How Does GDPR Affect xAPI and Learning Tools & Technology?

Everyone seems to be talking about the General Data Protection Regulation (GDPR) right now. But what is it, and how will it affect xAPI and Learning Record Stores? Find out as we explain everything you need to know about this important set of privacy regulations.

The General Data Protection Regulation (GDPR) is a set of regulations designed to accomplish two primary objectives:

  1. ensure the privacy and security of European Union (EU) residents and their personal data (any information relating to an identified or identifiable natural person), and
  2. streamline data protection laws across the EU.

When GDPR goes into effect on May 25, 2018, any organization that resides in the EU or processes personal data of EU residents to provide goods or services will have to ensure they abide by its rules and regulations.

The key elements of GDPR are:

  • Establishment of the rights of the data subject (see the following graphic)
  • Definition of the controller/processor relationship
  • A special focus on security of processing
  • Data transfers to third countries or international organizations
  • Supervision, remedies, and liabilities

Will GDPR affect xAPI and Learning Record Stores?

xAPI as a specification isn’t really impacted by GDPR, although GDPR will affect how it’s implemented in certain situations. GDPR requires “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

An example of how this affects implementation is a decision about whether to use HTTPS-Only.

According to the xAPI specification, implementors are encouraged to use HTTPS-Only for secure communication, but that’s an implementation recommendation—not a requirement and has nothing to do with an actual xAPI statement.

It’s also worth noting that in some areas, such as the quote above, GDPR leaves some interpretation as to what may be considered appropriate measures.

However, we get some additional clarity on how to ensure the security of data processing in Article 32, with the caveat that the following suggestions are subject to scope, context, and the nature of processing:

pseudonymization and encryption of personal data
ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
ability to restore the availability and access to personal data in a timely manner in the event of an incident
a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
The pseudonymization and encryption of data is partly covered in the xAPI specification, but based on the context of why the data is being processed this may not be necessary.

For instance, you can use mbox_sha1sum as an identifier to avoid directly revealing a user’s email address in an xAPI statement. We’ve satisfied this need as a flexible option within the LRS; Watershed provides different user roles that enable certain users to see individually identifiable data, while others only see anonymized data.

Even though the xAPI specification details how to authenticate into an LRS, there are other considerations to take into account—such as, is all the data stored in your LRS encrypted at rest? It should be.

Ensuring ongoing confidentiality and integrity of systems is achieved by a mix of LRS functionality and company policies. Watershed has built and continues to maintain a comprehensive information security policy.

And access to our internal systems requires two-factor authentication as well as secure network connections over VPN to private resources that aren’t exposed to the public internet.

Part of our information security policy also details our incident response plan and our process for testing organizational security measures. All technology providers, whether xAPI or not, need:

comprehensive information security policies, and
procedures and application functionality to support the rights of data subjects.
It is also important for Learning Record Providers and Learning Record Stores to understand their relationships with their clients to establish controller/processor relationships and data processing addendums/model clauses where necessary.

What about xAPI and data privacy?

So far, we’ve focused on security, but there are also features and/or business processes necessary to support each of the rights of a data subject (which previously existed but GDPR has enhanced).

xAPI actually makes supporting some of these new rights very straightforward, such as the right to data portability.

Other rights require more effort and understanding to respect. For example, the right to restrict processing means that an EU resident can object to non-legitimate (e.g., non-learning) data processing.

The last piece of GDPR that is relevant to xAPI and LRS pertains to when data must exit the European Union.

GDPR states that the transfer of personal data to a third country or an international organization can only be done if the controller or processor has provided appropriate safeguards, and such that enforceable remedies are available.

The Privacy Shield framework was designed by the U.S. Department of Commerce and the European Commission to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.

As you can tell, GDPR is a comprehensive legislation that requires more attention than a simple app to adhere to a handful of the rights of a data subject.