WHAT IS GDPR?

In April 2016, the European Union (EU) brought into effect what can be called Europe’s biggest IT reform and compliance measure yet. It is aimed at organizations globally and pertains to information being collected on EU citizens. The GDPR framework puts its emphasis on why information on EU citizens is collected and how organizations plan to use it. It is the most significant piece of legislation to be introduced in the last 20 years, aiming at protecting the privacy of EU citizens. What is important to note is that organizations found to be non-compliant with the GDPR stand to be heavily penalised.

WHO IS GDPR APPLICABLE TO?

GDPR is applicable to all organizations that are present within the EU and carry out active business within its territories. It is also applicable to all businesses which are not directly present within the EU but actively carry out business with members of the EU, or businesses which consider members of the EU as clients and business associates. This applies to any business which collects data of EU members for the process of KYC. GDPR also applies to all the people residing within the limits of the European Union, irrespective of their citizenship.

KEY TERMINOLOGIES OF GDPR

When attempting to understand GDPR, its implications, and its compliance requirements, one must first understand the key terminologies that constitute its framework and define essential elements of the legislation.

  1. Data Subject: Customer or User.
  2. Personal Data: The data related to the user. This data is defined as the following under the guidelines of the GDPR:
    • Name
    • Identification number
    • Location data
    • Online identifier
    • Other specific factors (related to the physical, physiological, genetic, mental, economic, cultural or social identity of that person)
  3. Consent: An expressed permission given by an individual to allow the controller to collect and process personal data.
  4. Data Processing: Operation performed on the user’s personal data, whether automated or manual.
  5. Profiling: Processing of personal data for analysing or predicting the user’s behaviour or preferences.
  6. Data Controller: A person within the organization that determines the purpose, condition, and means for processing of user’s personal data.
  7. Processor: An entity that processes the data at the behest of the data controller.
  8. Supervisory Authority: The public authority established by the member state, similar to the UK’s Information Commissioner’s Office (ICO).
  9. Data Protection Officer: A person within the organization who ensures that the norms of GDPR are followed at each level of handling user’s data.

THE RIGHTS THAT GOVERN GDPR / RIGHTS AWARDED TO THE USER

At the core of the GDPR framework are the rights that protect the user’s (EU members) information. An organization must understand what rights a user has in order to ensure it is GDPR compliant. Organizations are to acknowledge the rights a user has at all times; failure to acknowledge and present these rights to the user may result in non-compliance, attracting heavy penalties.

These rights are:

The right of access: Individuals have the right to access their personal data and supplementary information, and to be aware of and verify the lawfulness of the processing.

The right to rectification: The data subject has the right to request rectification of inaccurate personal data concerning him or her. The data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The right to restriction of processing: Allows individuals to obtain from the controller restrictions on processing their data when some conditions apply.

The right to object: Allows individuals to object to processing of their data for any of the following reasons:

  • Direct Marketing
  • Scientific Purposes
  • Historical Reasons
  • Statistical Reasons

This right applies unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The right to not be subject to automated individual decision-making resulting in decisions having legal or significant effects: Any processing activity which is wholly automated and leads to decisions that impact an individual in a significant way is prohibited, unless such processing can be justified on one of the three criteria set out as exceptions under Article 22(2), namely: performance of a contract, authorised under law, or explicit consent.

The right to data portability: Allows individuals to obtain and reuse their personal data for their own purposes across different services, to move, copy, or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to erasure (‘right to be forgotten’): This principle dictates that an individual can request for their data to be removed or deleted when there is no compelling reason for a business to continue processing that information.

HOW IS ABARA GDPR COMPLIANT?

Abara is aware of the GDPR requirements and restrictions and is completely compliant with the regulation as of June 2018. The method and consent of collecting data and processing it are solely provided by the customers, who act as controllers. The collection and processing of data can be governed by a contract between the customer and Abara LMS.
Abara gives its users the ability to achieve GDPR compliance with:

  • LMS functionalities and tools
  • Compliance Framework
  • ISO 27001

When Abara LMS is used in the EU (or has learners in the region), it provides the tools needed to comply with GDPR. While Abara gives you the tools needed to meet GDPR requirements, they must be used effectively to ensure your own compliance and to ensure your practices align with the framework.

A. Terminologies

Listed below are certain terms that you will come across in the following description, together with what each term denotes as per GDPR.

