GDPR came and went: how it impacted our products

At Rustici Software, the General Data Protection Regulation (GDPR) came at an ideal time for us to complete a self-review of our data privacy (see our official description of what we’ve done here). Our tools can be many things to many people, with each product having its own set of data privacy scenarios to think through. GDPR pushed us to take a close look at each of our tools, improving them as we found things that could be better. We began this process thinking we were doing everything already, only to discover ways to build better tools.

Of course, we went through the normal process of evaluating our company-wide privacy policy and made some small changes. We were proud that we already valued our customers’ data as their own, never shared it with a third party for commercial gain, and took every reasonable step to keep data secure. We’ve participated in Safe Harbor and Privacy Shield certifications in the past, which guided our existing policies. Nevertheless, we tweaked some internal policies and improved our stance. We also put GDPR-required Data Processing Addendums in place for all the tools we use and with customers who rely on our hosted tools.

SCORM Cloud:

Our SCORM Cloud product was one of the first places we looked. Since its creation, SCORM Cloud has grown to launching over a million new courses each month. SCORM Cloud offers four ways to invite a learner to take a course, so we thought through GDPR implications for each. We’re grateful for our SCORM Cloud user base, who carefully considered our platform’s impact on their GDPR obligations and worked with us to get the right tools in place. The GDPR had an impact on each of these invitation methods.

Public Invites:

These invites provide a simple link that allows easy entry to a course. We needed to provide ways to delete the information that this method creates. While SCORM Cloud does not capture much, we do capture First Name, Last Name, Email Address, Quiz and Assessment Data, as well as xAPI Statements. We determined that it was too hard to delete this data when requested to do so, so we built tools that make data management and deletion much easier and help our SCORM Cloud customers meet the GDPR data deletion requirements. You can review these PII deletion tools here.

Private Invites:

These invites provide a direct email to allow a learner to take a course. We also needed to provide ways to delete the information that this method creates. Again, while SCORM Cloud doesn’t capture much, we do capture First Name, Last Name, Email Address, Quiz and Assessment Data, as well as xAPI Statements. We determined that it was too hard to delete this data when requested to do so, and we built tools to make this data management and deletion much easier. You can also review these PII deletion tools here.

SCORM Cloud Dispatch:

SCORM Cloud Dispatch is a popular way to help content creators control their courses inside a third-party LMS. Dispatch provides six benefits to a course owner who needs their content to play nicely inside nearly any third-party LMS. Since Dispatch has the potential to capture a learner’s personally identifiable information (PII), we have added a tool that can anonymize the PII learning data. This tool can help meet a content owner’s desire to control courses without giving up on their GDPR obligations. We’ve also added an optional tool that will display a privacy policy at the bottom of the SCORM player window. Using Dispatch is now still possible in a GDPR-compliant environment. Dispatch users can learn more about our PII blocker here.

SCORM Cloud API:

Many of our SCORM Cloud integrations are purely API-based. To support these customers and help them meet their GDPR obligations, we added a new API that makes the data delete operations available. Using the API, you can identify a learner ID (or xAPI Actor) and request that SCORM Cloud delete all data about that learner from our system. The developer’s documentation for our PII and GDPR learner deletion tools can be found here.

SCORM Engine:

The cornerstone of our ability to help the eLearning industry “play nice” with one another has been our SCORM Engine. This application is relied on by hundreds of learning platforms and LMSs throughout the world. It was critically important that we provide tools within the SCORM Engine to help our customers more easily meet their platform’s GDPR obligations.

Engine now features the ability to delete learner data, via new API calls. We released this API enhancement as an Engine 2017.1 maintenance release. Additionally, we’ll be introducing a user interface for performing the same ‘learner delete’ operations as part of our Rustici Engine 2018.1 release. Existing Engine customers are encouraged to simply upgrade their Engine application to enable the latest GDPR data management tools. We’ve also added the ability for customers to have a privacy policy optionally displayed at the bottom of the SCORM Player window.

Content Controller:

Much like SCORM Cloud Dispatch, Content Controller needed some tools to make managing GDPR obligations easier. We made upgrades to ensure Content Controller users aren’t tracking personal data for training when using Content Controller to launch training through other LMSs. Content Controller customers now have the ability to enable one-way hashing of learner identifying data captured through various learning standards. When this option is enabled, Learner Identifiers and Learner Names will be hashed (SHA-256) in the learner’s browser before that data is transmitted to the application providing the dispatch package. We’ve also added the ability for Content Controller customers to have a privacy policy optionally displayed at the bottom of the SCORM Player window. This guide provides more about PII inside Content Controller.

To sum it up

Nothing with privacy and software is final. Here at Rustici Software, we view data privacy and protection as a goal to continually strive for. The GDPR will most certainly evolve, and we intend to do whatever is reasonable to continue to support customers all over the world while protecting their valuable data. If you have concerns about our existing tools, GDPR posture, or data privacy policy, please let us know. We’re always willing to take a closer look at our solutions and try to evolve them in new ways.