GDPR in educational technology, the case of Simbound
Louis Havriliuc // 02.04.2018
The European Union has advanced 25th of May 2018 as the time at which the General Data Protection Regulation (GDPR) comes into full effect. This is a series of data protection policies to which all companies operating inside the European Union and which manage personal data must adhere to.
This article is meant to act as a first step which we are taking towards compliance. With almost 16.000 individuals' personal data on hold, an initial audit is very much needed. Feel free to use the methods presented below for your own company, but only if you understand that you are doing this on your own risk. If you are not sure what you are doing we recommend you to consult a specialised lawyer on this highly important topic. Given that the GDPR is the biggest legal development in the data privacy and protection space in recent times, a detailed procedure will have to be put into place at Simbound over the next 60 days.
The timing for the GDPR is right as increasingly more educational institutions make use of third party technology providers in carrying out various educational and vocational training programmes. Technology used includes: e-mail, social networks, learning and project management services in the cloud and specialist e-learning media and content. This means that increasingly more personal data belonging to students and professors resides with organisations or individuals outside of the school network. This ongoing transfer of personal data is necessary so that technology companies are able to identify individual users and to deliver relevant services and to further develop their offering and services. There is nothing wrong with personal data transfer processes as long as they are rightly managed and overseen and the user has access to his or her own personal data and the data doesn’t end up being abused or in the wrong hands. This is what the GDPR is trying to promote.
At Simbound we have, since day 1, advocated for a research and development culture of minimum personal data invasiveness, data transparency and portability and the path of minimum effort assigned to you when you want to know, access and modify the amount and kind data which is being stored on you, as the user of our simulations. In GDPR terminology this practice is called Privacy by Design. This is a viable personal data policy for a data dependent business and we have never have had users which signalled that we are asking for too much of their personal data or which were concerned with the way we are managing their data. The fact that we used Privacy by Design since day one helps us to some extent to become compliant with measures such as the GDPR quite easily.
In order for it to be able to deliver its services the Simbound website needs to have access to a series of your personal data. To understand how you, as an user of Simbound will be impacted by the new GDPR we will take a look at the range of personal data which we store when you are using our digital marketing simulations and also list some of the measures we are working on in order to make sure your personal data is protected and easily accessible.
We classify the different personal data we store through the Simbound website in three categories:
Personal Data which is Mandatory
Not in a particular order of importance, you are required to supply the following information if you want to use the online services provided by Simbound: your e-mail address, your first and last name, your country, your timezone, the name of your University or Company or Organisation.
Most users are using the simulation on this basic personal data allowance. The most important and valuable personal data stored on Simbound’s servers are a persons' name and e-mail address. Most users are being asked or encouraged by their tutors to input their institutional e-mails when registering for the simulation. Here a precision is needed: while e-mail addresses belonging to an institution/organisation tend to change with time, as universities and corporations suppress e-mail addresses once the student finishes their studies or when an employee terminates his employment contract, personal e-mail addresses tend to have a longer usage lifespan. With this in mind, we acknowledge that the majority of e-mail addresses stored by the Simbound system are personal e-mail addresses with the distribution of personal/institutional e-mail addresses currently being at approximately 60/40. The 60/40 ratio is a good indicator that users trust Simbound with their personal contact information even when asked to sign up with their institution/organisation e-mail.
A small fraction of the registered e-mail addresses, estimated to be at less than 3% are created by users solely for the purpose of registerin on to the Simbound website. From a privacy point of view these e-mail addresses have little value as users rarely use those e-mails after they have finished using the simulation.
Optional Personal Data
In order to enhance some aspects of the end user experience, several optional personal data upload features are provided by Simbound. These are not mandatory, meaning that users do not give up any core benefits derived from using the simulation if they choose not to supply Simbound with this kind of data. This includes: personal photograph, a short description of themselves (bio) and a link to their public Twitter profile. Thus, we give each Simbound user the right to refuse the transmission of sensitive personal data, which is characterised by a high degree of privacy.
Also it is important for you to know that Simbound does not ask to receive and does not store other types of highly sensitive personal data such as physical addresses, localisation, date of birth, income, medical or cultural (religious) information.
Outbound Marketing Practice and Business Contacts Data
Simbound very rarely sent unsolicited e-mail and in the few cases when it did there was a highly rigorous research and targeting process involved beforehand to match the interest and line of work of those which we contacted with our offering. Over 99% of e-mails sent by Simbound whether these were periodical notifications, or promotional e-mails were sent to people which have opted in to receive communications from Simbound. We have made every effort to safeguard commercial sensitive data and to not abuse data which we have had access to. When it comes to marketing carried out through e-mail we have always clearly identified our company as the source of e-mails and provided an easy way for people to unsubscribe their e-mail addresses from our e-mail communications. Further Simbound has not directly engaged in behavioural/psychometric advertising techniques, although it has used on several occasions 3rd party digital marketing services which at the time claimed that they were using behavioural marketing as a business model.
Through different commercial partnerships with a host of business simulations companies, Simbound has had access to databases consisting of various amounts of personal information. As these providers also offer marketing simulations and possess groups of contacts which are interested in receiving specific communications on products and services, there is intrinsic value in reaching out to them as they could be interested in the Simbound offering. Although we have had access to this information ever since 2010, we have not once sent unsolicited e-mail to these groups of contacts and we have always respected agreements with former or current commercial partners which acted as resellers of our simulations.
Personal Data Protection Mechanism
We want to make it clear from the onset that your personal data is safe with us and that Simbound does not engage in any sort of personal data transfer without your consent. Our website is managed by professional web hosting companies and access to the database is made through multiple layers of security which makes it easy for us to protect and to identify any potential suspicious usage of personal data stored through our website. If we will notice any suspicious activity, we will send you a notification within 72 hours, as this is one of the GDPR requirements.
We identify all those who access the personal data which we store as we issue individual security certificates to each Simbound website administrator, each certificate being unique to each person. Access to the server administration clients and the databases are carried out over Virtual Private Networks (VPN), making it very difficult for someone outside of the Simbound network to intercept, corrupt or in any way interfere with your personal data if they don’t have such credentials.
In the future we will be looking at different ways in which to give you an easy way to access and to manage all your personal data at each and every moment. This means that you, as the holder of your data will be able to quickly update, delete or share the personal data which is stored through the Simbound website.
Simbound© is owned by the Apollo Edtech SRL company which is registered with the The Romanian National Supervisory Authority For Personal Data Processing having certificate number 0018682 issued on 18/08/2011. Romania is a full EU member since 2007.
Remember to always be cautious whenever you will be sharing personal information over the internet.
Also, if you want to learn more about how to protect your students personal data here is a link to the European Handbook for Teaching Privacy and Data Protection at School, which is an excellent resource on this highly important topic: Download Handbook [ PDF | 5,2 MB |122 Pages]