  1. Data Subject: Customer or User.
  2. Personal Data: The data related to the user.
  3. Data Processing: Operation performed on the user’s personal data, whether automated or manual.
  4. Profiling: Processing of personal data for analysing or predicting the user’s behaviour or preferences.
  5. Data Controller: A person within the organization that determines the purpose, condition and means for processing of user’s personal data.
  6. Processor: An entity that processes the data at the behest of the data controller.
  7. Supervisory Authority: The public authority established by the member state, similar to the UK’s Information Commissioner’s Office (ICO).
  8. Data Protection Officer: A person within the organization who ensures that the norms of GDPR are followed at each level of handling user’s data.

B. Principles of GDPR

  1. The data that is collected should be used for specific and explicit purpose(s) only, i.e. the reason for which the data has been captured.
  2. The data that is captured should be accurate and maintained.
  3. How long the data is to be retained needs to be specified.
  4. Data must be processed lawfully, transparently and fairly.
  5. Data must be processed securely, and the organization must be able to prove it.
  6. Data that is held must be adequate, relevant and limited to what is needed.

C. Penalties

  1. Lower Level Infringements: 10 million Euros or 2% of the worldwide annual revenue.
  2. Higher Level Infringements: 20 million Euros or 4% of the worldwide annual revenue.
  3. The organization is accountable and can be penalized for breaches.

D. Data Subject Rights (User Rights)

  1. Data Portability
  2. Data Rectification
  3. Data Erasure
  4. Profiling and Fairness
  5. Data Access
  6. Restricting the processing of data
  7. Objecting to processing of data
  8. Information Privacy

E. Data Protection Officer (DPO)

i. Need for DPO:

  1. Processing carried out by a public authority.
  2. Monitoring of data on a large scale.
  3. Large-scale processing of special categories of personal data.

ii. Circumstances where there isn’t any need for DPO:

  1. There is no processing of special categories of personal information.
  2. The group of data subjects is small.
  3. No need for data monitoring.

iii. Role of a DPO:

  1. Assisting the Data Controller and Data Processor to comply with the data protection law and avoid risks in processing the data.
  2. SPOC for handling all sorts of data protection queries.
  3. Monitoring of the GDPR compliance.
  4. Inform and advise on the data protection aspects.
  5. Determine the impact of the Data Protection Impact Assessment (DPIA).
  6. Promoting the culture of data protection within the organization.
  7. Thoroughly understanding data processing and data security.
  8. The DPO reports to the senior/top management.
  9. The Data Protection Officer is supposed to ensure that all the given principles of GDPR are adhered to.

F. Privacy and Transparency

  1. Transparency in accessing and fairness in holding personal data.
  2. Privacy Notes and T&C should be clear and easy for the customer to understand. They should be unambiguous.
  3. The details of the Data Controller and contact information should be precisely specified.
  4. Similarly, the DPO’s details and contact information should be precisely specified.
  5. The data processing activities should be done legally.
  6. Legitimate interest of the Data Controller.
  7. The data that is either held or processed should be categorized. It also needs to be specified who exactly will get that data and why.
  8. Safeguarding of the data that is either held or transferred to another country.
  9. Time duration for retaining the data, i.e. the time required for retaining must be mentioned and should be justified if questioned.
  10. The Data Subject (user) can withdraw consent, and withdrawing it should be as easy as giving it was.
  11. The user should be notified on how and whom to approach, if they want to raise their concerns, queries or grievances.
  12. The legal and contractual obligations should be disclosed, in order to provide the data.
  13. Similarly, the legal and contractual obligations for not providing the data should also be disclosed.

G. Data Holding/Storing

  1. What data has been captured, stored and processed and the reason for each of these activities.
  2. The purpose for holding the data must be documented.
  3. Moreover, the source from where the data has come should also be documented.
  4. The DPO should provide a template for recording the information.
  5. Any data that is required to be given to a third party for processing should be recorded.
  6. The data lifecycle should be documented, showing the source of the data, how it comes into the system, moves through the system and finally exits from the system.
  7. The organization should be able to prove compliance with the 6 principles of GDPR.

i. Checklist (1):

  1. When and from where has the information been obtained?
  2. The purpose for using the information.
  3. Is the captured information whole or is it partial?
  4. Has the user given explicit permission (consent) to hold and process the data for the purpose that it was captured for in the first place?

ii. Checklist (2):

  1. Is the data securely held?
  2. Has the data been passed on to others, i.e. either within or outside the organization?
  3. Are there legitimate rights to pass that information on to others?
  4. Is the action justified in relation to the processing of the data?
  5. Are all the principles and compliances of GDPR met?

