Moodle’s GDPR approach and plan
December 21, 2017
Here we outline Moodle’s approach and plan for the implementation of support for the EU General Data Protection Regulation (GDPR).
Our work to date
Earlier this year we reached out to the community through our forums and social media to gauge the needs of different organisations on how they would need to comply with GDPR. We received direct input from a number of Moodle institutions, our Moodle Partner network and developers.
During the summer (northern hemisphere) we put together an initial plan on what developments are needed to enable organisations using Moodle to comply with GDPR and then sought more feedback. In the last few months we have processed this feedback.
We have also engaged a specialist lawyer from Europe on a consultancy basis who has a strong background in data protection and data privacy to examine the specifications and make recommendations on where they can be improved to better enable organisations to be GDPR compliant.
We now have a plan to meet those needs and are scheduling the development within our Open Source team under the lead of Sander Bangma, our new Open Source coordinator.
We have a set of features now in development which will meet those compliance needs covering the following areas: onboarding of new users, privacy statements, the tracking of consent and handling of subject access requests.
The features will initially be implemented as plugins, with the following functionality:
1. The onboarding process of new users, including:
- Displaying all required privacy statements
- Listing and requesting consent for all 3rd-parties who may receive user data
- Establishing a process for consenting minors
- Capturing and recording each specific consent given by a user
2. Processes to comply with subject access requests (SARs), for a particular user, including:
- A request to retrieve all user data on Moodle
- A request to erase all identifiable user data on Moodle
- A request to modify user data
We will be releasing these plugins, scheduled for March 2018, which will enable those using Moodle 3.3 and 3.4 to become compliant with the new regulations by installing and configuring the plugins in addition to implementing the required organisational procedures and processes.
These features will then become part of Moodle 3.5 release which is a Long Term Supported (LTS) version of Moodle.
What to do now?
If you are not on Moodle 3.3 or above we recommend you upgrade before the end of February 2018. This will enable you to install the plugins. We are currently reviewing in what form we will offer a solution for Moodle 3.2 and below.
If you are on Moodle 3.3 or above you should make sure that you update to the most recent version of these releases.
Installing the plugins alone is not going to be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures is also required and you should engage with your IT and legal department on what is required.
If you need help with your upgrades from our Moodle Partner teams or for installing and configuring the plugins please get in contact at moodle.com/partners