GDPR and what it means to your training organisation or RTO

Posted by Bruno Cozzi on 07/12/2018

Everywhere you look the term “GDPR” keeps popping up. But what is it, and what does it have to do with your training organisation or RTO?

Figure 1 - Image provided courtesy of: - 15 Essential Facts about General Data Protection Regulation (GDPR)

GDPR: General Data Protection Regulation became mandatory in the European Union on 25th May 2018. It also applies to any businesses wishing to operate in the EU market place or that holds data.

Well that’s Europe, we only operate in Australia, what’s the big deal?

GDPR’s jurisdiction is not limited to within the geographical borders of the EU; instead, it extends to organisations outside of the EU that process EU citizens’ personal data. Whilst this may seem impossible to fully enforce, it means non-European companies that wish to trade in the EU will have to follow the same rules as EU organisations. (Ref: Figure 1).

Can you guarantee that you don’t hold or intend to hold personal data for any learner or employee belonging to a member state of the EU? Example, you don’t have and never intend to have students from any of the 28 member countries that make up the EU? But even if you don’t, GDPR is being recognised as a worldwide personal data protection model that is likely to be taken up in many other countries and regions in the very near future. Our clients in Singapore have already insisted that we update our LMS Contracts and Licenses to include compliance to GDPR. The scope is massive and odds are that sooner or later your business will need to comply. This blog will help you to identify what GDPR is and why you need to know about it.

GDPR in no way contradicts or conflicts with the Australia Privacy Act 1988 or its data breach reporting amendments in Feb 2018. But being GDPR compliant also doesn’t exempt you from your obligations under the act.

What is GDPR?

Being GDPR compliant simply means that you have done everything according to the rules and have taken responsibility to ensure that the personal data you collect or process on behalf of your clients is safe and secure. That sounds incredibly simple when put like that, but as we all know the internet and in particular the “dark web” has become an extremely complex and mysterious place for business to transact these days. As the owner or administrator of a busy training organisation you probably have a million other things to occupy your time than trying to uncover the deep dark secrets of the cyber underworld. So you have very little choice other than to ensure the organisations, vendors and service providers that you rely on to keep your business online and connected are doing their utmost to help you be compliant.

Your organisation interacts with personal data either as a Data Controller or a Data Processor. A Data Controller determines the reason data should be stored or processed. A Data Processor performs the operation of storing and/or processing personal data. Your organisation could be both.

This is a simple checklist of the areas your technical team need to be taking care of.

Your Data:

  1. Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it.
  2. Your company has a list of places where it keeps personal information and the ways data flows between them.
  3. Your company has a publicly accessible privacy policy that outlines all processes related to personal data.
  4. Your privacy policy should include a lawful basis to explain why the company needs to process personal information

Accountability & Management:

  1. Your company has appointed a Data Protection Officer (DPO) – only required in some scenarios.
  2. Create awareness among decision makers about GDPR guidelines
  3. Make sure your technical security is up to date.
  4. Train staff to be aware of data protection
  5. You have a list of sub-processors and your privacy policy mentions your use of this sub-processor
  6. If your business operates outside the EU, you have appointed a representative within the EU.
  7. You report data breaches involving personal data to the local authority and to the people (data subjects) involved
  8. There is a contract in place with any data processors that you share data with

New Rights

  1. Your customers can easily request access to their personal information
  2. Your customers can easily update their own personal information to keep it accurate
  3. You automatically delete data that your business no longer has any use for
  4. Your customers can easily request deletion of their personal data
  5. Your customers can easily request that you stop processing their data
  6. Your customers can easily request that their data be delivered to themselves or a 3rd party
  7. Your customers can easily object to profiling or automated decision making that could impact them


  1. Where processing is based on consent, such consent must be freely given, specific, informed, and revocable
  2. Your privacy policy should be written in clear and understandable terms
  3. It should be as easy for your customers to withdraw consent as it was to give it in the first place
  4. If you process children's personal data, verify their age and ask consent from their legal guardian
  5. When you update your privacy policy, you inform existing customers


  1. You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to.

Special Cases

  1. Your business understands when you must conduct a DPIA for high-risk processing of sensitive data.
  2. You should only transfer data outside of the EU to countries that offer an appropriate level of protection

Reference: - Provided by: Privacy Radius (Website: In addition to providing this list Privacy Radius offer tools and services to help you manage GDPR compliance.


How does GDPR square with AVETMISS?

This is the million dollar question that we are currently discussing with NCVER. At this point we were unable to find any public statement from NCVER that deals with this question. Yet the very heart of AVETMISS reporting relates to the collection and use of a significant amount of personal data. There are several instances of GDPR compliant colleges that deal with this conflict through the mechanism of consent. That is the college states publicly how personal data is collected and used by NCVER. And the learner consents for his or her personal data to be used in that way.

That’s all well and good, but as a software provider we are not satisfied that NCVER is currently doing enough to protect or prevent the misuse of the personal data that exists in AVETMISS submissions. The fact that this data is collected and distributed in plain text files is itself a privacy issue. More needs to be done to ensure that personal data collected for statistical purposes is transmitted securely via SSL encryption, without manual intervention and conducted by modern secure web services with appropriate authentication.

Until that happens, there is little that a Learning or Student Management System can do to improve the secure transfer of your clients’ personal data.

In the meantime, if you haven’t done so already, at least ensure that your privacy policy is compliant and clearly visible on your website so that your clients can consent to their personal data being used accordingly.

TOPICS Corporate Enterprise Training Web Technologies Security

BOFU CTA Image Place Holder-please add draft copy here  BOOK A DEMO HERE! Click here to request a demo with our Bluegem team now.