GDPR, The LMS & You

On May 25, 2018 the European Union’s General Data Protection, better known as GDPR went into effect. While most European organizations are probably aware of it and are considering how to ensure compliance, many organizations in the United States and other nations will also need to consider their exposure to the GDPR. For example –

• Do you have students that apply for and enroll from within the EU and potentially access your LMS from the EU (maybe during breaks)?
• Do you run study abroad programs where users are traveling or living in the EU and accessing your LMS?
• If you’re a company – do you employ any EU citizens or have any staff traveling or living in the EU or have any customers that you provide training to in the EU?

If you do any of the above, then the GDPR most likely applies to you. Luckily Totara 11 and Moodle™ 3.5 both came out ahead of time and provide technical support for the GDPR requirements. In many cases, though, the requirements for the GDPR are policy and process based. Open LMS can help you think through the implications specific to your organization, but Moodle™ has posted a few resources to help organizations start thinking about what they might need to change. You can get the full list on their wiki, but a few highlights are listed below.

• Do you have users accept a site policy? If so, does it cover all the required items?
• Do you have a list of all third parties that have access to any data related to your users?
  • Such as LTIs, portfolios, plagiarism, repositories, authentication systems, hosting companies, etc.

GDPR and Learning Management Systems

The primary GDPR changes in Moodle™ and Totara Learn revolve around supporting the right to be informed about how your data will be used, access to your data, and the ability to request that your data be erased. The details differ a bit between Totara and Moodle™, but in general they have both added new and more flexible ways to add privacy/site agreement statements that users must review and acknowledge, the ability for users to request a copy of their data, and a process for users to request their accounts be deleted (along with all data).

GDPR in Moodle™

Moodle™ added a new section to the Site administration area called Privacy and policies to contain most of this functionality. From here you can set a wide range of options, such as whether you want to do age verification prior to account creation, create policies (site, privacy, third party and “other” are your choices of types), set different policies for authenticated users versus guests and review who has or hasn’t agreed to your policies.

Your end users also get some additions to their profile pages. Under Privacy and policies Moodle™ end users will be able to contact the Data Protection Officer (DPO) to request a copy of their data or their account/data to be deleted. They can also review the status of data requests and review all policies and agreements that are currently active and whether they accepted the policy or not.

GDPR and Totara Learn

The features in Totara are similar but are located in slightly different spots. Most of the GDPR related functions are either under the Users menu (a new option “User data management”) or in the Security menu under “Site Policies.”

What to do about GDPR

As a reminder – simply upgrading or installing plugins to make your Moodle™ or Totara site technically capable of being GDPR compliant isn’t enough. GDPR compliance is more about a privacy/user first policy and procedural shift. This requires reviewing all aspects of your process, from how users get into your site in the first place, to what you do with the data you collect, how your site is secured, and how you disclose these measures and data to users. *Current clients please contact support for more details specific to your installation or to schedule an upgrade. Determining your exposure and risks to GDPR compliance is a complex issue. If you need support, reach out to the experts at Open LMS so you remain compliant.