How US companies can prepare their LMS for GDPR
With the Cambridge Analytica scandal unfolding before our very eyes, data protection has never been more important. Across the pond, the General Data Protection Regulation (GDPR) will go into effect across the European Union as of 25th May 2018, which will effectively allow millions of people in the region to have full control over their personal data. The EU is making prominent strides in the right direction, but what about the rest of the world?
Recently, I mentioned some of the GDPR-related, behind-the-scenes work our product and marketing teams have been busy with to some people across Canada and the United States, and I was absolutely shocked by the number of people who responded with “What is this GDPR you speak of?” and “That doesn’t apply to us over here, we’re in America!”
This lack of knowledge of a massive data protection law is dangerous when you consider that the GDPR's territorial scope means it isn’t siloed in Europe. Any company globally that processes the personal data of EU residents must comply with the new rules. Failure to comply with the GDPR means fines as high as 4% of annual global turnover or €20 million, and, you guessed it, no one is exempt even if outside the EU jurisdiction.
Gartner predicts that 50% of businesses in the United States will be affected by the GDPR and will not be in full compliance by the end of 2018.
It might seem daunting, and it might seem like your marketing teams are the only ones affected by this - wrong again. HR and learning and development teams are considered a high-risk business function with lots of ways in which they can fail to comply with GDPR.
What does a global LMS that supports GDPR compliance look like?
32% of organisations are concerned that they are unable to manage data effectively with current technology provision.
Your LMS should enable you to track the version of a site policy and any opt-ins that a user has agreed to. Users should also be able to visit the site policy pages they have signed up to and amend their agreements.
Your learning administrator should be able to export all of the data linked to a given user, which can be reviewed before handing the data over to the user. The user should be able to see what type of data processing is taking place with their data, and see how this aligns with the data policies they have signed up to.
This includes processing of items such as appraisals, 360 feedback responses, course enrolments, progress and completion, and site logins. The exported data may or may not be in a human-readable format - it just needs to be consistent.
Certain data items need to be available in a human-readable format to be ported between platforms. This may include completion data (such as courses, competencies and certifications), which a user may want to take with them to a new employer. This may be available via the learning platform reporting functionality or the user’s record of learning.
To comply with the right to erasure, your LMS should enable you to delete certain types of data from the system. You may need to keep certain data (such as certifications representing completion of compliance training), but want the ability to delete other data, such as forum posts. You could also anonymise a user’s data so it can’t be traced back to them, or delete all data related to a user. Different types of data deletion may automatically be triggered a certain amount of time after a person leaves your organisation.
Preparing for GDPR in the US
HR and L&D teams need to understand the GDPR and what it means for their global systems that hold EU employee data, even if the company is based in the US, Canada, Australia... you catch my drift.
While there is no one-size-fits-all approach to how an organisation will prepare for these changes, what is certain is that many businesses will need to build GDPR considerations into the way they operate within the EU. Consider it a future-smart approach.
There’s no doubt in my mind that stronger data laws will eventually go into effect across other parts of the world, and it's safest to implement best-practice approaches when it comes to data privacy and protection within the workplace.
Here are some things you can do right now to help prepare for the risks associated with GDPR non-compliance:
- Familiarise yourself with the new GDPR rights
- Consult with your IT, digital and marketing teams to ensure everyone understands GDPR
- Consider hiring a Data Protection Officer to guide you through the process
- Download Totara and Deloitte Learning Solutions’ HR guide to GDPR
- Upgrade to an LMS that supports GDPR (such as Totara Learn)
If you found the information in this post useful, you may want to download our new guide to GDPR compliance and your LMS. This is designed to give you a quick overview of everything you need to know about GDPR, including some real scenarios you could encounter as an HR or L&D professional.