What You Need to Know: GDPR & xAPI

     

Everyone seems to be talking about the General Data Protection Regulation (GDPR) right now. But what is it, and how will it affect xAPI and Learning Record Stores? Find out more as we explain everything you need to know about this important set of privacy regulations.


What is GDPR?

The General Data Protection Regulation (GDPR) is a set of regulations designed to accomplish two primary objectives:

  1. ensure the privacy and security of European Union (EU) residents and their personal data (any information relating to an identified or identifiable natural person), and
  2. streamline data protection laws across the EU.

When GDPR goes into effect on May 25, 2018, any organization that resides in the EU or processes personal data of EU residents to provide goods or services will have to ensure they abide by its rules and regulations. The key elements of GDPR are:

  • Establishment of the rights of the data subject (see the following graphic)
  • Definition of the controller/processor relationship
  • A special focus on security of processing
  • Data transfers to third countries or international organizations
  • Supervision, remedies, and liabilities

GDPR Data Rights via lawinfographic.com(image via lawinfographic.com)

Will GDPR affect xAPI and Learning Record Stores?

xAPI as a specification isn't really impacted by GDPR, although GDPR will affect how it's implemented in certain situations. GDPR requires “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” 

An example of how this affects implementation is a decision about whether to use HTTPS-Only. According to the xAPI specification, implementors are encouraged to use HTTPS-Only for secure communication, but that’s an implementation recommendation—not a requirement and has nothing to do with an actual xAPI statement. 

It’s also worth noting that in some areas, such as the quote above, GDPR leaves some interpretation as to what may be considered appropriate measures. However, we get some additional clarity on how to ensure the security of data processing in Article 32, with the caveat that the following suggestions are subject to scope, context, and the nature of processing:

  • pseudonymization and encryption of personal data

  • ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems

  • ability to restore the availability and access to personal data in a timely manner in the event of an incident

  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

The pseudonymization and encryption of data is partly covered in the xAPI specification, but based on the context of why the data is being processed this may not be necessary. For instance, you can use mbox_sha1sum as an identifier to avoid directly revealing a user’s email address in an xAPI statement. We’ve satisfied this need as a flexible option within the LRS; Watershed provides different user roles that enable certain users to see individually identifiable data, while others only see anonymized data. Even though the xAPI specification details how to authenticate into an LRS, there are other considerations to take into account—such as, is all the data stored in your LRS encrypted at rest? It should be.

Ensuring ongoing confidentiality and integrity of systems is achieved by a mix of LRS functionality and company policies. Watershed has built and continues to maintain a comprehensive information security policy, and access to our internal systems requires two-factor authentication as well as secure network connections over VPN to private resources that are not exposed to the public internet.

Part of our information security policy also details our incident response plan and our process for testing organizational security measures. All technology providers, whether xAPI or not, need comprehensive information security policies and procedures, as well as application functionality to support the rights of data subjects. It is also important for Learning Record Providers and Learning Record Stores to understand their relationships with their clients to establish controller/processor relationships and data processing addendums/model clauses where necessary.


Recommended Resource

xAPI Case Study: Volume & Privacy
Hear how PwC is rolling out xAPI to different territories and hundreds of thousands of users across the world with multi-LRS systems.


What about xAPI and data privacy?

GDPR Data Protection

So far, we’ve focused on security, but there are also features and/or business processes necessary to support each of the rights of a data subject (which previously existed but GDPR has enhanced). xAPI actually makes supporting some of these new rights very straightforward, such as the right to data portability. Other rights require more effort and understanding to respect. For example, the right to restrict processing means that an EU resident can object to non-legitimate (e.g., non-learning) data processing.


What about Watershed?

When it comes to data portability, Watershed can push xAPI statement data about a data subject directly to another system that supports xAPI, or this data can be provided via a downloadable file. Watershed also has the ability to add role-based filters and permissions that introduce an extremely granular level of control over what data can and can’t be processed.


The last piece of GDPR that is relevant to xAPI and LRS pertains to when data must exit the European Union. GDPR states that the transfer of personal data to a third country or an international organization can only be done if the controller or processor has provided appropriate safeguards, and such that enforceable remedies are available.

The Privacy Shield framework was designed by the U.S. Department of Commerce and the European Commission to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.


What about Watershed?

To this extent, Watershed maintains an active certification with the EU-US Privacy Shield to allow for transfer of personal data from the European Economic Area to the United States. Additionally, Watershed’s infrastructure provides the ability to utilize hosting facilities located within the EU so personal data stays in the EU.


Ready to be a Data Protection Officer?

As you can tell, GDPR is a comprehensive legislation that requires more attention than a simple app to adhere to a handful of the rights of a data subject. That’s why I hope this blog post adds a bit more clarity, as opposed to creating more questions.

However, if you still have questions, download the following eGuide for more helpful resources. Or, if you're interested in more details about Watershed's GDPR functionality, feel free to contact me directly.

Guide: What is GDPR?

Tim Dickinson

About The Author

As Watershed’s Director of Learning Analytics Strategy, Tim Dickinson is skilled in leading organizations through strategic changes, getting positive results through learning analytics, and translating complex ideas and trends into easy-to-understand explanations.