Your Moodle Website and GDPR Compliance – What You Need to Know (and Do)

Pinakin Vitkare

GDPR – General Data Protection Regulation has been a “hot topic” during our watercooler talks lately. As the deadline draws near, the discussions are mostly about 1) the changes to be done on our website, which are underway and 2) the confusion many clients have.

It’s been in my experience too. I’ve had a couple of clients ask me about the regulations and the changes they would need to do.

Which gets me to think, you probably have some questions too.

But first, let’s get past the “what’s, what”.

“What is GDPR? And why do I need to be GDPR compliant?”

On 24th May 2016 (yes, that long-a-time ago), The European Union brought the General Data Protection Regulation (GDPR) into force. These regulations will be directly applicable on 25th May 2018— two years after it was announced, but a month from now.

GDPR aims to protect the data of the people in the European Union.

It contains privacy rules and laws, to prevent individuals, businesses, educational institutions (that’s you), located in the EU, from collecting or storing user data without “explicit consent”.

With GDPR, users will have control over their personal data, a right to view it and edit it or delete it at will. They’ll also have to be fully aware of why their data is being collected and how it will be used.

“But GDPR is only for EU right? My website isn’t in Europe”

Yes. GDPR is applicable to the data of people in the EU, or businesses running in EU.

So, while it isn’t applicable when you collect data from your American or Asian students, it is applicable if you collect data of any European students or if your servers are in EU (which means it applies to all data stored on those servers).

If you’re 100% sure that your servers aren’t in the EU, and you do not (and will not) have any students, teachers, managers, customers, from the EU (because your website isn’t accessible in EU), you honestly do not have to bother.

However, considering the regulations are slowly going to be adopted by all the countries, it’s worth taking a look at the GDPR compliance checklist, to make sure you’re clear of any consequences.

(GDPR checklist – download option).

“I have students from Europe” OR “I don’t know if my students are (or will be) from the EU”

That’s okay.

Like you, most Moodlepreneurs are in this situation. As long as you make things clear to students or members as to why you need their data, how you plan on using it, and how they can view and edit it.

You can do this by sending a newsletter explaining an update in your policies, and making sure they fully understand the terms.

Not as simple as it sounds, but we’ll get to the details of what needs to be done.

“What happens if I break one or maybe a couple of rules?”

Not much, if you can afford it.

If a complaint is lodged, and you’re caught, you can face anywhere between €20 million to 2-4% of your global profits (whichever is higher).

Once again, not much, if you can afford it.

“What do I need to do?”

Coming to the most important question—”what do you need to do?’.

You need to make data collection as transparent as possible.

Let’s take for example student enrollment. When a student enrolls to your site, you have to clearly state your privacy policy— that explains in simple terms what the data will be used for (to send notifications, or course update information, or purchase offers).

It should also state when the information will be deleted (either on course completion, student unenrollment or profile deletion).

If you have a contact form, where you’re collecting personal information, you should have a disclaimer clearly stated.

Students, teachers, managers should have access to their student profile. They should be able to edit the information or should be able to completely delete it.

To understand the terms completely, here are a few resources you need to go through:-

• An overview of GDPR

• The final version of the regulation

• GDPR compliance and Moodle

The documents can be quite heavy to process, so I’ve tried to draw a few points from those and come up with some points of consideration below (the compliance checklist at the end can help too).

How to make your Moodle website GDPR compliant

To make your website GDPR compliant, you will need to take the following measures.

Step #1: Making the System (Moodle) GDPR Compliant

Moodle has up taken GDPR compliance and is working towards aligning the system with the regulations.

The simplest way to do for you to be compliant is to upgrade to Moodle 3.4.2+ and use the plugins:

• Policies plugin: updates the new user sign-on process. You’ll be able to define multiple policies and track user consents. You can also add versions to your policy documents and update them.
  
• Data privacy plugin: provides users a way to submit a request to retrieve their information from a few core Moodle plugins (Choice Activity Module, HTML Block, User Tours).
  Site administrators and privacy officers will have an option to process these requests.

These plugins will be standard in Moodle 3.5 (Moodle 3.5 expected to be released on 14th May 2018).

The lowest Moodle version compliant with GDPR will be 3.3, so if you’re using a lower version, and aren’t planning on an update, you need to reconsider asap.

With the upgraded Moodle version, you’ll have features included to manage new user onboarding and access to user data.

