THE GENERAL DATA PROTECTION REGULATION (GDPR)

GDPR stands for the General Data Protection Regulation. The GDPR is the new European Union (“EU”) law that regulates the personal data of individuals in the EU. It will replace the EU Data Protection Directive, the EU’s current privacy law, which has been in place since 1995. The GDPR harmonises data protection law across Europe and introduces sweeping changes that require companies to make significant updates to their privacy and security policies and practices.

Instructure is committed to helping our customers comply with GDPR.

WHEN WILL THE GDPR BECOME ENFORCEABLE?

The GDPR will become enforceable on May 25, 2018. At that time, companies are legally required to comply with the GDPR.

WHAT DOES THE GDPR APPLY TO?

GDPR applies to the personal data of individuals in the EU. Personal data is defined as any type of information that identifies or can be linked to an individual. In addition to the usual types of personal data (e.g., name, address, phone number), this definition can also include information such as an IP address or device identifier. The GDPR requires entities to handle personal data in specific ways and gives individuals new rights related to the processing of their personal data, among other obligations.

OUR PLANS FOR GDPR

Instructure has robust plans to comply with the European Commission’s replacement law for the Data Protection Directive 95/46/EC, the General Data Protection Regulation (“GDPR”), by the enforcement date (25 May 2018).

To ensure GDPR readiness by the enforcement date, Instructure is currently:

  • Educating the organisation about GDPR and its requirements.
  • Conducting a GDPR gap analysis with the help of a reputable outside law firm experienced with GDPR.
  • Documenting the personal data Instructure holds, where it came from, and who Instructure may share it with.
  • Reviewing current privacy notices and making any necessary changes in time for GDPR implementation.
  • Ensuring existing procedures cover all the rights individuals have under GDPR, including deleting personal data.
  • Identifying our lawful basis for processing personal data, documenting it, and updating our privacy notice to explain it to individuals.
  • Reviewing how Instructure obtains, records, and manages consent.
  • Reviewing and updating contracts with third parties to ensure our privacy obligations are up to date.
  • Ensuring the right procedures are in place to detect, report, and investigate a personal data breach.
  • Creating processes for Data Protection Impact Assessments.
  • Analysing our obligation to appoint a Data Protection Officer.

SAFEGUARDS FOR CROSS-BORDER DATA TRANSFER

One of the GDPR’s requirements is that any personal data transferred “cross-border”, i.e., outside of the EU, can only be moved pursuant to a legal mechanism. The Privacy Shield Framework is one legal mechanism to make these cross-border data transfers to the United States legitimate. Instructure self-certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield in November 2017 and our certification remains in good standing, which helps us comply with this requirement of the GDPR.

Instructure also uses the European Commission’s Standard Contractual Clauses (model clauses) as an alternative, lawful method to transfer personal data outside the EU. By incorporating these model clauses into Instructure’s Data Processing Addendum (“DPA”), both data controllers (Instructure’s EU-based customers) and data processors (Instructure) are contractually obligated to certain technical and organisational safeguards relating to individuals’ (Instructure’s EU-based customers’ end users) privacy rights.

DOES INSTRUCTURE ANTICIPATE ANY MAJOR CHANGES TO ITS PRACTICES AS PART OF ITS COMPLIANCE WITH GDPR?

Instructure has always taken privacy seriously. We have a longstanding practice of undertaking internal privacy assessments of our products and of adopting a “privacy by design” approach to product development. We are building our GDPR compliance efforts on this foundation, including by defining procedures to cover all rights individuals have under GDPR. In addition, Instructure is in the process of analysing our obligation to appoint a Data Protection Officer to oversee our internal “privacy by design” efforts.

OTHER QUESTIONS?

Please contact us at privacy@instructure.com for more information.