data, and enough information about the processing (purposes, recipients, retention period) to verify its lawfulness. For example, if one of your learners has been taking courses with you for years and suddenly wants to know what information your learning system holds about them, you must provide that learner with all data you’ve collected about them (such as training records or performance evaluations), normally within one month of the request (Article 12(3)).

The right to rectification: If a learner notices that their personal data is inaccurate or incomplete, they can require you to correct or complete it. As the data controller, you must give the learner a way to have the data corrected. If the data has been shared with a third party, you must also inform that third party that the data needs updating (Article 19).

The right to be forgotten (erasure): Data subjects can have their personal data deleted when there is no compelling reason for you to continue processing it, for example when the data is no longer needed for the purpose it was collected for, or when they withdraw the consent the processing was based on. There are exceptions: you may keep data you are legally required to retain, or that you need to establish or defend legal claims (Article 17(3)). We've provided a method for learners to withdraw their consent and request that their data be deleted; this is explained in more detail below.

The right to data portability: Data subjects can obtain the personal data they have provided to you and reuse it for their own purposes across different services, moving or copying it from one IT environment to another without hindrance. The right covers data processed by automated means on the basis of consent or a contract (Article 20). If a learner asks for their data in order to reuse it elsewhere, you must provide it in a structured, commonly used and machine-readable format (such as a CSV file); it can be exported directly from the Wyzed system.
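As an added illustration (this is not Wyzed's code; Wyzed's own export runs inside the product), here is a Python sketch of what a subject-access or portability export should and should not contain. The user store, record layout and field names are constructed for the example and are not Wyzed's schema. Two details matter in practice and are easy to get wrong: credentials and session tokens are never exported even though they are technically personal data, and every value written to the CSV is neutralised against spreadsheet formula injection, because the file will be opened in Excel by someone.

```python
import csv
import io
import json
from typing import Dict, List

# Constructed sample data standing in for an LMS user store. The field names are an
# assumption for this example, not Wyzed's schema.
USERS: Dict[str, dict] = {
    "u-1001": {
        "name": "Ada Example",
        "email": "ada@example.org",
        "country": "IE",
        "privacy_policy_accepted_at": "2018-05-25T09:14:00Z",
        "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$ZmFrZWhhc2g",
        "session_token": "3c1d8f0e-constructed-session-token",
    },
    "u-2002": {
        "name": "Bob Example",
        "email": "bob@example.org",
        "country": "DE",
        "privacy_policy_accepted_at": "2018-05-26T11:02:00Z",
        "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$b3RoZXJzYWx0$b3RoZXJoYXNo",
        "session_token": "7a9b2c4d-constructed-session-token",
    },
}
TRAINING_RECORDS: List[dict] = [
    {"user_id": "u-1001", "course": "Anti-bribery 2018", "completed_at": "2018-03-02", "score": 92},
    {"user_id": "u-1001", "course": "Data protection basics", "completed_at": "2018-04-11", "score": 88},
    {"user_id": "u-2002", "course": "Anti-bribery 2018", "completed_at": "2018-03-03", "score": 75},
]

# Credentials and session material are left out of every export. The package leaves the
# system (e-mail, download), and a leaked hash or token is a break-in, not just a disclosure.
# Keeping the exclusion list explicit lets you defend it if a subject asks why.
EXCLUDED_FIELDS = {"password_hash", "session_token"}


def build_package(user_id: str, users: Dict[str, dict] = USERS,
                  records: List[dict] = TRAINING_RECORDS) -> dict:
    """Collect everything the system holds about one learner, grouped by record type."""
    if user_id not in users:
        raise KeyError(f"unknown data subject {user_id}")
    profile = {k: v for k, v in users[user_id].items() if k not in EXCLUDED_FIELDS}
    # Exact match on user_id only: a looser filter (prefix, substring) would put other
    # learners' records into this subject's package, which is itself a breach.
    own_records = [{k: v for k, v in r.items() if k != "user_id"}
                   for r in records if r["user_id"] == user_id]
    return {"data_subject": user_id, "profile": profile, "training_records": own_records}


def defuse_cell(value):
    """Neutralise spreadsheet formula injection. A learner-supplied value such as
    '=HYPERLINK("http://...")' executes when the CSV is opened in Excel or LibreOffice,
    so string cells that start with a formula trigger are prefixed with a quote."""
    if isinstance(value, str) and value[:1] in ("=", "+", "-", "@", "\t", "\r"):
        return "'" + value
    return value


def rows_to_csv(rows: List[dict]) -> str:
    """UTF-8 CSV text with a header row; columns come from the first row's keys."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: defuse_cell(v) for k, v in row.items()})
    return buf.getvalue()


def package_to_csv(package: dict) -> Dict[str, str]:
    """One CSV file per record type, as a filename -> contents mapping."""
    files = {"profile.csv": rows_to_csv([package["profile"]])}
    if package["training_records"]:
        files["training_records.csv"] = rows_to_csv(package["training_records"])
    return files


def package_to_json(package: dict) -> str:
    """The same package as a single JSON document, for systems that prefer it."""
    return json.dumps(package, indent=2, ensure_ascii=False)


if __name__ == "__main__":
    pkg = build_package("u-1001")
    for name, text in package_to_csv(pkg).items():
        print(f"--- {name}\n{text}")
    print(package_to_json(pkg))
```

The exclusion list is the part to review with your legal team: the hash and token are excluded on security grounds, and that reasoning should be written down alongside the export procedure so it can be given to a subject who asks why their package is not literally everything.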

The right to object: GDPR gives data subjects the right to object to the use of their personal data for direct marketing (an absolute right), and to processing based on legitimate interests or a public task, including profiling and processing for research or statistics. That means you must give LMS users a way to opt out of marketing communications whenever you request their personal data. That right must be clearly presented the first time a user is asked for personal information and set out in your privacy policy, which also needs to state explicitly any other purposes for which you collect personal data in your learning system.

The right not to be subject to automated individual decision-making resulting in decisions having legal or similarly significant effects: Any decision based solely on automated processing that significantly affects an individual is prohibited unless it falls under one of the three exceptions in Article 22(2): it is necessary for a contract, it is authorised by law, or it is based on the data subject’s explicit consent. For example, a learner is required to keep their compliance training up to date as a condition of their employment with your company. When the certification comes up for renewal, your system detects that the learner has not completed the training, and this could result in termination of their employment. Under GDPR, the learner can contest that decision and request human intervention (Article 22(3)), since it has significant implications for their life. A safe design is for the system to flag the lapse and leave the employment decision to a person.

Good Privacy Practices

The GDPR also introduces the concepts of ‘Privacy by Design’ and ‘Privacy by Default’ (the regulation itself calls them data protection by design and by default, Article 25).

Privacy by Design holds that organizations need to consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data.

Privacy by default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy-friendly ones.

Breach notification is a separate obligation. Controllers must report a personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). If the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be notified (Article 34). A processor, which is Wyzed’s role here, must notify the controller without undue delay after becoming aware of a breach (Article 33(2)), since the controller’s 72-hour clock starts when it becomes aware.

GDPR and Children under 16

The GDPR treats children’s personal data with special care. Where processing is based on consent and you offer your learning system directly to children, the consent of a child under 16 is only valid if it is given or authorised by the holder of parental responsibility (Article 8). Member states may lower this age to as low as 13, so check the rule that applies in each country where you have learners. Wyzed provides a means by which to ask a user upon signing up if they are under the age of 16, but it does not provide a means of obtaining parental consent. Obtaining this consent is the responsibility of the data controller, and you will need to implement procedures to ensure it is obtained before a child joins your learning system, or before you create an account on behalf of a child.

How Wyzed Can Help You to Comply

We want to make it as easy as possible for you, as the data controller, to comply with the GDPR. We provide you with three simple mechanisms:

Adding your Privacy Policy
The first thing to do is to create your own privacy policy; we can then add acceptance of it as a requirement when a user creates an account via one of your sign-up methods. We can provide you with a privacy policy template to help you get started here.

Enabling your users to access and control their data
Wyzed provides your users with the ability to access and update their personal data. They are able to see when they agreed to the Privacy Policy, and they are able to withdraw their consent and subsequently request that their account data be deleted. As the data controller, you will be notified of the user's request and you will have time to prevent the deletion if you decide you have reasonable grounds to retain the data (for example a legal retention obligation).


Age checking for children under 16
We can add an "I am under the age of 16" checkbox to each of your sign-up methods so that you are notified by email when a person under the age of 16 joins your learning system. Note that this relies on the learner's own declaration; it is a trigger for your parental-consent procedure, not a proof of age.
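The withdraw-consent, notify-the-controller, delete-after-a-grace-period flow described under "Enabling your users to access and control their data" can be modelled as a small state machine. The following Python is an added example of that flow and is not Wyzed's implementation: the user store is constructed, and the 14-day grace period is an assumption (the page does not state Wyzed's window). It shows the three properties a practitioner should check for in any such workflow: the controller is notified the moment consent is withdrawn, a hold must record its ground, and erasure leaves behind a tombstone that proves the request was honoured without retaining the learner's personal data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

# The page says the controller "will have time" to stop a deletion but does not state the
# window; 14 days is an assumption for this example.
GRACE_PERIOD = timedelta(days=14)


class Status(Enum):
    PENDING = "pending"    # consent withdrawn, erasure scheduled
    HELD = "held"          # controller recorded a ground for continued retention
    DELETED = "deleted"    # personal data erased, only a tombstone remains


@dataclass
class ErasureRequest:
    user_id: str
    requested_at: datetime
    due_at: datetime
    status: Status = Status.PENDING
    hold_reason: Optional[str] = None


class ErasureQueue:
    """Consent-withdrawal and erasure workflow over a constructed, in-memory user store."""

    def __init__(self, users: Dict[str, dict]):
        self.users = users                    # deletion really removes entries here
        self.requests: Dict[str, ErasureRequest] = {}
        self.notifications: List[str] = []    # stands in for the controller's e-mail inbox
        self.tombstones: List[dict] = []      # proof of erasure that holds no personal data
        self.audit: List[str] = []            # accountability trail (Article 5(2))

    def withdraw_consent(self, user_id: str, now: datetime) -> ErasureRequest:
        if user_id not in self.users:
            raise KeyError(f"unknown data subject {user_id}")
        if user_id in self.requests:
            return self.requests[user_id]     # idempotent: a repeat click does not reset the clock
        req = ErasureRequest(user_id, now, now + GRACE_PERIOD)
        self.requests[user_id] = req
        self.users[user_id]["consent_withdrawn_at"] = now.isoformat()
        self.audit.append(f"{now.isoformat()} {user_id} withdrew consent; erasure due {req.due_at.isoformat()}")
        # The controller decides whether a retention ground applies, so they are told at once.
        self.notifications.append(f"Learner {user_id} withdrew consent; their data will be erased on "
                                  f"{req.due_at.date()} unless you place a hold before then.")
        return req

    def place_hold(self, user_id: str, reason: str, now: datetime) -> ErasureRequest:
        req = self.requests.get(user_id)
        if req is None:
            raise KeyError(f"no erasure request for {user_id}")
        if req.status is Status.DELETED:
            raise ValueError("data already erased; a hold cannot be placed after the fact")
        if not reason.strip():
            raise ValueError("a hold must record the ground for continued processing")
        req.status, req.hold_reason = Status.HELD, reason
        self.audit.append(f"{now.isoformat()} hold on {user_id}: {reason}")
        return req

    def process_due(self, now: datetime) -> List[str]:
        """Erase every pending request whose grace period has elapsed; return the ids erased."""
        erased = []
        for req in self.requests.values():
            if req.status is Status.PENDING and now >= req.due_at:
                del self.users[req.user_id]
                req.status = Status.DELETED
                # Keep a hash of the internal id plus timestamps: enough to show the request
                # was honoured, while the name and e-mail disappear with the record.
                self.tombstones.append({
                    "subject_hash": hashlib.sha256(req.user_id.encode()).hexdigest(),
                    "requested_at": req.requested_at.isoformat(),
                    "erased_at": now.isoformat(),
                })
                self.audit.append(f"{now.isoformat()} erased {req.user_id}")
                erased.append(req.user_id)
        return erased


def demo() -> ErasureQueue:
    """Constructed walk-through: one learner is erased, the other is held by the controller."""
    users = {
        "u-1001": {"name": "Ada Example", "email": "ada@example.org"},
        "u-2002": {"name": "Bob Example", "email": "bob@example.org"},
    }
    q = ErasureQueue(users)
    t0 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    q.withdraw_consent("u-1001", t0)
    q.withdraw_consent("u-2002", t0)
    q.place_hold("u-2002", "statutory duty to retain safety-training records", t0 + timedelta(days=3))
    q.process_due(t0 + timedelta(days=1))    # nothing is due yet
    q.process_due(t0 + GRACE_PERIOD)         # Ada erased, Bob retained
    return q


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

Running the script prints the audit trail for the two learners. In a real deployment the tombstone table and the audit log are what you would show a supervisory authority; note that the audit log in this sketch still names the internal user id, so it should be subject to the same retention limits you apply to the rest of your logs.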

As with all of our customers, we are more than happy to work with you over voice or video chat. Please get in touch with our team today to arrange an appointment.


Disclaimer

Although we have made all attempts to ensure the accuracy of the information we provide, it cannot be considered legal advice and further clarification should be sought to ensure your organisation's compliance with local and international regulations.