EU General Data Protection Regulation


Introduction

GDPR stands for General Data Protection Regulation and is an EU privacy law that goes into effect on May 25th, 2018 [1]. GDPR applies to all businesses with a nexus in the EU or that target an EU audience in their marketing materials [2].

GDPR is designed to protect the sensitive personal information of end users, such as passwords, addresses, financial information, medical records, and criminal history. But it also extends to other personal identifying information such as name, photo, government ID numbers, and IP address. [3]

Businesses have a financial incentive to follow the law. If a violation of GDPR is reported to a business and it does not take timely action to correct the violation, then it can be subject to fines of up to 20m Euros or 4% of total revenues, whichever is greater. Fines depend on the severity of the breach and on whether the company is deemed to have taken compliance and regulations around security in a serious enough manner. [4]

Data controllers and data processors

GDPR has a joint responsibility model that’s split between a “Data controller” (a company that provides a service to end users) and a “Data processor” (a company that provides a service to data controllers which includes storing and processing of end user data). [5]

A data controller relies on its data processors to take good care of the end user data. If a data controller hears from a data processor that there has been a breach and the breach is serious enough, the data controller must inform their end users within 72 hours. [6]

A data controller must also provide end users with a clear description of how it will use their data and obtain explicit consent for this usage. A data controller must also provide a way for end users to download their data in a portable format, withdraw their consent, and remove themselves (and their data) from the service. [7]

A data processor stores end user data on behalf of the data controller and must ensure that this data never falls into the wrong hands. Data processors must follow industry best practices including encryption of passwords, PCI compliance, and ensuring the security of data transferred to/from the EU. [8] In the case of a breach, a data processor must inform the data controllers in a timely fashion.

A data processor may themselves use third party services to store and process end user data, and in this case the data processor must ensure that these third party services are also GDPR compliant.

How CYPHER LEARNING is GDPR Compliant

CYPHER LEARNING is primarily a data processor, since we offer our cloud-hosted LMS to organizations. Those organizations are data controllers, since they sign up end users and those users enter data into our system. To be compliant as a data processor, we do the following:

  1. Follow industry best practices to ensure the security of our system and prevent breaches. For more details about our security features, visit our public FAQ.
  2. Provide clear privacy policies, which are documented here.
  3. Provide our customers with a framework that allows policies to be required for particular account types and/or visitors.
  4. Allow policies to be versioned (which then requires re-acceptance) and reported on.
  5. Allow end users to withdraw their consent from policies if desired.
  6. Allow customers to provide end users with self-service data export for data portability.
  7. Allow customers to provide end users with the ability to self-delete their accounts or request that their accounts are deleted.
  8. Provide end users with a set of privacy settings.
  9. Commit to alert our customers with a timely notification of any serious breach.
  10. Use the EU-US and Swiss-US Privacy shield for EU-US data transfer.
  11. Confirm that the third party services and systems we utilize for the operations of our product are also GDPR compliant.

CYPHER LEARNING is also secondarily a data controller, since we require the person who initially signs up for our service to enter some data such as their name and email address. To be compliant as a data controller, we do the following:

  1. Provide clear Terms of service and Privacy Policy.
  2. Provide customers with a method to self-delete their site and all related data.
  3. Use industry best security practices to protect against data breaches.
  4. Commit to alert our customers within 72 hours of any serious breach.
  5. Provide clear privacy policies, which are documented here.

Third party optional integrations in our App Center

CYPHER LEARNING products include a wide variety of optional integrations with third party products via our App Center, and most of these third party systems can be considered data processors. We do not warrant that these third party products are GDPR compliant, and expressly disclaim any liability for damages which may occur if those third party products are breached.

We also expressly disclaim legal responsibility for notifying our data controllers or end users if third party systems that we provide optional integrations with via our App Center are breached. Our customers are expected to have a separate contract with each third party system that they integrate with CYPHER LEARNING products, and we recommend that our customers contact each of these third party providers to confirm whether they are GDPR compliant.

Disclaimer

The information on this page is not legal advice for you or your company to use in complying with EU data privacy laws like the GDPR. The content on this page is meant only for educational purposes and to provide you with background information to help you better understand CYPHER LEARNING’s efforts to comply with the regulation.

References

  1. https://gdpr-info.eu/
  2. https://www.workplaceprivacyreport.com/2018/01/articles/international-2/does-the-gdpr-apply-to-your-us-based-company/
  3. https://gdpr-info.eu/art-4-gdpr/
  4. https://www.gdpreu.org/compliance/fines-and-penalties/
  5. https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  6. https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/
  7. https://www.i-scoop.eu/gdpr/right-to-data-portability/
  8. https://www.itgovernance.co.uk/blog/transferring-personal-data-under-the-gdpr/

For more details about GDPR please visit https://www.eugdpr.org/.