The GDPR is Coming, and it’s a Good Thing
Whether you live in the European Union (EU) or not, you’ve probably heard about the GDPR by now. It stands for the General Data Protection Regulation and it is designed to strengthen and unify data protection for individuals in the European Union. It will go into effect on 25 May 2018, and at that time all companies or individuals who are either established in the EU or who handle personal data related to individuals in the EU either to offer those individuals goods or services or to monitor their behaviour (including their online behaviour) will need to be compliant with the regulation. The GDPR outlines a whole new set of digital rights, and EU companies and companies doing business with individuals in the EU must recognize these rights.
If you would like to learn more about the GDPR, the EU has provided an excellent resource site outlining the protections for individuals and how to attain compliance with its requirements.
So, what is Echo360 doing to be compliant with the GDPR? The good news is that our existing data protection procedures were already strong and in line with the GDPR guidelines. However, we are implementing a few additional measures to ensure compliance and support all our users globally. We’ll take a brief look at each of these steps below.
Data Protection Officer
Echo360 has appointed Charlie Bassham, our VP of Engineering, as our Data Protection Officer (DPO). In his role overseeing the development of the Echo360 platform, Charlie will ensure that strict and proper data practices are applied to the design and implementation of the platform. As our DPO, he will also ensure that our general business practices and corporate IT policies are in line with the GDPR and protect individual rights and privacy.
New EULA and Privacy Statement
We are updating the language in our EULA (End User License Agreement) to inform administrators of user rights in regards to any personal data in the system and to solicit their consent for engaging with our service on behalf of their institution. We are also updating our Privacy Policy and informing all instructors and students of their rights regarding their data in the system. This will affect users in the following ways:
- Administrators will see an updated version of our EULA and will need to explicitly opt-in before they can use the system. This is the same behavior as exists today, but the EULA text itself will change and the update will require consent from all administrators.
- Students and Instructors will see a modal displaying a Privacy Statement, which is a brief overview of what the updates to our Privacy Policy mean in simple terms. The Privacy Statement will link to our Privacy Policy, which will open in a new tab, for anyone who wishes to read the details. Instructors and students do NOT need to explicitly opt in or out of the policy, but simply close the modal containing the Privacy Statement to access the system as usual. ALL Students and Instructors, whether new or existing, will have this privacy statement containing the link to the privacy policy shown to them.
To meet the GDPR requirements for every user, we are also implementing new workflows that present the appropriate message to all users no matter how they first enter the system, including via the LMS. This update means that some users who may not have seen a Privacy Statement in the past will now be presented with one and will need to dismiss it before proceeding to use our service.
User Accounts: Deactivation vs. Deletion
Deactivation
Today, administrators have the ability to deactivate an individual account within Echo360, which removes the user’s ability to log into the system while retaining data associated with the user for historical purposes. In many cases, when an admin is looking to remove a user from active use of the service at the institution, deactivating the user’s account will continue to be the best option.
Deletion
However, a key provision in the GDPR outlines an individual’s “right to be forgotten.” If for some reason an individual user requests that their personal information be removed from the service, administrators will need the ability to support this request. To address this requirement, we are implementing a new protocol for administrators to delete accounts within Echo360. These new account deletion capabilities are designed to support an individual’s data protection rights as outlined in the GDPR, while also maintaining a consistent and positive user experience for remaining users within the service and the institution. Therefore, when an administrator selects the account Delete option, the following protocol occurs for the account:
- Personal Information
All personal information related to the specific user will be deleted from the system. This includes First Name, Last Name, email, password, picture, and UserID. This process is non-recoverable.
- Media
If administrators wish to preserve a user’s media and have appropriate rights to do so, they will need to use existing functionality to archive or reassign content before deleting the user.
- Shared Class Engagement
Since Echo360 is a collaborative learning environment, deleting a user’s engagement data can affect other users in a negative way. For example, if a user answers a question in a class discussion, and this answer later disappears when the user gets deleted, it would create a hole in the thread. Therefore, if a user account gets deleted, their class engagement data will remain, but it will be anonymized with no way to re-associate it with the user.
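As an added illustration of the deletion protocol above (this is example code written for this post, not Echo360’s own implementation, and the data model, field names and sample records are assumptions), the following Python sketch applies the three steps against a constructed in-memory store: it refuses to delete while the user still owns media, rewrites the user’s engagement records to a random token that carries no link back to the person, and only then drops the personal record. A deterministic pseudonym (a hash of the email) is shown for contrast, because anyone who still holds the email could recompute it and re-identify the posts, which is exactly the re-association the protocol rules out.

```python
"""Account deletion with irreversible anonymization of shared engagement data.
Example code for this post; the store, records and field names are constructed."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    first_name: str
    last_name: str
    email: str
    password_hash: str
    picture: str


@dataclass
class Media:
    media_id: str
    owner_id: str


@dataclass
class DiscussionPost:
    post_id: str
    thread_id: str
    author_id: str  # a user_id while the account exists, an opaque token afterwards
    text: str


class Store:
    """In-memory stand-in for the platform database (constructed for this example)."""

    def __init__(self):
        self.users = {}   # user_id -> User
        self.media = []   # list of Media
        self.posts = []   # list of DiscussionPost


def anonymize_token() -> str:
    # Random and not derived from any user attribute, so nothing can be re-joined later.
    return "anon-" + secrets.token_hex(8)


def pseudonymize_token(email: str) -> str:
    # The weak alternative, shown only for contrast: deterministic, so anyone
    # holding the email can recompute it and re-identify the records.
    return "pseudo-" + hashlib.sha256(email.lower().encode()).hexdigest()[:16]


def reassign_media(store: Store, from_user: str, to_user: str) -> int:
    """Existing-functionality stand-in: hand the user's media to another owner."""
    moved = 0
    for m in store.media:
        if m.owner_id == from_user:
            m.owner_id = to_user
            moved += 1
    return moved


def delete_user(store: Store, user_id: str) -> str:
    """Apply the protocol: block while media is still owned, rewrite engagement
    records to an unlinkable token, then remove the personal record."""
    if user_id not in store.users:
        raise KeyError(f"no such user: {user_id}")
    if any(m.owner_id == user_id for m in store.media):
        raise ValueError("archive or reassign the user's media before deleting")
    token = anonymize_token()
    for post in store.posts:
        if post.author_id == user_id:
            post.author_id = token   # thread keeps its shape, author is unlinkable
    del store.users[user_id]         # name, email, password, picture and UserID all go
    return token


def build_sample_store() -> Store:
    """Constructed sample: two users, one shared thread, one media item."""
    store = Store()
    store.users["u-1001"] = User("u-1001", "Ada", "Example", "ada@example.edu", "<hash>", "ada.png")
    store.users["u-1002"] = User("u-1002", "Bob", "Example", "bob@example.edu", "<hash>", "bob.png")
    store.posts = [
        DiscussionPost("p-1", "t-1", "u-1002", "What does lemma 3 mean?"),
        DiscussionPost("p-2", "t-1", "u-1001", "It bounds the error term."),
        DiscussionPost("p-3", "t-1", "u-1002", "Thanks!"),
    ]
    store.media.append(Media("m-1", "u-1001"))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    reassign_media(s, "u-1001", "u-1002")
    tok = delete_user(s, "u-1001")
    print(tok, [p.author_id for p in s.posts])
```

The token is generated with `secrets`, not from any attribute of the deleted user, so there is no key, salt or lookup table anywhere that could map it back; the refusal to delete while media is still owned mirrors the requirement to archive or reassign content first.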
Technology Partner Validation
Echo360 relies on several components from partner providers, both in the platform and to support the daily operation of the business. We are validating that all partner technology providers are either compliant with the GDPR already or have a plan to be so by the 25th of May. Fortunately, all our technology partners do business in the EU and have stated their intention to comply with the upcoming GDPR requirements.
Secure IT Practices for All Employees
The GDPR mandates secure IT practices for all personal data held by the company and any of its employees. To ensure compliance, Echo360 is conducting an audit of all employee equipment and practices. All employees must have their operating systems up to date, use encrypted storage, and run malware protection on their computers. Furthermore, those employees working to develop, support, and administer the platform will not transfer personal data out of the region of origin except when necessary and when there is a lawful basis for such transfer.
Data Security Document Set
Echo360 is assembling the various documents that outline our compliance with the GDPR into a single digital package that will be available upon request. This document set will have the level of detail needed to demonstrate compliance with the GDPR for all clients and prospects in the EU.
Communication
Echo360 is committed to supporting the GDPR and the rights of all our users. We are well on our way to completing the tasks outlined in this post with some already in place. We will post an update before 25 May 2018 letting you know when we are fully compliant. At that time, the document set described above will be available upon request.