Disclaimer: This page is not an exhaustive analysis of the GDPR and should not be considered legal advice. This information is meant to provide background and help you better understand Thinkific’s strategy to comply with the GDPR.
Looking for our Data Processing Addendum (DPA)? Check it out here: Thinkific DPA
The General Data Protection Regulation (GDPR) is a significant update to European privacy legislation that strengthens the rights of individuals and increases the obligations on organizations to protect personal data. The GDPR affects any Thinkific customer based in Europe, as well as any customer, wherever they are based, that has European students/subscribers (“learners”) enrolled in their courses.
As your partner in online education, we know how important privacy is, and we're committed to supporting you in preparing for the GDPR. We’ve prepared this guide to help you identify some topics that might pertain to your course(s) and the GDPR and some specific questions that you should be considering in advance of the new regulations going into effect on May 25, 2018.
For more information on the GDPR you can visit the following sites that provide more specific information and guidance:
Note: We're your partner in online education but we’re by no means policy experts. We recommend consulting with a lawyer to figure out exactly how you need to prepare. Although here at Thinkific we’re making our own preparations for the GDPR, you will also need to make some of your own to ensure that your site is compliant.
For example, since we give course creators full control of their data and integrations there is data handling and processing that can happen outside of our platform and outside of our control, which is why you’ll also need to prepare for GDPR on your side. Please read on for more information on how to go about that.
Collection of personal data
Under the GDPR, personal data is any information that, on its own or in combination with other data, can be used to identify an individual. Examples of personal data include a name, mailing address, email address, social media information, and digital identifiers such as an IP address or even a cookie ID. The GDPR gives individuals within the EU rights over how that data is processed.
To understand the impact around the collection of personal data, think about the following questions as they relate to Thinkific and your online course:
Do you have learners from the European Union enrolled in your online course?
What specific personal information are you collecting from your learners to administer your online course? Personal data includes name, email, location information, or identifiers such as an IP address or even a cookie ID.
Some kinds of data are more sensitive than others and are treated by the GDPR as “special categories” of personal data, such as data about ethnicity, health, religious beliefs, or political opinions. Consider whether you are collecting any of this kind of information in the administration of your course and whether you truly need to collect it.
If your course uses third party applications (like an email service provider, or marketing analytics tool) to help you administer your service, you should find out if they collect and process data in accordance with the GDPR.
Getting consent from your learners
Under the GDPR you may need to obtain consent to process the personal data of your learners, or change how you currently obtain that consent. In particular, the GDPR requires that consent be "freely given, specific, informed and unambiguous." Pre-ticked boxes or silence do not count as consent. For example, if you use online advertising or retargeting apps, you may need a more explicit form of consent. Think through the following as it relates to your online course:
Do you need to get a more specific consent/opt-in from learners because of the personal information that you or a third-party app processes?
Do you need to change your processes to get affirmative, opt-in consent for processing personal data (that you or a third party is processing)?
Collecting information from minors
Ensure that you are not collecting the personal information of minors as part of your course administration without parental consent. Under the GDPR, where you rely on consent to offer an online service directly to a child, that consent must come from a parent or guardian for children under 16 (individual EU member states may lower this age to as low as 13).
Receiving GDPR data requests
The GDPR includes specific terms around an individual's right to access and control their personal data. You should think through your ability to respond to one of these kinds of requests. If you believe that you’d be unable to fulfill one of these requests you may want to consider modifying how you process the personal data of your learners.
If a student were to contact you about understanding what data you have collected about them would you be able to fulfill that request?
Most of the information processed by Thinkific is available to you in your course dashboard. Thinkific may provide support in fulfilling such a request once you have attempted to fulfill it yourself.
You can find more information about how you can manage and administer the data related to your students through Thinkific in the Admins & Reports section here.
Responding to subject access requests and portability
The GDPR gives individuals the right, in certain circumstances, to request a copy of the personal data that an organization is processing about them. You must be able to provide your learners with a copy of their personal data in a structured, commonly used and machine-readable format so that they can take that data to a different service provider. Consider the following questions:
Upon receiving such a request, what data would you need to provide?
What format would you be able to provide this data in (e.g. CSV)?
Do you need to change how you process learner information to be able to provide this data?
If you’re using third parties, think through who you would need to contact in order to process and fulfill an access request.
Thinkific allows you to export student data in a CSV format to help comply with these provisions. You can find more information about how you can manage and export the data related to your students through Thinkific in the Admins & Reports section here.
Erasure and restriction of processing
The GDPR gives individuals the right, in certain situations, to request that their personal data be erased, or that an organization restrict the processing of their personal data. You should consider whether you might be obligated to erase or restrict the processing of your learners' data in response to such a request. If you need to fulfill an erasure request, here's what you need to know:
If such a request comes in, you can erase the data of an individual learner from your course dashboard by deleting the student. Before you fulfill a request, consider whether you need to retain the data for any legal reason (for example, tax or accounting records) and whether you can verify the identity of the requestor, so that you do not delete or disclose a learner's data on the strength of a request from someone impersonating them.
If you receive one of these requests you can contact Thinkific at firstname.lastname@example.org to finalize the deletion process. Note: Thinkific cannot complete these requests on behalf of a customer, a customer must delete the student from the 'Users' section of their course dashboard.
Notification of data breaches
We take security very seriously, and everything you store on Thinkific is maintained and stored in a secure manner. However, if you experience a data breach and the GDPR applies to you, you may be required to notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and to notify affected individuals without undue delay if the breach is likely to result in a high risk to them. The clock starts when you become aware of the breach, not when you finish investigating it, so if you don't already have a data breach response plan for your business, consider preparing one: who is contacted, how the scope of the breach is established, and who decides on notification.
The GDPR has specific requirements for organizations that use third party service providers to process the personal data of their users, including having a written contract with each provider (this is what our Data Processing Addendum, linked at the top of this page, is for). We recommend reviewing the privacy practices of the service providers that you use, including Thinkific, to make sure that they adequately protect your learners' personal data.
Do you need a Data Protection Officer?
A Data Protection Officer (DPO) is an independent expert who advises an organization on its data protection obligations and monitors its compliance with them; the organization itself remains responsible for how it collects and processes personal data. The GDPR assigns specific tasks to a DPO, such as advising on data protection impact assessments when your organization changes how it collects and processes personal data, and acting as the contact point for supervisory authorities and individuals. Consider whether you are required to appoint a DPO to advise on your compliance with the GDPR.
Specifically, you may require a DPO if:
You are a public authority or body;
The core activities of your business involve large scale, regular and systematic monitoring of individuals; or
The core activities of your business consist of large-scale processing of special categories of data or data related to criminal convictions and offenses.
You can find out more information about DPOs here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/
Thinkific wants to help you, to the extent that we can, with preparing for the GDPR. However, compliance and preparation will vary depending on your course/site itself, how you have implemented and used third parties, and the extent to which you have previously considered learner privacy. We'll do our best to help you prepare, but you may wish to consult a lawyer or legal counsel if you feel you're particularly affected by, or under-prepared for, the GDPR.