GDPR Could Limit Data Use in eLearning—and Drive Innovation

Written By

Lynne McNamee

July 20, 2018

Among the hottest topics in the industry these days is using data to improve learning, performance, and succession. Adaptive learning, personalization, xAPI, learning record stores, machine learning—so many tools can help customize the learning experience. The arguments in favor of using these tools are strong, especially given how successful targeting and personalizing data has been in marketing, which has utilized these techniques for years. Just as many learning and development (L&D) teams were getting the hang of using data in eLearning, though, GDPR took effect. How GDPR, Europe’s General Data Protection Regulation, will affect data use in eLearning and how L&D should respond raises many questions—as well as potentially spurring positive developments.

Companies’ use of data came under intense scrutiny following revelations of misuse of Facebook data by Cambridge Analytica. The timing of this scandal, right before the full implementation in late May of GDPR, highlighted the reasoning behind the law: An individual should own the data about her/himself.

For business leaders looking to expand their use of data to advance learning objectives, it is worth keeping in mind the potential pitfalls while crafting a data plan and data policies to ensure that the letter and spirit of the law, and employee trust, are protected.

Note: Nothing in this article should be interpreted as legal advice. Seeking professional legal counsel on GDPR compliance is strongly advised.

Among the provisions of GDPR are a few top-level concepts:

  1. Who owns an individual’s personal data
  2. Portability of personal data
  3. What personal data will be collected, why, and how will it be used

Ownership of personal data

The answer to the first question is clear and concise: The individual owns her/his own data. 

Portability of personal data

Learners should be able to transfer data collected in a learning program to another system, potentially at another company.

This goes counter to how most US companies operate. While managers applaud talent development and career pathing, ultimately, it is the business requirements and business objectives of the company that govern employment and advancement decisions. In most cases, ownership of data about employees, including certifications, performance reviews, promotion histories, etc., lies with the company—not the employee.

On the subject of eLearning, LinkedIn and companies like Udemy are making strides, as they make it possible for individual learners to record and share their certifications. This creates a kind of centralized LMS, either replacing or supplementing the records held by an employer. According to the Bureau of Labor Statistics, the average Baby Boomer worked about 12 jobs between the ages of 18 and 50. With job changes likely to become more, not less, frequent, the need for employees to own their learning histories and credentials is increasingly clear. Yet most employers do not have the means (or willingness) to provide learning histories to their employees when they leave. Article 20 of the GDPR, which pertains to data portability, could spur changes in that approach.

Collection and use of personal data in eLearning

It might be useful to regard GDPR as a wise guide, rather than an enforcer. Article 5, Section 1, states that personal data shall be “collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” Combined with Article 25, pertaining to data protection by design and default, GDPR’s regulations may protect the eLearning industry from pitfalls experienced by marketers.

Over the years, marketers became enamored of data—the more the better. Among the massive amounts of data collected, many great insights are gathered—but also a plethora of data that will not be used, that is not necessary, and that is not directly tied to the original reason for collecting the data. In the world of GDPR, this must change.

Corporations—and eLearning professionals within those businesses—need to ask, “Is what we’re measuring and tracking really necessary for what we are explicitly trying to achieve?” Viewed through the lens of talent development and future talent gaps, this does create limitations on the collection and use of personal data in eLearning.

GDPR requires that there be a specific, pre-determined reason to request or track information. This purpose, and the planned use of the information, must be disclosed prior to collection. Learners must consent to the collection of data. In addition, safeguards need to be in place to ensure that information is used only in the ways disclosed at the time the employee opted in to the tracking or data collection. Note that some countries have additionally restrictive policies around the collection and use of data, especially if it can be traced to a known person, so caution and legal advice are critical.

With these caveats, L&D teams should collect only the minimum data needed for a defined purpose—and use it solely for that purpose.

While these limitations could inhibit some personalization of eLearning, if the eLearning developer clearly explains why particular data is collected and how it would enhance the learner’s experience, the data collection could be acceptable to many learners. Prior intent and disclosure are the keys.

Looming issues with data portability

As an industry, it might be time to work toward consensus—a common standard for portability—among SCORM, AICC, and xAPI. L&D professionals need to think about the technology eLearning employs and how it supports data portability. GDPR also requires the ability to be forgotten—the right to ask companies to delete personal data; therefore technology must support that requirement.

Portability, combined with data ownership, requires a shift in approach from internal tracking systems within companies to, potentially, connected solutions whereby individual employees have ownership and responsibility for the maintenance of their own learning records throughout their careers, no matter where they work. Credentials or certificates would need to be validated by an employer or hiring company; blockchain offers a possible model. In theory, this could return the role of the L&D professional to one of strategy and real leadership versus record keeper and administrator. Or it could encourage employees to remain with a company that managed their information for them as an employee benefit.

The era of portability has its share of open issues: Executives must consider whether the sharing of specific employee data, such as what courses they’ve taken or their scores on assessments, could reveal proprietary information. The possibility that companies could focus on recruiting talent from rivals simply to gain access to data about how people are trained, onboarded, developed, and promoted cannot be discounted. Nor can the potential for companies to reverse-engineer competitive information, based on newly obtained employee learner data.

Concerns on the L&D plane include whether justification exists (and is provided to learners) for how data will be used and why that information is needed to achieve stated aims. Processes are needed for making and approving these decisions, as well as for determining who has access to data that has been collected. Additional procedures are needed to ensure that data collected for one purpose is not used for a different purpose or shared with unauthorized parties, even within the company.

Deciding what data to collect

Creating policies and procedures around data collection, security, and portability is an ideal opportunity for greater synergy between L&D and the C-suite.

These teams can work together to identify the metrics that the executive team cares about and what data is needed to return those numbers. Whereas L&D sometimes gets caught up in registrations and completions, time viewed, frequency of consuming content, or learner evaluations of a course, these are not metrics that support digital transformation or improved business efficiencies. Neither is engagement (however one defines it) a business metric, so that doesn’t move the conversation forward.

Partnering with business unit leaders to understand what metrics they have to report on can reveal the data points that, it would seem, companies can legitimately request to capture and process. This is also where the use of data to deliver an adaptive learning experience is justified. In this scenario, the data and related learning are directly tied to business outcomes. Personalization isn’t done because it can be done. Rather, personalization is done because it needs to be done.

To get at these dual-purpose metrics, L&D teams can ask:

  1. What are the business outcomes that need to be achieved?
  2. What are the metrics that define success?
  3. What metrics show baseline status?
  4. What key performance indicators (KPIs) will demonstrate progress?
  5. How will those KPIs be used to personalize continued eLearning?
  6. Who will have access to the data collected?
  7. How will portability or right-to-be-forgotten requests be met?

Approaching data gathering with clear goals could reduce the ways that GDPR feels like a brake on data use in eLearning—and increase the ways it feels like a trigger for innovation, improvements that will benefit companies and employees alike.

More Executive

You May Also Like