THE GENERAL DATA PROTECTION REGULATION (GDPR)
GDPR stands for the General Data Protection Regulation. The GDPR is the new European Union (“EU”) law that regulates the personal data of individuals in the EU. It replaces the EU Data Protection Directive, the EU’s current privacy law, which was been in place since 1995. The GDPR harmonises data protection law across Europe and introduces sweeping changes that require companies to make significant updates to their privacy and security policies and practices.
Instructure is committed to helping our customers comply with GDPR.
WHEN DID THE GDPR BECOME ENFORCEABLE?
The GDPR became enforceable on May 25, 2018. From that time, companies are legally required to comply with the GDPR.
WHAT DOES THE GDPR APPLY TO?
GDPR applies to the personal data of individuals in the EU. Personal data is defined as any type of information that identifies or can be linked to an individual. In addition to the usual types of personal data (i.e., name, address, phone number), this definition can also include information such as an IP address or device identifier. The GDPR requires entities to handle personal data in specific ways and gives individuals new rights related to the processing of their personal data, among other obligations.
WHAT ACTIONS DID INSTRUCTURE TAKE TO COMPLY WITH GDPR?
Instructure put implementation actions into place to comply with the European Commission’s replacement law for the Data Protection Directive 95/46/EC, the General Data Protection Regulation (“GDPR”), before the enforcement date (25 May 2018).
To ensure GDPR readiness, Instructure completed the following:
- Educated the organisation about GDPR and its requirements.
- Conducted a GDPR gap analysis with the help of a reputable outside law firm experienced with GDPR.
- Documented the personal data Instructure holds, where it came from, and who Instructure may share it with.
- Reviewed current privacy notices and made any necessary changes in time for GDPR implementation.
- Ensured existing procedures covered all the rights individuals have under GDPR, including deleting personal data.
- Identified our lawful basis for processing personal data, documented it, and updated our privacy notice to explain it to individuals.
- Reviewed how Instructure obtains, records, and manages consent.
- Reviewed and updated contracts with third parties to ensure our privacy obligations are current.
- Ensured the right procedures are in place to detect, report, and investigate a personal data breach.
- Created processes for Data Protection Impact Assessments.
- Appointed a Data Protection Officer.
SAFEGUARDS FOR CROSS-BORDER DATA TRANSFER
One of the GDPR’s requirements is that any personal data transferred “cross-border”, i.e., outside of the EU, can only be moved pursuant to a legal mechanism. The Privacy Shield Framework is one legal mechanism to make these cross-border data transfers to the United States legitimate. Instructure self-certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield in November 2017 and our certification remains in good standing, which helps us comply with this requirement of the GDPR.
Instructure also uses the European Commission’s Standard Contractual Clauses (model clauses) as an alternative, lawful method to transfer personal data outside the EU. By incorporating these model clauses into Instructure’s Data Processing Addendum (“DPA”), both data controllers (Instructure’s EU-based customers) and data processors (Instructure) are contractually obligated to certain technical and organisational safeguards relating to individuals’ (Instructure’s EU-based customers’ end users) privacy rights.
DID INSTRUCTURE CONDUCT ANY MAJOR CHANGES TO ITS PRACTICES AS PART OF COMPLIANCE WITH GDPR?
Instructure has always taken privacy seriously. We have a longstanding practice of undertaking internal privacy assessments of our products and of adopting a “privacy by design” approach to product development. We built our GDPR compliance efforts on this foundation, including the definition of procedures to cover all rights individuals have under GDPR. In addition, Instructure appointed a Data Protection Officer to oversee our internal “privacy by design” efforts.
Please contact us at [email protected] for more information.