The General Data Protection Regulation (GDPR) is a comprehensive legislative framework established by the European Union (EU) to protect individuals' personal data and privacy. Its main purposes are to give individuals (known as ‘data subjects’ in the legislation) greater control over their personal data, and to harmonise data privacy laws across Europe.
GDPR is a large, complex piece of legislation but, in effect, it does three main things:
There’s a lot to cover here, even within the relatively narrow scope of online testing and training. So with the understanding that a single blog post isn’t a comprehensive guide to GDPR, let’s get into some of the most relevant points.
GDPR applies to all organisations operating within the EU, as well as to those outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. A ‘data subject,’ in this case, is anyone whose personal data is being collected; ‘in the EU’ means just that — anyone physically in the EU, regardless of their nationality or residency.
Let’s consider a few examples:
A Canadian health and safety training company that offers courses for students in Ontario, Alberta and British Columbia: Not subject to GDPR
A New York City-based online university offering degree programs to students worldwide: Subject to GDPR for data subjects in the EU
A Belgium-based flight training academy: Subject to GDPR
In short, GDPR’s extraterritorial scope means that even global companies must adhere to GDPR when dealing with EU data.
So that covers ‘who.’ An equally important question is ‘what’ — what kind of data falls under the auspices of GDPR, and how can organisations handle it in a compliant manner?
GDPR covers both traditional personally identifiable information (PII), such as names, email addresses and postal addresses, and biometric data, which is increasingly relevant to the world of online testing.
GDPR only applies to data collected or shared for commercial purposes. It doesn’t cover any activity related to personal communication (i.e., texting your friend Pierre your address isn’t a GDPR violation) or anything related to law enforcement or national security.
GDPR means that any organisation offering online training, testing or proctoring for students in the EU must be accountable for the data it collects, stores and shares. It must be able to justify why data was collected, how it is stored, who has access to it, and when it will be removed or anonymised.
Critically, data subjects must opt in to sharing their personal data; it’s not enough to ask for permission after the fact, or to assume consent without explicitly obtaining it. Protections for this must be built in from a subject’s first interaction; at any point, they must be able to access their personal data and request its removal. Organisations must be able to comply with these requests within a reasonable timeframe.
Privacy Impact Assessments (PIAs) are essential for protecting personal data and ensuring compliance with GDPR. They help organisations spot and address potential privacy risks early on. By conducting a PIA, organisations can make sure they handle personal information responsibly, build trust with learners, and avoid legal issues.
Organisations must report all data breaches or other activities that could result in financial loss or identity theft to both the data subject and the appropriate regional authority (in the UK, it’s the Information Commissioner's Office (ICO)).
The full English text of the EU resolution establishing GDPR is more than 75 pages long. It is primarily focused on outcomes, rather than prescriptions; in other words, it aims to tell organisations what to do, but not how to do it.
To illustrate the potential complexities of this, we can look at one activity that’s very common in online testing: using a photograph of a government-issued ID to verify a participant’s identity. To maintain compliance with GDPR’s Article 5, “Principles relating to processing of personal data,” an organisation that is verifying IDs online would need to:
Sound like a lot? It is, and there’s a reason why many organisations may be tempted to keep ID verification to a minimum. But there’s a downside to that, too.
Organisations that offer training online generally want the learner experience to be easy to use, non-invasive and, of course, compliant with all relevant regulations. They also want it to maintain the same high standards as in-person training. This creates what can feel like an unwinnable dilemma: do I put in place invasive proctoring controls and risk a GDPR violation, or do I remove restrictions and risk fraud or liability issues?
The growth of online testing has led to increasingly strict requirements for proctoring and academic integrity more broadly. In the UK, Ofqual guidelines clearly state the need for proctored testing. What happens when these requirements conflict with data privacy regulations like GDPR?
Ultimately, this conflict isn’t as irreconcilable as it seems. Proctoring software must detect and deter unethical behaviour without excessively intruding on privacy. Integrity Advocate works with clients to find organisationally specific, nuanced approaches based on a balanced consideration of all legislative expectations. Read our GDPR compliance brief here.