GDPR Effect on E-Learning Apps, or User Data Protection at All Costs
Please, tell us how paranoid you are about your personal data.
We sure hope that your “spidey sense”, combined with two-factor authentication, automatic log-off and plenty of other precautionary measures are a part of your daily routine on the Internet.
But what if you are responsible for the storage and security of data of hundreds, thousands, or even millions of your mobile users?
In this article, we are going to speculate about the things that are huge for user data protection.
We’ll dive deep into a very complex and long document called GDPR (General Data Protection Regulation). In short, it has changed the way personal users’ data should be collected and processed. In this article, we will show it to you.
We are going to speak a little of what measures app owners should apply to make their software GDPR compliant.
We will also focus on the individuals’ rights in respect of their personal data that has to be put under the microscope after GRPR has come in force.
Also, we will analyze some things the world leading E-Learning companies (Duolingo, Moodle) do to avoid enormous fines and keep their users’ data protected.
For you to not fall asleep, we have some shocking figures in data breaches facts and memes inside. Enjoy.
It’s been more than three months now since GDPR act came to force. You might have gotten tired of all these notifications about websites using cookies and updating their privacy policies - that is how you got acquainted with the act as a user.
Six Principles of GDPR Data Protection
There are 6 principles relating to the processing of personal data listed in Article 5(2) of EU data regulation 88-page document.
- Lawfulness, Fairness, and Transparency
- Purpose Limitation
- Data Minimization
- Storage Limitation
- Integrity and Confidentiality
Let’s quickly run through all of them in respect of how E-Learning apps should treat all the personal information of their users.
Lawfulness, fairness, and transparency.
This concept is pretty easy to understand and embrace. All the information has to be gathered in a lawful way. Users should realize that the company gets their personal data, so the language of the note that makes them aware of that should be plain and clear.
No monkey business, there is simply no need to misguide the users about data collection. E-Learning mobile apps should easily follow this principle as it doesn’t require anything extraterrestrial.
There must be a reason for collecting, storing and further processing data. Data subject should be aware of the reason.
The original purpose must be the only one, companies are forbidden to use user data for other reasons.
Here is what Duolingo states among its purposes for data collecting:
“We may also use your contact information to send you notifications regarding new services, offersб and promotions offered by Duolingo if you affirmatively consent to receive such communications.”
Moodle answer the questions of how the collected data for their app work with a single purpose - to provide access to the online courses on this site (app - for Moodle Mobile).
This principle allows using your activity data for statistical purposes.
This is obviously some good news for app owners as they need to study user behavior in order to improve their software.
The less info user provides to the mobile app, the smaller the damage of the potentially breached data. There is no need to ask users about their sexual orientation for an educational software, for example.
In fact, the second biggest data breach in history has happened in October 2016 with Adult Friend Finder databases. Perhaps, info about the user’s religion, sexual orientation and some other data put into the dating apps would never be requested by educational apps.
More than 412 million user accounts were compromised. You might not want to get down in history by the data contained in your dating app portfolio.
As an educational app owner, don’t ask too much - surveys might be less effective than actual user behavior studying, but at least it’s legal to ask the info that way.
App owners must provide users with the opportunity to update the info. Every reasonable step should be taken to change or delete inaccurate or incomplete user information.
Let us quote Moodle policy on this:
How long is my data stored?
Your personal data is stored as long as your account is active on this site.
That means that after you deactivate the account in a learning app, personal data should quit the mobile app with the user.
Integrity and Confidentiality.
There is no need to analyze this point, to be honest. It simply goes without saying.
The organizations must take reasonable measures to protect against data breaches and unlawful processing.
Focus on the Individuals’ Rights
There is quite a range of individuals’ rights that have to be covered by the software owner to claim that the app is GDPR compliant.
These are screenshots from Duolingo and Moodle websites that describe data subject rights.
These are just two ways to list the number of individuals’ rights that has to be obliged.3
Among the most interesting points here we’d like to highlight are the right to be forgotten and the right to object to the processing of certain types.
The first one is the dream for a little star named Barbra Streisand. You might have heard of the Streisand effect. The more you try to hide something, the more Internet is inclined to see that. Not the case here.
Users have the right to have all the information about their studying to be deleted by the processor under the new Regulation.
Had Beyonce used her unflattering picture her publicist was trying to delete as information provided to the GDPR-compliant E-Learning provider, it would have gone forever. Hopefully.
If a user is tired of the app sending him/her the marketing emails, he/she may object to that, and it would be GDPR violation of his rights to send them some more after the object is expressed.
This is just a few things that app owners should keep a close eye on.
How Big of a Deal Is GDPR (Google and Facebook are fined $9.3 billion)
If you still think that GDPR is some document that doesn’t affect you as a startupper, you might be wrong.
Even if you are targeting US users, and only a small portion of your potential users are EU citizens, you have to follow the regulation. Otherwise, you will never show the profit for your company as you will only work to cover the fines for the European Union.
How big could these fines be? You might feel yourself like a loser in a monopoly game at some point.
It actually reminds of an old Louis CK monologue where he described such a loss to his then-9-year-old daughter.
“OK, so here’s what’s going to happen now, OK? All your property, everything you have, all your railroads, your houses, all your money – that’s mine now. You gotta give it all to me. Give it to me, that’s right. And no–no, you can’t play anymore, see, because even though you’re giving me all of that, it doesn’t even touch how much you owe me. It doesn’t even touch it, baby. You’re going down hard. It’s really bad. All you’ve been working for, all day, I’m going to take it now and I’m going to use it to destroy your sister.”
We are talking billions of dollars in fines. Google, Facebook faced $9.3 billion in fines just days after rules came in force.
The way Facebook-owned Instagram and WhatsApp is a no-no for the European Union. Plenty of violations were on Google’s side - Alphabet - the Google-owned company is liable for $4.88 billion in fines.
Is these figures don’t frighten you, it is hard to blame you, as it is hard to even imagine this pile of money.
If you won’t take GDPR seriously, you’ll get bankrupt pretty soon.
Among the main changes GDPR brought us are:
- Data collection minimization and purpose limitations
- User consent obligations
- Mandatory data breach notifications
- Closer attention to the expanded set of individuals’ rights
If you are planning on starting your own mobile app in the educational sector (or already have one), you should prioritize user privacy pretty high.
Following all the standards might be quite complex.
Careless attitude towards the private data of users is now very punishable not by just reducing the potential cost of your company and costing it the reputation, but also financially - in the form of fines.
This is definitely not a thing to forget while putting your mobile app on market. BTW, if you need some help with building an E-Learning mobile app, contact us here.