Three ways GDPR changes life for L&D managers

by Viv Cole on April 6, 2018

GDPR is one of e-learning’s hot topics in 2018. Here’s a blog that I co-wrote with Brightwave’s Head of QA, Simon Hollobon, on how it will affect L&D managers when they have a breathing space from getting learning to their colleagues about GDPR.

2018 has already seen an explosion of e-Learning production as companies all over the world ready themselves for the General Data Protection Regulation (GDPR). What is less understood is how GDPR will change the way that people produce and consume digital learning and how that impacts on you as an L&D manager.

First, a quick bit of context:

GDPR strengthens the legal rights of individual employees (or as we tend to think of them, ‘learners’) over their personal data. Employers routinely collect, store and use their employees’ personal data. GDPR makes no distinction between personal data usage at home and at work.

Three key things that employers will need to have processes in place for are:

  • Gaining appropriate consent
    Have employees given consent for their data to be used, either in their employment contract or by signing specific consent statements? Processes also need to cover if an individual exercises their right to withdraw or amend consents.
  • Subject Access Requests
    Current and ex-employees can request that their employer provides them with a record of all the personal data they hold within 30 days. This may not be straightforward, as this data may be held across many overlapping systems.
  • The right to be forgotten
    A person can request a data controller to delete all the personal data they hold (although this is trumped by regulatory and legal requirements to retain certain personal data for a period of time). The most obvious time to make such a request would be after an employee has left employment. The employer’s standard leaver process will involve removing access to business systems.

But will this involve removing any of the ex-employee’s personal data also? The company may not retain any personal data for a period longer than legitimate and lawful. The meaning of ‘legitimate and lawful’ is, of course, currently up for grabs!!

What GDPR means for L&D

GDPR experts have had many high priority issues to ready organisations for, especially customer data and HR use of employee data, but L&D may have been neglected in this process. It may surprise L&D managers to learn that you too will have the status of data controller, and all the new responsibility that implies.

There are three main areas that could impact you.

1. Employee images

Bespoke e-learning often makes use of photos or videos of employees. These add authenticity to the learning and are free in terms of cash (if not opportunity cost). Although case law will clarify this in time, a strict interpretation of GDPR is that a photo or a video of an employee is personal data.

The right to be forgotten means that when an employee leaves they can require the image to be deleted from the e-learning, leaving a gap to fill.

Whilst a policy of never using employee images is at the risk-averse end of interpreting GDPR, L&D managers can expect to make more use of stock photography and stock video for future projects. If you are planning to make use of employee images, ensure that you have a process for capturing the appropriate level of consent for using and retaining those images.

2. Profiles and online conversations

Employees have user profiles that include personal data held in several systems owned by L&D, from the LMS to your enterprise social media system and various online learning portals. Imagine a portal with a leader board for activity/completion and where people have made comments. All of this data comes under the GDPR umbrella.

When an employee leaves, what’s the correct approach? There are a few options:

a) Delete the entire user profile. Deleting the user and all their activity anticipates any future requests to be forgotten. However, any valuable comments would be deleted too. This runs counter to one of the classic benefits of knowledge management i.e. that useful knowledge does not leave the organisation when a person leaves.

b) Other methods of retaining valuable information. Keep the scores on the leader board and posted comments where they are valuable enough but change the profile name to a random string of digits (pseudonymisation). A significant proportion of leavers would make the platform look bad (both visually and politically).

c) Design away the problem. Use the options in the software to switch off functionalities which are vulnerable to the right to be forgotten. This ‘locked-down’ approach will reduce the benefits that the system delivers.

There are no simple right answers. L&D and the wider organisation will need to decide on a case by case basis how much the benefits of having communities, user profiles and social conversations outweigh the potential extra administration and clunkiness of being GDPR-proof.

3. Personalisation

Especially in large and fast-changing organisations L&D is aiming to provide a more personalised learning experience which generates recommendations for people based on factors such as course ratings, course completions and diagnostics. The algorithms which generate these recommendations use personal data.

GDPR probably has little impact on the algorithm if it is aggregating numbers independently of the identity of the person who generated them.

One risk area is using this data combined with other data in a way that has consequences beyond the consents given in the employment contract e.g. if the personalisation creates a ‘remedial’ learning path for individuals this could not be used as evidence to deny someone promotion or as part of a disciplinary procedure.

What next?

First the legal bit! These three impacts on L&D above are general trends and should not be interpreted as legal advice. Please consult with your relevant compliance departments and take your own legal advice specific to your unique situation.

If you’ve not done so already, here are a few points to consider:

  1. Check there is a comprehensive list of the systems your organisation uses that transfer, store and use learner personal data.
  2. Have a map of the learning architecture showing the data process flows between employees and systems (bearing in mind that some of this may be via third parties).
  3. Within this learning architecture identify where and when you are a data controller rather than a data processor.
  4. Have you got the appropriate consents over personal data in place?
  5. Do you need to gain specific consents as part of one-off projects e.g. photo or video shoots?
  6. Have you got systems to deal with what happens to data when someone leaves, someone submits a Subject Access Request and exercises their right to be forgotten?
  7. Do your procurement checklists for third party vendors include questions about the safeguards they have in place to ensure that learner data is handled GDPR-compliantly?
