Every day, most of us trust some of our personal data to the debatably safe hands of the world wide web. Everything from conducting private conversations to sharing sensitive credit card information is now frequently done online. With these developments has come a growing need for data protection regulations.
In the US, people commonly consider this an issue of consumer safety rather than a basic right. The EU, on the other hand, has definitively ruled that privacy is important for everyone. On May 25th, 2018, it began to enforce the General Data Protection Regulation, or GDPR. This new regulation sets stringent rules for data protection that anyone in EdTech MUST know about and take the proper actions to uphold.
The primary goal of GDPR is simple - to “protect personal data from unrestricted collection and exploitation.” While you can read the full regulation here, the basic requirements are straightforward. GDPR requires:
In short, companies must make sure users know their rights and consent to the use of personal data and use the data securely and responsibly. While the regulations are straightforward, enforcing them can prove a challenge.
If you’re a company that processes the personal data of EU residents, you must legally comply with GDPR. This includes almost every institution of higher education, but many are worried that American universities are unprepared for the shift. Many people were still unaware of the existence of the GDPR, let alone prepared to comply.
Many more in EdTech are under the false belief that the policy doesn’t apply to them. Unfortunately, if any of your users access learning materials while residing in or visiting Europe, GDPR applies to you. Compliance with the Family Educational Rights and Privacy Act is not enough either, as GDPR has several differences.
If you process the data of EU residents, even if it’s no more than users’ names and email addresses, and don’t comply with the GDPR, you can be on the hook for intimidating fines. The penalties fall within two categories depending on the infringement, but they range from 2-4% of a company’s revenue. Ouch!
The nuances of GDPR requirements mean that the effect on EdTech companies will depend on the nature of each company’s data usage. Specifically, it matters whether or not the company is considered a “controller” or a “processor.” A controller is defined as the individual, authority, or body that decides which data is collected, why, and by what means. Schools are an obvious example of this. The processor is a similar entity with one key difference. Rather than collecting data for their own purposes, the processor “processes data on behalf of a controller.”
In other words, if a school hires an EdTech company to track student outcomes, the school is required to meet GDPR standards while the processor - the EdTech company - would not be held responsible. While EdTech companies can get off the hook in these cases, there are likely others they cannot avoid. In the end, it’s always better to err on the side of caution and make the leap to GDPR compliance out of respect for your customers' personal data safety.
Beyond the risk of steep fines come other potential concerns with GDPR in EdTech. If institutions of higher learning are no longer able to provide EdTech platforms with such a large amount of user data, those platforms may not be able to grow and evolve as quickly. Another worry is that obtaining consent to record data will become too time-consuming for schools to consider it, making offline options more attractive. These effects are likely to hit EU countries the hardest, but hopefully the market will once again rise after schools and universities adjust to the new policies.
At first, complying with GDPR can be overwhelming. While it does require a company-wide effort to coordinate changes in policy, the adjustment should be thought of as an opportunity to improve data management practices and to best serve your customers. You wouldn’t want your personal data to be sold or misused, would you? GDPR aims to protect your users from the same risks, leading to a better, safer, and more private user experience.
While the EU is unlikely to target minor transgressions in small American companies, GDPR should be thought of as the future of data protection policies. In other words, it’s better to apply its standards now than to risk issues down the road.
Gutenberg’s privacy policy is a prime example of how small, company-wide changes can align your policies with GDPR standards. Policy changes should start from the top down, examining what data is collected and where, and establishing a plan to close any gaps in compliance. It’s also advisable to ensure all employees understand the privacy policy, who is permitted to access personal data, and whom to contact if any breaches of policy occur. Other important steps include reminding employees to create strong passwords, keep any company devices locked and private, and maintain confidentiality when working outside the office.
Wherever you start in your journey to GDPR compliance, the time to check and double check your policies is now. Despite the hassle, applying the GDPR standard will help your company avoid hefty fines and develop a data protection policy your users can rely on.