‼ Update: The GDPR plugins are now available!

The GDPR (General Data Protection Regulation) will take effect on 25th May 2018.

The GDPR extends current EU Data Protection legislation and the penalties for non-compliance can be severe.

There are a number of areas to be addressed in order to achieve GDPR compliance. One of them is to consider how your Moodle site is complying with GDPR.

Moodle has recently shared their GDPR Approach, some of which we will outline in this post.

What IS GDPR?

If you are unfamiliar with GDPR, the guide at the Information Commissioner’s Office website is a good place to start.

GDPR stands for General Data Protection Regulation and refers to the European Union regulation for data protection for all individuals within the European Union. The regulation (Regulation (EU) 2016/679) becomes enforceable on 25 May 2018 and replaces the data protection directive (officially Directive 95/46/EC) from 1995.

GDPR affects any individual or organisation that stores or processes personal information on an identifiable person from an EU member state (regardless if the processing or storage of information occurs in the EU or not). It also applies if the individual or organisation themselves is located in an EU member state.

You must also have a data protection officer designated, who is responsible for monitoring compliance with GDPR and makes sure that personal data is safe and secure.

One of the biggest changes from the Data Protection Directive is that all relevant people have the right to receive a copy of their data, the right to correct and restrict their data as well as the right to erase data. For data collection, people must have to opt-in to have their personal data stored before any personal data can be captured.

What kind of information comprises personal data in a Moodle site?

All information that can be associated with an individual person. Each user account and all the activity associated with that user account is classified as personal information. This extends to information stored in backups, as well as associated information such as web server log files, including IP addresses.

 What Moodle are doing to help

Moodle has a set of features in development, which will meet compliance covering the following areas: onboarding of new users, privacy statements, the tracking of consent and handling of subject access requests.

The features will initially be implemented as plugins, with the following functionality:

1. The onboarding process for new users, including:

  • Displaying all required privacy statements. Provide additional privacy information during user sign up, as well as more extensive recording and logging of user consents. [See this in the Moodle Tracker].
  • Listing and requesting consent for all 3rd-parties who may receive user data
  • Establishing a process for consenting minors
  • Capturing and recording each specific consent given by a user.

2. Processes to comply with subject access requests (SARs), for a particular user, including:

  • A request to retrieve all user data on Moodle
  • A request to erase all identifiable user data on Moodle
  • A request to modify user data
  • Provide additional means for users to obtain a copy or their data, invoke their right to data erasure and keeping track of all types of data within Moodle in a data registry. [See this in the Moodle Tracker].

These will initially be released as plugins, scheduled for March 2018, which will enable those using Moodle 3.3 and 3.4 to become compliant with the new regulations by installing and configuring the plugins in addition to implementing the required organisational procedures and processes.

These features will then become part of Moodle 3.5 release which is a Long Term Supported (LTS) version of Moodle.

Installing the plugins alone is not going to be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures is also required and you should engage with your IT and legal department on what is required.

Where to start

The first place to start is to read the guide at the Information Commissioner’s Office website.

For Moodle administrators, review the GDPR for Administrators page on Moodle Docs.

Get up to date!

If you are not on Moodle 3.3 or above we recommend you upgrade as soon as possible. This will enable you to install the plugins that Moodle are developing to ensure compliance.

If you are on Moodle 3.2, there is not yet a plan on the plugins being made available.

If you are on Moodle 3.3 or above you should make sure that you update to the most recent version of these releases.

You can check your Moodle version by navigating to Site Administration -> Notifications. The version is at the bottom of the page.

Let us help!

✉️ If you need help with upgrading your site or getting the plugins installed. Get in touch with us at [email protected] or via our contact page.