GDPR is coming! Here’s how Docebo LMS Complies With the Regulation’s Requirements
Simply speaking, if you’re an LMS user and any of your learners (employees, partners, and customers) are located in the EU, you’ll have to make sure any data collection and processing activities performed within your LMS are compliant with the regulation, even if your organization isn’t based there. Non-compliance comes with a big price tag, so it’s in your best interest to partner with an LMS provider that makes GDPR compliance easy and effective.
Docebo is fully aware of the GDPR requirements and restrictions and will be fully compliant with the regulation when it comes into effect on May 25. We’ve also implemented the mechanisms necessary to make our users’ GDPR compliance as simple as possible.
How Personal Data is Defined Under GDPR
The GDPR’s purpose is to strengthen the rights of EU citizens with regard to how their personal data is used and how it’s protected. The legislation introduces robust requirements that elevate and harmonize standards for data protection, security, and compliance across the EU.
Personal data is any information that relates to an identified or identifiable natural person (data subject), such as:
- identification number
- location data
- online identifier
- other specific factors (related to the physical, physiological, genetic, mental, economic, cultural or social identity of that person)
Data Controller vs. Data Processor
- The Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- The Processor is the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
The purposes and means of processing any personal data related to end-users of Docebo’s learning platform are defined by its customers. The customers are therefore Controllers and must inform their end-users of any data that’s going to be collected and how it will be used.
In this instance, Docebo would be considered a Processor, as we are providing the use of the learning platform and a means by which our customers can collect their users’ data. Docebo’s customer data processing activities are governed by the company’s Data Processing Addendum, which satisfies the requirements of GDPR, Article 28.
Controllers and Processors are also required to implement relevant technical and organizational measures (TOMs), including:
- Personal data pseudonymization and encryption
- Ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- The ability to restore availability of and access to personal data in a timely manner in the event of a physical or technical incident
- Process for regularly testing, assessing and evaluating the effectiveness of TOMs
Data Portability Solutions and Management Tools
GDPR intensifies the standard for disclosures when obtaining an end-user’s consent, which must be “freely given, informed and unambiguous.”
Any LMS user requesting data subject consent must use clear and plain language (Docebo allows you to customize your data request forms) that is “clearly distinguishable from other matters.” As a data controller, you need to prove that any of your data collection processes comply with and follow GDPR processes in any cases in which data subjects are asked to share their personal information to access your LMS.
While familiarizing yourself with the ins and outs of this unprecedented data privacy legislation is paramount, it’s just as important to understand how it could affect your learning management system.
Among the many new rights for data subjects in GDPR, the following will apply to your LMS and you should know them well to ensure your compliance (and to avoid the big fines that come with non-compliance):
- The right of access: Data subjects will now have the right to access any personal data and to be aware of and verify the lawfulness of that data’s processing. For example, if one of your learners has been taking courses with you for years and suddenly wants to know what kind of information your LMS holds about them, you must provide that learner all data you’ve collected about them (such as training records or performance evaluations).
- The right to rectification: Gives a learner the ability to correct their collected data if they notice something is inaccurate or incomplete. For example, a learner may be able to prove that they’ve completed a required e-learning course, but that achievement isn’t recognized by the LMS. As a data collector, you must give that learner the ability to rectify the data if it’s proven incorrect. If their data has been shared with a third party, you must also inform that third party that the data needs updating.
- The right to be forgotten: Data subjects can have their information removed or deleted if it’s proven that there is no compelling reason for a business to continue processing that information. For example, if a learner requests that their data be deleted because it no longer serves its original purpose, the collector must oblige.
- The right to data portability: Data subjects can obtain and reuse their personal data for their own purposes across different services to move, copy or transfer personal data from one IT environment to another safely and securely, without hindering usability. If a learner wants to reuse any data they’ve given to you elsewhere, you are required to provide that data to them. It must be provided in a structured and commonly used and machine-readable format (such as a CSV file) and can be exported directly from the LMS.
- The right to object: GDPR gives LMS users the right to object to having any personal data used for direct marketing, profiling or processing for research or statistics. That means you must give LMS users a mechanism to opt-out of marketing communications any time you request their personal data. That right must be clearly presented the first time a user is asked for their personal information and outlined in your privacy notice. This means you will need to include explicit mentions of any other reasons for collecting personal data on your LMS.
- The right not to be subject to automated individual decision-making resulting in decisions having legal or significant effects: Any processing activity that is wholly automated and leads to decisions that impact individuals in a significant way is prohibited unless such processing can be justified on one of three bases set out as exceptions under Article 22(2), namely: performance of a contract, authorised under law, or explicit consent. For example, a learner is required to keep any compliance training up-to-date as a requirement of their employment with your company. It comes time to renew their compliance certification and your system recognizes that the learner has failed to complete that training and automatically terminates that learner’s employment. Under GDPR, the learner could challenge the decision and request human intervention since the decision can have significant implications to their life.
The Handling of Personal Data Under GDPR
Under GDPR, a Data Subject is the identified or identifiable natural person (that is, the individual) to whom any personal data relates.
The adoption of such measures (the TOMs described above) must be evaluated and contextualized taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The GDPR also introduces the concepts of ‘Privacy by Design’ and ‘Privacy by Default’.
- Privacy by Design holds that organizations need to consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data.
- Privacy by default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy-friendly ones.
Moreover, Controllers must report personal data breaches to the relevant supervisory authority within 72 hours. If there is a high risk to the rights and freedoms of data subjects, they must also notify the data subjects.
How Docebo LMS is GDPR Compliant
Docebo maintains an information security management system (“ISMS”), which is ISO 27001 certified.
Within this framework, Docebo has defined a comprehensive information security program with controls implemented in accordance with ISO 27001 and AICPA SOC 2. This ensures that Docebo, as a service provider, securely manages its customer data and that the security controls the company has implemented are effective in protecting user data, providing adequate coverage of GDPR Article 32.
Docebo gives its users the ability to achieve GDPR compliance with:
- LMS functionalities and tools
- Compliance Framework
- ISO 27001
- AICPA SOC 2
- EU-US and Swiss-US Privacy Shield
- Data Protection Addendum
GDPR: The Bottom Line
It’s as simple as this: if you use Docebo and operate in the EU (or have learners in the region), you’ll have the tools you need to comply with GDPR. But while our platform gives you the tools you need to meet GDPR requirements, you’ll still need to use those tools properly to ensure your own compliance and to make sure your practices align with the regulation.
Have any questions? We’re committed to making sure our customers have the answers to any questions they might have about GDPR and their compliance within our learning management system (LMS).
Disclaimer: The information on this page is not legal advice for you or your company to use in complying with EU data privacy laws like the GDPR. The content on this page is meant only for educational purposes and to provide you with background information to help you better understand Docebo’s efforts to comply with the regulation.