GDPR: Get ready

In this new vlog, Learning Consultant 'Seffy' Sefton-Smith takes a look at the incoming GDPR legislation which will change the way all organisations use personal learner and customer data.

An expert on designing award-winning learning solutions, Seffy looks at how the new regulations will affect the nuts-and-bolts of digital learning design:

For those who'd rather read than watch, here's a transcript:

You've probably heard about the new EU data privacy laws that will be coming into force in less than a years' time.

There's no doubt GDPR is going to shake things up, redefining what's classified as personal data to include things like biometrics, IP addresses, social data, and more. It's going to give us more rights around how our information is collected and used, and control over accessing that data – and wiping it if we wish.

And for businesses the stakes are high – there are some pretty hefty punishments if you're not compliant.

OK, so some of you might have switched off as soon as I said the compliance word – it's not generally something that fills people with excitement. But I think there could be some really interesting opportunities to come out of this, notably around transparency and how we can build trust with our clients, partners, and in our case, end-learners.

If you forget about the compliance angle for a moment and flip it around to thinking about your client, and ultimately the end-learner. One of the core concepts behind the new legislation is that of 'privacy by design' or 'by default'.

Now we've spent recent years including more and more live data within our solutions to personalise learning, and add gamified or social features. Inevitably, there's a lot of data being captured behind the scenes. So as designers the new legislation will definitely pose some challenges we'll have to work through.

Let's think about something like a pre-joiner portal for new starters. Suppose we set them up with access to a site where they can find out about their new employer, take some e-Learning, perhaps there are games or other activities where they can earn points, and a community feature where they can upload their photo, take part in polls, and start building connections with their colleagues.

So what happens when that employee leaves the company? Or perhaps they never even started after all?

What happens to their contributions – the community posts, the live data in scoreboards and polls? Perhaps rather than removing it altogether we can carry out pseudonymisation (if you can say it!) where data is masked so it can't reveal the individual's identity, but it can still be used.

And what if that individual doesn't give their consent for their data to be used in the first place – how can we design a solution which still gives them a meaningful experience, even if they've actively opted out?

There will be plenty to think about, and this is where shifting our thinking to 'privacy by default' will help us design solutions where data privacy is baked-in from the start – and ultimately the end-user experience is improved.

This will mean mapping out all the touchpoints where data is gathered against the learner journey – where it's held, and who can access it. We'll need to check we're not collecting more data than we actually need. We'll need to make sure that the learner is made aware of how their data's being collected and used, and is asked for their direct consent. And we'll need to give them a channel to request their data or ask for it to be removed.

Now these are things which we would certainly have considered before, but often as an afterthought. Getting them right from the start will help us reassure our clients and our end-learners that we respect and care about their data privacy.

So, GDPR is more than just a box-ticking exercise. Above all else, it's a way of assuring your customers and partners that you value their data privacy – build their trust and build your business.

That's the concept. And putting it into practice will involve rolling up our sleeves and getting on with some substantial tasks, such as raising awareness with your staff and carrying out detailed process training – the nitty gritty around:

  • How you put your policies into action
  • When and how you delete data
  • How you ask for consent
  • How you respond to an information access request.

This will be unique to every business and we can design a bespoke learning solution to help.

That's what we do, and we're really excited by the opportunities GDPR presents for rethinking personal business data.

If you are too, or if you’d like to chat to me or one of our experts about any of the things in this video… then get in touch!