GDPR and your LMS: staying GDPR compliant with Moodle or Totara

How to ensure GDPR compliance when using an LMS like Moodle LMS or Totara Learn.

Since the EU’s General Data Protection Regulation came into effect in 2018, followed by the post-Brexit equivalent UK GDPR, organisations in the UK and EU — as well as those handling the data of EU customers — have had to put in place measures to ensure their processes are GDPR compliant.

The world of e-learning is no exception and a learning management system, which typically holds a lot of user data, is an area in which action needs to be taken in order to ensure GDPR compliance.

How GDPR impacts your LMS  

The relationship between GDPR and your LMS needs to be in accordance with the seven principles of GDPR:

Lawfulness, fairness and transparency

Do you identify a lawful basis for collecting and using personal data via your LMS? Do you ensure that your use of the data is legal, fair and clear?

Purpose limitation

Do you clarify and record your reasons for processing personal data via your LMS from the start?

Data minimisation

Do you have processes in place to ensure the personal data collected via your LMS is adequate to fulfil your purpose for collecting it, relevant to that purpose and limited to what is necessary for that purpose?

Accuracy

Do you take measures to ensure the accuracy of personal data held on your LMS?

Storage limitation

Do you have plans in place to only keep personal data on your LMS for as long as you need it?

Integrity and confidentiality (security)

Do you ensure that you have appropriate security measures in place to protect personal data held on your LMS?

Accountability

Do you have appropriate measures and records in place to take responsibility for what you do with personal data on your LMS and to comply with the other six principles.

GDPR and Moodle LMS  

If you’re currently collecting user data via Moodle LMS, there are some simple measures you can put in place to help you to ensure GDPR compliance.

• The Moodle LMS Policies plugin makes it easy to define a privacy or site policy, which is then displayed for users to accept before using your LMS.
• The Moodle LMS Data Privacy plugin helps your organisation to handle data requisitions, including those around downloads, exports and deletion of user data.

Both plugins are available as standard in recent Moodle LMS versions. We should stress that installing the plugins alone does not guarantee GDPR compliance. You will need to define the policies according to the specifics of your organisation’s data privacy circumstances, and adhere to them.

Between the plugins and some amendments to the core platform, Moodle LMS will be able to help you maintain GDPR compliance when:

• Onboarding of new users
• Identifying minors
• Versioning privacy policies
• Tracking user consents
• Handling of subject access requests 
• Handling deletion requests
• Maintaining a data registry

GDPR and Totara Learn

Totara Learn also offers a series of data protection features and user data management tools to help you manage GDPR compliance. It includes as standard:

• Site-wide policies for your users to review and either accept or decline. All responses are recorded within a user consent report.
• Site policy versioning, which automatically requests updated permissions from users when a policy has been updated.
• Creation of different data export types for different user types.
• Multiple data removal or data purge types, which can be configured in relation to retention, deletion or anonymisation.

Again, use of these features alone will not make your organisation’s LMS GDPR compliant. The appropriate processes must be in place to ensure GDPR compliance.

Got questions about GDPR and your LMS?

Fill out the form below for a chat about managing data protection and GDPR obligations on your LMS.

Tags