When it comes to onboarding new users, Moodle will take care of:

• Displaying your privacy statements (all the required ones)
• Listing and requesting consent for all 3rd-party systems/companies who may use/store the user data
• Creating a process to accept consent for minors using the system
• Capturing and recording each specific consent given by a user

Moodle will also take care of complying with data access requests by users:

• Retrieving all user data present on Moodle
• Erasing all identifiable data upon request
• Updating the data as required by the user

To find your Moodle version: Go to Site administration → Notifications

Using an Older Moodle Version

If you aren’t planning on updating Moodle, you’ll have to take care that you take all the measures Moodle would’ve handled otherwise:

• You need to clearly define a site or privacy policy and make sure users (existing and new) fully understand and accept the policy. They need to be aware of their rights and the method through which they can exercise these rights.
• If you have minor students (students below the age of 16 or 13 in some cases), you need to implement a process by which you accept the consent of a guardian for the site policy.
  Make sure only required amount of information is collected and stored for a limited time.
• If the data you’re collecting sensitive data (few examples include racial profiling, political opinion, religious views, biometric data, criminal convictions) that can be used against the users or can in anyway risk their freedom, you should perform a Data Protection Impact Assessment. You’ll need legal advice to accurately implement this.
• You must explicitly ask for consent for any data you collect for purposes other than user onboarding (for example, marketing and for internal research), or for data used by 3rd-party applications (Google analytics, LTI, Repositories (Google Docs, OneDrive etc), Authentication systems, Hosting systems etc).
  If data is collected anonymously, unambiguous consent can be used. You can use the Moodle Local Anonymise plugin to anonymize all the data.
• Follow best practices and procedures to ensure data security. Best practices include encryption of identifiable personal data, maintenance of confidentiality and integrity by processing systems, ability to restore access to personal data on technical errors, use of security protocols (https://), updating systems on regular basis to ensure security, keeping personal data only for the required (or limited) duration.
• In case of data breaches, you need to notify affected users within 72 hours, and let them know if personal data has been disclosed.
• You should provide an option for Moodle users to request their personal data (to be viewed, edited or deleted). The process for the same, should be mentioned in your site’s policy.
  This can be through the user profile or an explicit request could be sent and handled via email.
• You need to implement the “Right to be forgotten” policy, where a user has the right to request deletion of identifiable and traceable personal data.
  This can be taken care of automatically upon course unenrollment or profile deletion. Records of personal data can be obtained from the “Site Administration -> Reports -> Logs”.

If you have more than 250 employees, you need to appoint a Data Protection officer (could also be an existing employee) to manage IT processes, data security (deal with cyber-attacks), and to ensure smooth operation of the business and processing of sensitive personal data.

Using 3rd-party Plugins

If you’re using 3rd-party plugins (or themes), make sure those are GDPR compliant as well. If you don’t know the process involved, talk to the developer.

If the plugin collects user data, you want to make sure the data is provided to the user on request or is deleted when other user data is deleted. The plugin owners should take care of this.

#2 Updating Your Site Policy

Your site or privacy policy is an important document towards GDPR compliance. Every user (existing and new) should accept your site policy before continuing to use your website. Every update should be clearly notified.

You have to write the site policy in simple, easy-to-understand language and should contain the following:

• What information is collected, the purpose of collecting the information, and how the information will be processed.
• If the purpose of data collection is marketing, there should be a separate acceptance option, which can be revoked if required.
• The site (onsite, cloud, 3rd-party service) where the data will be stored should also be listed, and how a user can contact the site.
• The list of rights the user has on the data (view, edit, retrieve, delete, port)
• The length of time the data will be stored for (or instances when the data will be deleted automatically)
• The process by which a user can withdraw consent
• The process by which personal data can be edited or downloaded
• List of 3rd-party applications and services (LTI, portfolios, plagiarism, repositories, authentication etc.) the data will be shared with including:
  • The contact details of the data protection officer for each
  • The privacy policy for each (any update in the privacy policy should also be communicated to the users)

The site policy should be easily accessible to any user at any time.

Moodle 3.3 onwards will take care of notifying new users of the site policy and acquiring consent, versioning your site policy, and making sure users are updated about the changes.

For Moodle versions below 3.3, you’ll have to implement these processes yourself.

#3 Requesting Explicit Consent

Now, the most important part is making sure users fully understand your site policy and terms and willfully accept them. For this, you will need the user’s explicit consent.

If you’ve read up about consents and GDPR, you’ll notice there are two kinds of consents— explicit and unambiguous. You’ll need a user’s explicit consent for your site or privacy policy, during a purchase, or for your marketing activities.

Moodle recommends a two-stage verification process for explicit consent, where the acceptance of the terms should be confirmed via an email id or other means.

