GDPR stands for General Data Protection Regulation and is an EU privacy law that went into effect on May 25th, 2018 [1]. GDPR applies to all businesses with a nexus in the EU or that target an EU audience in their marketing materials [2].
GDPR is designed to protect the sensitive personal information of end users, such as passwords, addresses, financial information, medical records, and criminal history. It also extends to other personally identifying information such as name, photo, government ID numbers, and IP address. [3]
Businesses have a financial incentive to follow the law. Suppose a violation of GDPR is reported to a business and it does not take timely action to correct the violation. In that case, it can be subject to fines of up to 20m Euros or 4% of total revenues, whichever is greater. Fines depend on the severity of the breach and on whether the company is deemed to have taken its security and compliance obligations seriously enough. [4]
GDPR has a joint responsibility model that’s split between a “Data controller” (a company that provides a service to end users) and a “Data processor” (a company that provides a service to data controllers which includes storing and processing of end user data). [5]
A data controller relies on its data processors to take good care of the end user data. If a data controller hears from a data processor that there has been a breach and the breach is serious enough, the data controller must inform their end users within 72 hours. [6]
A data controller must also provide end users with a clear description of how it will use their data and obtain explicit consent for that usage. A data controller must also provide a way for end users to download their data in a portable format, withdraw their consent, and remove themselves (and their data) from the service. [7]
A data processor stores end user data on behalf of the data controller and must ensure that this data never falls into the wrong hands. Data processors must follow industry best practices including encryption of passwords, PCI compliance, and ensuring the security of data transferred to/from the EU. [8] In the case of a breach, a data processor must inform the data controllers in a timely fashion. A data processor may themselves use third party services to store and process end user data, and in this case the data processor must ensure that these third party services are also GDPR compliant.
HLS.Today is primarily a data processor, since we offer our cloud-hosted LMS to organizations. Those organizations are data controllers, since they sign up end users and those users enter data into our system. To be compliant as a data processor, we do the following:
HLS.Today is also secondarily a data controller, since we require the person who initially signs up for our service to enter some data such as their name and email address. To be compliant as a data controller, we do the following:
HLS.Today products include a wide variety of optional integrations with third party products via our App Center, and most of these third party systems can be considered data processors. We do not warrant that these third party products are GDPR compliant, and expressly disclaim any liability for damages which may occur if those third party products are breached.
We also expressly disclaim legal responsibility for notifying our data controllers or end users if third party systems that we provide optional integrations with via our App Center are breached. Our customers are expected to have a separate contract with each third party system that they integrate with HLS.Today products, and we recommend that our customers contact each of these third party providers to confirm whether they are GDPR compliant.
The information on this page is not legal advice for you or your company to use in complying with EU data privacy laws like the GDPR. The content on this page is meant only for educational purposes and to provide you with background information to help you better understand HLS.Today’s efforts to comply with the regulation.
For more details about GDPR please visit https://www.eugdpr.org/.