GDPR will force businesses to spell out, in plain language, why they’re collecting a user’s data.
In an effort to harmonize its data privacy laws, the European Union (EU), after lengthy negotiations, in April 2016 finally adopted the General Data Protection Regulation (“GDPR”, EU regulation 2016/679), which will come into force on May 25, 2018. The GDPR is the most significant piece of European data protection legislation to be introduced in 20 years and is meant to protect and empower the data privacy of EU citizens and reshape how organizations that operate within the region approach user data privacy.
What is the GDPR?
The GDPR replaces and repeals the 1995 EU Data Protection Directive and is designed to significantly enhance the protection of the personal data of EU citizens while increasing the regulatory compliance obligations of organizations that collect or process personal data. It builds on the 1995 Directive’s requirements for data privacy and security, but includes a number of new provisions that bolster the rights of data subjects (users/citizens) and make penalties for violations more severe.
Why is GDPR Happening?
GDPR is designed to enhance and harmonize data protection measures across EU member countries, including the UK. The regulation gives EU citizens ultimate control over their personal data and will force businesses to spell out, in plain language, why they’re collecting a user’s data and if it will be used to create profiles of their actions and habits. Consumers will also be given access to any data any company stores about them, have the ability to correct any inaccurate information and limit the use of decisions made by algorithms.
Does GDPR apply to my business?
GDPR applies not only to organizations that operate within the EU, but will also affect companies that undertake “real and effective” business activity there. Any business that processes data and offers goods or services (paid or free) to EU citizens must comply with the requirements outlined in GDPR. The territorial scope of GDPR is far wider than that of the 1995 Directive, as it also applies to non-EU businesses that market their products to EU citizens or monitor the behaviour of people who live in the EU. Even if your company is based outside the EU, if you control or process data of EU citizens, GDPR applies to you.
What is Personal Data (as defined by GDPR)?
Personal data is any information that relates to an identified or identifiable natural person (data subject).
An identifiable natural person is an individual who can be identified directly or indirectly by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Handling personal data under GDPR
Under the GDPR, the Data Subject is the identified or identifiable natural person (that is, the individual) to whom personal data relate.
- The Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- The Processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
The Controller will need to have in place an appropriate Data Processing Agreement with any third party that it shares data with where that third party is a Processor.
Controllers and Processors are also required to implement appropriate technical and organisational measures (TOMs), including as appropriate:
- Pseudonymisation and encryption of personal data
- Ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore availability of and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of the TOMs
The adoption of such measures must be evaluated and contextualised, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The GDPR also introduces the concepts of ‘Privacy by Design’ and ‘Privacy by Default’.
- Privacy by Design holds that organisations need to consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data.
- Privacy by Default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy-friendly ones.
Moreover, Controllers must report personal data breaches to the relevant supervisory authority within 72 hours. If there is a high risk to the rights and freedoms of data subjects, they must also notify the data subjects.
Individuals’ Rights under GDPR
Consent: The controller must ensure the data subject has given their consent. Data subjects can’t be forced into consent, or be unaware that they’re consenting to anyone processing their personal data.
GDPR expands on the 1995 Directive by stepping up the standard for disclosures when obtaining consent, which must be “freely given, informed and unambiguous.” Language must be “clear and plain” that is “clearly distinguishable from other matters.” Data controllers are also required to provide evidence their processes are compliant and followed in each case where data subjects are asked for their information.
- The right of access: individuals have the right to access their personal data and supplementary information, and to be aware of and verify the lawfulness of the processing.
- The right to rectification: the data subject has the right to request rectification of inaccurate personal data concerning him or her. The data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- The right to restriction of processing: allows individuals to obtain from the controller a restriction of the processing of their data when certain conditions apply.
- The right to object: allows individuals to object to processing of their data based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling), and processing for purposes of scientific/historical research and statistics.
- The right not to be subject to automated individual decision-making resulting in decisions having legal or significant effects: This means that any processing activity which is wholly automated and leads to decisions that impact on individuals in a sufficiently significant way is prohibited unless such processing can be justified on one of three bases set out as exceptions under Article 22(2), namely: performance of a contract, authorised under law, or explicit consent.
- The right to data portability: Allows individuals to obtain and reuse their personal data for their own purposes across different services, to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right to erasure (‘right to be forgotten’): this principle dictates that an individual can request for their data to be removed or deleted when there is no compelling reason for a business to continue processing that information.
Is Docebo GDPR compliant?
Docebo is fully aware of the GDPR requirements and restrictions and will be fully compliant with the regulation when it comes into effect on May 25.
Docebo is a software as a service (SaaS) platform for e-learning that provides an enterprise-wide cloud-based Learning Management System (LMS) designed to increase performance and learning engagement.
The purposes and means of the processing of personal data related to end-users of Docebo’s platform are determined by Docebo’s customers, which act as Controllers and must inform their end-users what’s going to be collected, and how and why that data will be used.
In this scenario, Docebo plays the role of Processor by providing the use of the LMS platform. Customer data processing by Docebo can be governed by a contract, as per Docebo’s Data Processing Addendum (DPA) in accordance with art. 28 of GDPR.
Docebo maintains an information security management system (“ISMS”), which is ISO 27001 certified. Within this framework, Docebo has defined a comprehensive information security program, including a full set of controls implemented in accordance with ISO 27001 and AICPA SOC 2, that provides adequate coverage of GDPR Article 32, privacy by design and other GDPR requirements.
Docebo is compliant with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and has obtained the relevant seal from TRUSTarc.
Moreover, Docebo provides GDPR compliance mechanisms within its learning platform.
Join Docebo’s Melvin Prada, Global Head of Customer Success, and Daniele Baudone, Chief Information Security Officer, on May 10 for a deeper dive into how Docebo complies with GDPR and the steps you might need to take to ensure your own organization’s compliance.
Disclaimer: The information on this page is not legal advice for you or your company to use in complying with EU data privacy laws like the GDPR. The content on this page is meant only for educational purposes and to provide you with background information to help you better understand Docebo’s efforts to comply with the regulation.
Register for our webinar on May 10 to learn more about the most significant piece of EU data protection legislation to be introduced in 20 years.