H. Processing Data Lawfully

  1. Consent – The Data Subject (user) must have given consent for data to be captured and used for a specific purpose. Provision of consent should be as simple as withdrawing the same.
  2. Processing – Processing is required when there is an actual need to do so.
  3. Legal Obligation – This may be required to process data meant for a legal reason.
  4. In Public Interest – This may be required for collecting data for public service planning.
  5. Documentation – All evidence must be documented.

I. Subject Data Access Requests (SAR)

  1. Right to access – A user should have the right to obtain confirmation that their data is being processed, access to their data and other supplementary information.
  2. Does the provision for a Subject Access Request attract a fee? If yes, it is necessary to provide the information free of cost. Reasonable fees are to be charged for repeated requests, but this does not mean that charges are to be applied to all subsequent access requests.
  3. Timeline for the SAR – Information must be provided without delay and within one month of receiving the request. The time could be extended if the request is complex or there are multiple requests. The user should be informed of the extension, along with the reason for it, within one month of receiving the request.
  4. Providing Information – The identity of the person who has made the request is to be checked. The information could, if possible, also be provided remotely by giving access to a self-service system, but without compromising on the security, rights and freedom of the other users.

J. Rectification and Erasure of Data

  1. Individuals are entitled to have their personal information rectified if it is found to be inaccurate or incomplete.
  2. The user’s request for rectification must be responded to within one month of receipt.
  3. This could be extended to two months in case of complex rectification.
  4. If no action is taken by the company, then the user has the right to approach the higher supervisory authority.
  5. The ‘Right to Erasure’ is also known as the ‘Right to be Forgotten’.
  6. Also, once the user withdraws the consent, the data should be erased immediately.
  7. The data elimination could also take place owing to a user objecting to the data processing.
  8. The data elimination can also happen if the data is unlawfully processed, or due to non-compliance with the legal obligation.

K. Restricting Data Use

  1. When the data processing is restricted, the company still has the authority to hold the data but cannot process it.
  2. If the company has third-party ties, then the company is responsible for informing the third parties about the restriction on processing the data.
  3. In all circumstances, it is necessary for the company to keep the customer informed of any restriction that has either been introduced or revoked.

L. Right to Object

  1. The user has the right to object; they must be informed of this in the initial communication, and the same must be mentioned in the privacy notice too.
  2. This must be explicitly brought to the attention of the user and should be presented clearly and separately from the other set of information.
  3. The user has the right to object to processing based on legitimate interest or carried out in favor of public interest.
  4. The user also has the right to object to processing for direct marketing, scientific purposes, historical research and statistics.

M. Data Profiling

  1. Profiling is the processing of personal data to evaluate personal aspects of an individual, such as performance at work, economic situation, health, personal preferences, interests, behavior, location and movement.
  2. It is the right of a user not to be subjected to a decision, especially when it is based on automated processing, or if it leads to legal or significant ramifications for an individual.

N. Data Portability

  1. The right to data portability allows an individual to get and reuse their personal data for their own purposes across different services.
  2. This could be done by moving, copying, or transferring personal data from one IT environment to another without any hindrances in a secure manner.
  3. Once the user makes a request for the same, it is necessary to transmit the data from the existing organization to the other organization, with the prerequisite that it is technically possible.
  4. If the user makes a request for data portability, then it must be responded to without any delay and within one month. Owing to the complexity of the request, however, it could be extended to a maximum period of two months.

O. Transferring of data outside the EU

  1. Personal data may be transferred outside the EU in compliance with the conditions for transferring the data, as per the norms laid down by GDPR.
  2. The specific country or territory to which the data is to be transferred must have an adequate level of data protection.
  3. The European Commission approves the list of countries that observe an adequate level of data protection. This list is reviewed by the European Commissioner every 4 years.
  4. The commission keeps monitoring the ongoing developments in the approved countries and international organizations, since such developments can impact the decision to be taken by the commissioner.