For user enrollment, 3rd-party applications, consent will be part of the site policy. But in case of marketing activities, you will need a separate acceptance option.

Here’s how it goes.

Your marketing activities involve the collection of email ids so that promotional content could be sent. And that’s great for you!

But the users might think of this as spammy content. Especially if they don’t realize what they’ve signed up for. Your task is to make it clear, that’s all.

#1 No automatic subscriptions

If you automatically sign-up a user to your newsletters on:

• User registration
• Product purchase
• Download of free resources (like PDFs, or webinar subscription)

… you’ll need to change your process.

This won’t do. You’ll need to explicitly request the user’s acceptance to receive promotional content. And that does not mean unambiguous consent (where you simply state the terms), you need to provide an explicit checkbox which a user needs to select so that promotional content can be sent.

For example:

Image courtesy: SendInBlue

#2 Offer opt-in instead of opt-out

You should ask consent for newsletters or promotional offers to be sent. You can’t sign-up users for promotional offers and then offer an opt-out option. This goes against privacy policies because you’re signing up a user without their permission.

For example:

Image courtesy: SendInBlue

#3 Do not combine multiple subscription options into one

Keep each subscription option as an independent option for acceptance. For example, if you plan on sending weekly newsletters, marketing offers, company announcements, course updates, each should be offered as a separate option to the user.

Image courtesy: SendInBlue

The user should also have the possibility to update their subscription preferences (at a later point in time) using which, independent options can be deselected (or selected).

#4 Keep it simple

Make sure you ask only for the required information and nothing more. For example, an email address is required at most to send promotional and weekly newsletters. Asking for a person’s gender, country of residence (when not needed), should be avoided.

For example:

Image courtesy: SendInBlue

Handling Information stored in Cookies

Coming to the case of cookies.

A cookie is a very small file that’s downloaded on a user’s device when they visit your website. You might be using them or (might have seen them in use). Cookies are of two types—essential and non-essential. Essential cookies are required for the website to run smoothly and provide the information requested by the user.

All the other cookies are considered non-essential (such as for analytics or affiliates). GDPR is concerns the non-essential cookies.

You must’ve noticed a similar pop-up when you visit a website “By using this website, you accept cookies”.  You might have a similar pop-up on your site, and that’s when you need to be concerned. The EU law proposed to change this.

If the cookie accepts personal data, the user should have a choice whether or not they want to provide the data. Users should also be able to withdraw consent as easily as they provide it.

It’s a bit tricky as to which cookies fall under this criterion (mostly cookies used for analytics, chats, surveys might be affected).

If you haven’t thought of how you will be implementing this (in case your site accepts cookies), you’ll have to talk to your developer soon.

To tread on the side of caution, talk to your developer even if you do not know if your site accepts personal data in form of cookies.

Updating Push Notifications

Push notifications are on-site notifications users receive when they are on your site. These could be a new announcement, blog post, offer or more. Not that all websites have these, but we do, so here’s the investigation we’ve done.

Push notifications always require an explicit consent by a website visitor, so you’re on the clear there.

But, among other things you have to make sure that the user’s IP address (used to send across a notification) is anonymized or a randomly generated ID is used for the subscriber, to shield the user’s identity.

Users should have an option to request for personal information and the right to opt-out of data tracking.

If you’re using a 3rd-party plugin or service, make sure you verify with them if data and privacy protection measures have been implemented.

#4 Following Data Protection Best Practices

Data protection best practices isn’t a concept GDPR has introduced. But following these practices will help make your site GDPR compliant.

• Make sure only the required amount of data is collected
• Implement a robust security program that monitors and reports malicious activity
• Regularly update passwords
• Reduce access to personal information
• Safeguard social media activities (avoid sharing personal student information)
• Keep processes transparent and visible
• Practice privacy by design. Make privacy setting as default and respect user privacy

Wrapping Up

The rules listed by the European Union are an attempt to hand users the control over their data and make the online interaction experience secure and stress-free. In light of the current Facebook data scandal, this seems to be a step in the right direction.

Implementing the policies though, well, that’s a mammoth task. I’ve tried to cover the most of it, but there’s a lot more that should be considered on a case-to-case basis. To be completely sure that your training website is GDPR compliant, apart from doing the above, it’s best to consult your lawyer or a Moodle developer.

Thank-you!

Join Us on Facebook

Check out our group on Facebook, ‘Moodle Tips & Tricks’ – the name says it all. We’d love it if you impart some of your Moodle wisdom and contribute to the treasure trove of tips and tricks!