THE GENERAL DATA PROTECTION REGULATION (GDPR)
GDPR stands for the General Data Protection Regulation. The GDPR is the new European Union (“EU”) law that regulates the personal data of individuals in the EU. It will replace the EU Data Protection Directive, the EU’s current privacy law, which has been in place since 1995. The GDPR harmonises data protection law across Europe and introduces sweeping changes that require companies to make significant updates to their privacy and security policies and practices.
Instructure is committed to helping our customers comply with GDPR.
WHEN WILL THE GDPR BECOME ENFORCEABLE?
The GDPR will become enforceable on May 25, 2018. From that date, companies will be legally required to comply with the GDPR.
WHAT DOES THE GDPR APPLY TO?
GDPR applies to the personal data of individuals in the EU. Personal data is defined as any type of information that identifies or can be linked to an individual. In addition to the usual types of personal data (e.g., name, address, phone number), this definition can also include information such as an IP address or device identifier. Among other obligations, the GDPR requires entities to handle personal data in specific ways and gives individuals new rights related to the processing of their personal data.
OUR PLANS FOR GDPR
Instructure has robust plans to comply with the European Commission’s replacement law for the Data Protection Directive 95/46/EC, the General Data Protection Regulation (“GDPR”), by the enforcement date (25 May 2018).
To ensure GDPR readiness by the enforcement date, Instructure is currently:
SAFEGUARDS FOR CROSS-BORDER DATA TRANSFER
One of the GDPR’s requirements is that any personal data transferred “cross-border”, i.e., outside of the EU, can only be moved pursuant to a legal mechanism. The Privacy Shield Framework is one legal mechanism to make these cross-border data transfers to the United States legitimate. Instructure self-certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield in November 2017 and our certification remains in good standing, which helps us comply with this requirement of the GDPR.
Instructure also uses the European Commission’s Standard Contractual Clauses (model clauses) as an alternative, lawful method to transfer personal data outside the EU. By incorporating these model clauses into Instructure’s Data Processing Addendum (“DPA”), both data controllers (Instructure’s EU-based customers) and data processors (Instructure) are contractually bound to certain technical and organisational safeguards relating to the privacy rights of individuals (the end users of Instructure’s EU-based customers).
DOES INSTRUCTURE ANTICIPATE ANY MAJOR CHANGES TO ITS PRACTICES AS PART OF ITS COMPLIANCE WITH GDPR?
Instructure has always taken privacy seriously. We have a longstanding practice of undertaking internal privacy assessments of our products and of adopting a “privacy by design” approach to product development. We are building our GDPR compliance efforts on this foundation, including by defining procedures to cover all rights individuals have under GDPR. In addition, Instructure is in the process of analysing our obligation to appoint a Data Protection Officer to oversee our internal “privacy by design” efforts.
Please contact us at firstname.lastname@example.org for more information.