P. Data Protection Impact Assessment (DPIA)

  1. The DPIA is a tool which can help organizations identify the most effective way to comply with their data protection obligations and meet the expectations laid down by GDPR, mainly in terms of privacy and protection.
  2. A DPIA is mainly triggered when a new technology is introduced, when certain amendments are made to the existing infrastructure, or at the inception of a project.
  3. The triggering of a DPIA will help us make informed decisions about the accountability of data protection and the risks that are associated with it.
  4. It helps in identifying and mitigating risks, assessing their possibility, and planning the implementation of appropriate solutions to the risks that are identified.
  5. The Data Controller (DC) is responsible for ensuring that the DPIA is carried out successfully.
  6. A DPIA could be triggered by internal expertise, or an external consultant should be hired.

Q. Breach Notification

  1. In case of any breach, it is necessary that the organization notifies the Supervisory Authority, especially if it is likely to put the rights of the users at stake.
  2. The notification to the users will be triggered when the rights of the user are at risk.
  3. The notification is to be sent to the supervisory authority and to the users within 72 hours of the organization becoming aware of the incident.

R. GDPR implications based on geographical location

  1. The GDPR applies to all the companies, institutions and organizations that are based within the European Union.
  2. This applies to all the people residing within the limits of the European Union, irrespective of their citizenship.
  3. The companies, institutions and organizations that are outside the EU, but are providing any sort of services to the European nations, are liable for complying with the norms of GDPR.
  4. Companies that do not store user data, but process data on behalf of some other organization(s), are also required to follow the norms of GDPR.

S. Awareness and Training

  1. Companies must create awareness among employees regarding the key GDPR requirements by conducting awareness programs for the employees; this will make them aware of their responsibilities related to the protection of data and identification of data breaches.

1. What is GDPR?

In April 2016, the European Union (EU) brought into effect what can be called Europe’s biggest IT reform and compliance measure yet. It is aimed at organizations globally and pertains to information being collected on EU citizens. The GDPR framework puts its emphasis on why information on EU citizens is collected and how organizations plan to use it.

2. Is Abara LMS GDPR Compliant?

Abara is aware of the GDPR requirements and restrictions and is completely compliant with the regulation as of June 2018. The methods and consent of collecting data and processing it are solely provided by the customers. The collection and processing of data can be governed by a contract between the customer and Abara LMS.

3. What does Abara do with your information?

As per GDPR guidelines, Abara does not sell or monetize your personal data in any way. Abara does not use your information to direct selective advertisements, promotional offers, or political, philosophical or religious messages towards you. Furthermore, only the information that is truly important for the functioning of the LMS is collected, with prior opt-in and consent.

4. Why does Abara store and process any personal data?

Abara does not need or process any personal data. Furthermore, any data loaded onto the platform can be protected and governed by a contract between the controller and Abara. However, for a digital learning platform such as Abara, the ability to track and identify learners is important in order to provide sensible reports and outputs for specific learners or a group of learners.

5. What data does Abara store and process?

As a data processor, Abara stores and processes data of learners who are registered on the LMS as current and future users. These people include administrators, customers, and users (learners). The exact type of information depends on the specific reports and analytics that have to be generated for the customer’s use. The type of data that is required is email, address, first names, and last names. In addition to this, details regarding the learner’s job roles, department, location, and other information fields that the customer deems necessary to include in the reporting and analytics feature are collected; this is strictly on the customer’s request.

6. Does Abara store any sensitive data?

No. Abara requires information that is important to the basic working of the Learning Management System, i.e. name, last name, email id, job role, department, location, and other information that the customer deems important as a part of the reports. Information on ethnicity, political views, sexual preferences, biometrics, and philosophical and religious views is deemed irrelevant and is not collected by Abara.

7. How does Abara adhere to the GDPR requirements?

Abara follows a strict set of security measures which ensure the utmost protection of all information stored on the learning management system. For reference, please view Security Applications. Furthermore, Abara does not transfer or share any personal information with third-party or external organizations. For citizens and people working within the European Union, all information is stored on servers present within the European borders.

8. Who is GDPR applicable to?

GDPR is applicable to all organizations that are present within the EU and carry out active business within its territories. It is also applicable to all businesses which are not directly present within the EU but actively carry out business with members of the EU, or businesses which consider members of the EU as clients and business associates. This applies to any business which collects data of EU members for the process of KYC. GDPR also applies to all the people residing within the limits of the European Union, irrespective of their citizenship.

To find out more about the GDPR requirements and guidelines followed by Abara LMS, refer to the document: GDPR Guidelines.