In May 2018, the European Union implemented GDPR (General Data Protection Regulation). This legislation mandates data protection and privacy and impacts citizens globally. Credly’s chief of staff and general counsel, Daniel Doktori, explains what this means to Credly users, and all internet users in general.
Listen to the full interview here:
Susan Manning: Welcome to the Credly podcast where we touch base with our issuers, earners and partners, and explore themes of interest in digital credentialing. I'm Susan Manning.
So today I'm talking with Daniel Doktori, our chief of staff at Credly. And we're going to talk about laws, but Daniel is going to make this very interesting for us. So first of all, welcome Daniel.
Daniel Doktori: Thank you Susan. I'm so excited to join you. I feel like you're like Ira Glass from This American life. It's good to be in the company as all the others that you've interviewed. So thanks for having me.
Susan Manning: You're welcome. And I use this time to sort of unpack issues that affect digital badging and because we really are dealing with data, we've got to look at recent changes in data laws, specifically GDPR. So we're going to look at this. What does GDPR stand for?
Daniel Doktori: Sure. For GDPR stands for the General Data Protection Regulation. It came into effect back in May of this year. And it's an EU wide regulation.
Susan Manning: So Europe decided to create some additional legislation around how companies work with data, correct?
Daniel Doktori: Sure. So I'll give you a little breakdown. So basically the GDPR is kind of a maturation of a previous set of privacy laws across the EU. So individual member states still have their own national privacy regimes, but GDPR kind of sits on top of those and acts as a minimum standard. The purpose of the GDPR was really to protect EU citizen data or data that is passing through the EU. It kind of responds to a new world in which we're all living where we think about something like Amazon or Google or Facebook and we've come to realize that as much as those companies are providing a variety of services at their core these are really data company. And they know a lot about the data that we've given them.
The GDPR is really meant to give you some protection and some control back to individual, what they call data subjects so that now we can have a little more control about where and when our data is used and also give us an ability to change our mind in the future in the event that we no longer want our data used for a particular purpose.
Susan Manning: How would I know if my data is going through the EU? Would I know that?
Daniel Doktori: So the interesting question, and I think kind of your question is speaking to kind of what the practical realities of the presence of an EU regulation and what that means for us as individuals living in the US or as the company that's based in the US. And so even though you may, so you may remember that a couple of months ago you were getting emails from basically every website you've ever visited that was informing you that we've updated our privacy policies, please check them out. Or if you visited the website itself it notified you of that. That was because of the GDPR.
And so the presence of a you wide regulation and the fact that all business in particular, internet based businesses really have a worldwide territory these days. So you asked how do I know whether my data is going through the EU? It's really more a question of if the websites you're visiting are doing business in the EU, and most likely they are, they've probably had to change their policies and their procedures to comply with the EU requirements. So even though your data may not pass through the EU, you may get some benefit because of the changes in the policies and procedures of that company.
ow technically you as an individual, as a US citizen, you're not actually covered by the GDPR. And it's possible that a website or a service that you use does not treat EU citizens and US citizens the same and says these additional protections are limited to our EU citizens. That's possible, but it's actually easier and I can tell you from a credit perspective, it's what we do. We're basically changing our procedures in a way that helps all of our users.
So the GDPR from a data subject, from an individual point of view, is kind of like the tide that rises all boats.
Susan Manning: Interesting. So I have data. I'm an individual. Maybe I have an account with Credly. What do I need to know about this? How does it impact me?
Daniel Doktori: Sure. So I mentioned just previously that the GDPR is in some ways a tide that rises all boats and so that's true here and basically Credly has implemented a variety of policies and procedures to ensure compliance with the GDPR. It's kind of a long list, but a couple of key concepts that are truth for Credly and for for any similar service. One was minimum data security requirements. So there is an oft repeated line from the GDPR about companies needing to take appropriate technical and organizational measures to protect personal data. This has been a commercial imperative for Credly for a long time. Our customers demand to know that we're going to keep their confidential information actually confidential.
But now there's a a higher level of a legal requirement as well. And the penalties for failing to do this or for failing to comply with the GDPR in general are really quite extreme. There in some cases, up to 4% of total revenues of a company. So really we're talking significant potential penalties. So minimum data security requirements as one example of one of the things that we examined to make sure that we were compliant with the requirements of GDPR.
A second key thing that you want to be thinking about as an individual visiting Credly or visiting any similar service is the concept of informed consent. So as a general matter, consent solve a lot of legal issues on a theoretical level. If you tell someone what you're going to do with their data and they say okay, then the processor of that data is on good legal footing. But GDPR kind of changed the stakes in terms of what consent means.
Consent under the GDPR needs to be, and another kind of famous line from the GDPR, I guess famous is dependent on your perspective, but the consent needs to be freely given, specific, informed and unambiguous. That's kind of a much higher standard than what we used to see in the old days where there was some little line in the corner of the website that said by visiting his website you're agreeing to our terms of service, right? So that doesn't fly anymore.
Susan Manning: And I will add from an Credly employee standpoint that we've all gone through data privacy and security training. I'm looking forward to my badge that proves this. So it is documented, right?
Daniel Doktori: Absolutely. Yeah. That was one of the things that we did as a company. One of the requirements is that we will have certain policies and that we ensure that our employees and our team members are complying with those policies. So one of the things we did there was to implement the training program.
Susan Manning: Right. And I think that we were pretty good on privacy and security concerns, but it's nice to be reminded of what's expected on a daily basis in terms of keeping our customers safe.
Daniel Doktori: Well, that's kind of the core point and I'm glad you raised that. So the of purpose of the GDPR is very consistent with the mission of Credly long before there was a GDPR. From day one we've been focused on giving individual credential earners control over their own achieved. The reason Credly exists is because you go through your life and get recognized for all these different things. But those achievements often get locked away and the registrar's office or in the learning management system that you had at your last company or in the HR department that you had three jobs ago. But in this new world and the world is changed by digital credentials now you Susan are carrying all those achievements with you and able to access them at any time.
So the GDPR is meant to kind of mimic that on a larger scale that says now you own your data and you choose to make that data available to different companies because lots of benefits come from being making that data available. We've all had that slightly scary, slightly cool experience of having searched for something somewhere and then all of a sudden you start seeing ads are super tailored to the thing that you looking for. And you're like, gosh, who's been reading my email? But it's the data at work.
And so sometimes sharing our data, it improves our lives. But just like on Credly, you can also change your mind. You can make any individual credential private that once was public or turn a credential that is private public itself. Or you can manage your account, you can share any individual credential on different types of platforms. You can delete credentials. You can delete your whole account. And you can do that at any time.
And so basically what was already true in Credly is now becoming required by law in a general sense under the GDPR. So it was a welcome change for us. We had to make some minor changes in terms of processes internally but as a service, in a what we do fundamentally, we are fundamentally compliant with GDPR. And were from day one.
Susan Manning: Well thank you for unpacking this with us Daniel. You did a good job of not just sounding like a lawyer. I appreciate that.
Daniel Doktori: Thank Susan. Thanks for having me on. It was awesome.
Susan Manning: Sure.
Thank you listeners for joining us. If you'd like to suggest upcoming topics, feel free to write us at firstname.lastname@example.org.