About the client
Our client is a global provider of a cloud-based eLearning platform that teaches people how to adopt and use software. The company is based in the US and provides its services to Fortune 500 enterprises. The eLearning platform teaches employees how to get the most out of corporate software in a way that’s relevant to their jobs, their work, and their learning styles. Our client has twenty years of experience training users on Novell, Corel, and Microsoft products (Windows, Office, OneDrive, Skype, etc.) through thousands of searchable and shareable video tutorials, online sessions, assessments, files, and web sources.
Our client came with the challenge
Our cooperation with this client started in 2011 when they decided to shift from publishing to a SaaS business model. The company needed to develop an entirely new cloud-based eLearning platform, and they wanted to develop it on the most recent technology for that time. They chose Microsoft Azure as it was fresh on the market and had the potential to cover all their needs. Intellias already had engineers striving to master this new technology, so it was a perfect match.
As our collaboration evolved into a long-term relationship, our client started to deliver new features continuously for their users. They also started naturally expanding to new markets. The company gained enterprise end customers in Europe. Then a new wave of data leaks and privacy breaches at some well-known brands led to new regulations and strict requirements for data protection.
One of the most prominent of these new regulations is the General Data Protection Regulation (GDPR). Our client needed to comply with GDPR requirements as their platform directly processes personal user data.
End customers—usually huge enterprises—get access to our client’s eLearning platform to unleash their employees’ potential by teaching them how to use corporate software. To get access to the platform, employees need to create user profiles that include personal data: first and last name, job title, email address, photo, and IP address. As our client has end customers in the EU, they needed to provide a full range of security measures to comply with GDPR requirements.
Our client needed to detect all touchpoints with their users in order to inform them about the new terms and conditions, show users how they can control their personal data, and ensure that user data is securely protected. An additional challenge was automating the necessary actions after a user submits a request to withdraw data, delete data, or check what data has been collected. Our client needed to make all these changes across every touchpoint with hassle-free synchronization options so ongoing changes could be implemented everywhere.
We designed a security protocol to comply with GDPR
Our client took a very serious approach to GDPR compliance to be able to deliver its services to European customers. They brought on a dedicated in-house Data Protection Officer to check all steps of compliance with GDPR standards. From day one of our cooperation, Intellias has been covering the entire engineering process for our client’s MS Azure-based eLearning platform, so we were assigned to develop a GDPR security protocol for this product.
Our main task was to follow all GDPR requirements and implement all necessary steps to comply with security standards.
Goals and achievements
- Define personal data. We needed to clearly define which data collected on users should be considered personal data and in what situations this data is protected under GDPR. We consulted with legal professionals on this issue and defined personal data as any data that identifies a person. To apply GDPR rules, we chose to use IP-based location identification. If a user is located in Europe, we apply all necessary procedures. We also considered the particular case when a user works via VPN from another country but has an IP address assigned in Europe. To account for this possibility, we decided to always provide users with an option to confirm their location manually. A user will see a pop-up screen with information about their location and then have the choice to agree or disagree to further GDPR procedures.
- Get consent for data collection. We needed to get clear consent from users to collect personal data such as first and last names, job positions, email addresses, photos, and IP addresses. This consent must be seen at every touchpoint where users interact with the client’s solution and can give data about themselves. A particular use case was developed for users ages 13 to 16 as they need permission of parents or another responsible adult to share their personal data. This case was not applicable for our client, though, as they provide services only to enterprise employees who strictly must be older than 16. Still, we needed to make sure to comply with all standards and included a special scenario for this particular age group.
- Communicate users’ rights. We needed to communicate to users their rights to have their personal data deleted, to access their personal data, to change it, to request a report on what data has been collected, and to be forgotten and stop collection of data. Ensuring these rights is essential for compliance, and we needed to handle all of these requests by users within the following time frames: 72 hours to notify users about possible data loss, 72 hours to answer enquiries regarding personal data, and 30 days to delete all data.
- Privacy by design and data portability. We developed a system of reports that gather all collected information on users, including the personal data they share in their user profiles and their log histories. These reports provide a much easier way to view data after each particular enquiry from a user. They also improve the portability of data by putting all user data in one place. This allows for a quick response when a user requests to download all of their data. We incorporated production of reports into the solution architecture.
We’ve achieved great results together
We divided the process of GDPR compliance into two phases. The first phase was more urgent, as it dealt with things that were obligatory for further operation in the European Union market. The second is a process of continuous improvement to optimize processes related to user data. The first phase has already been completed. During that phase, we implemented the following measures:
- Created an MS Azure-based engine to generate reports on all user data at every touchpoint with client services
- Created an automated algorithm to delete data upon user request, including log data
- Designed a custom UI for interacting with users on matters related to privacy
- Added admin functionality for customers to be able to delete their employees’ data
- Set up a system of notifications for admins on the end-customer site about users’ activities in regard to data operations
- Synchronized all touchpoints to send updated terms and conditions even if a user has approved a previous version of the terms and conditions
- Implemented a monitoring system to detect expired customers who have not renewed their license for the client’s product in order to delete their data automatically
Now we’re going through the second phase. We’re working on a more insightful view for users on what data is being collected. Specifically, we’re preparing comprehensive reports with dashboards and diagrams to visualize data for users in order to give them a better understanding of how their data is used by our client.