GDPR update: Teachable’s commitment to personal data privacy

You’ve probably received handfuls of emails about the EU’s latest privacy law, the General Data Protection Regulation (“GDPR”). This new law comes into effect on May 25, 2018, and was created to protect the individual privacy rights of EU residents. The regulation impacts how organizations of all sizes across the globe collect and handle EU customer data. There’s a ton to cover so, if you’re inclined, we welcome you to read up on the GDPR legislation.

For the last several months, we at Teachable have been working hard to ensure that we’re prepared for the GDPR. In addition to getting ourselves ready, we’re also building tools and processes to help our school owners be compliant.

Note: this article was last updated on May 25, 2018. See full list of updates at the bottom of the article.

What the GDPR means for creators and students

The scope of the GDPR is very broad. Not only does it affect all organizations established in the EU, but it also applies to any organizations involved in processing the personal data of EU citizens, no matter where they’re located, across industries and sectors. As a school owner, you may be wondering if you need to comply with this new regulation. As with any legal matter, we suggest consulting with legal and other professional counsel regarding your compliance obligations.

However, as a rule, if you process any personal data of EU residents—even just collecting or storing their names and email addresses—the GDPR will apply to you.

The GDPR’s main impact on Teachable school owners and their students has to do with:

  • Processing data requests (“right to be forgotten” and “right of access”)
  • Freely given consent to send information via email
  • Handling data sent to third-party services (subprocessors)

It’s important to note that while we’re creating tools to help you be more compliant, there are still responsibilities you have to take on. That’s why we always recommend seeking your own legal counsel.

Tools Teachable is building to help school owners comply

Here are some of the tools and processes that we’re working on to assist school owners in complying with the GDPR.

Native student contact form

We’ve made it easier for students to get in touch with you by adding a contact form in their profile area. This will help facilitate better communication between students and instructors, including with matters of data handling.

Students can access the contact form via their profile dropdown:

Upon clicking, they’ll be brought to the form within their profile area:

When students submit messages, you’ll receive an email and will be able to reply to them directly.

Easily handle student data requests

School owners are responsible for handling student data requests. Data requests can come in two forms:

  1. Right of access (aka data export)
  2. Right to be forgotten (aka data deletion)

While we are still working on building these tools, you will be able to perform either of these actions for a particular student by going into their profile via Admin > Users > User > Information.

From this Information page, owners will be able to export the student data, triggering an email directly to the student. You will also be able to delete the student’s data, which will remove all personally identifiable information from the Teachable platform (student name, email address, IP address, course activity, etc.).

When you process a student deletion request as a school owner, the student will only be deleted from that school (not all Teachable schools they are enrolled in with that email address).

GDPR-friendly consent checkboxes when collecting email addresses

Another change with the GDPR is that you may need explicit consent to email users that sign up to your school. (Here’s an article with more information about GDPR email consent requirements.) The most straightforward way to handle this is to include a consent checkbox that the user must click in order to opt into receiving emails.

On Teachable school sign-up and checkout pages, we have adjusted our checkboxes to collect opt-in consent from students to receive emails, as well as active agreement to Teachable’s and your school’s privacy policies and terms of use.

For example, the checkboxes appear here on a school checkout page:

The checkboxes are also present if the user is creating an account while checking out with a course. Students can change their email preferences at any time from their profile. You can adjust copy for both checkboxes within Site > Custom Text.

Using Zapier (covered below), you can easily filter out users that didn’t consent to marketing emails from reaching your third-party email service provider.

Pass unsubscribe events to third-party services via Zapier

Another major aspect of the GDPR that business owners need to consider is how subprocessors process user data. A subprocessor is a third-party data processor. A common example for school owners could be your email service provider, like MailChimp, ConvertKit, or Aweber.

To help manage the relationship between school data and third-party service providers, we’ll be passing unsubscribe events through Zapier via a new trigger called Student Unsubscribes from Marketing Emails. Zapier is available on Basic plans and higher.

For example, you could use this trigger to set up a Zapier action so that when a student unsubscribes from your school’s email updates, that student will also be unsubscribed from your third-party email service provider such as Mailchimp or ConvertKit.

This way, your students won’t receive further emails from any source, and since it will happen automatically, there’s no hassle for you either.

If you don’t have Zapier, or the service you wish to connect with does not support it, you can also use our new webhook, called User Opts Out of Marketing Emails, to accomplish this.

More info about how Teachable is preparing

As a company that processes personal data from all over the world, we’ve always taken the privacy of our users very seriously. To maintain this standard, Teachable is committed to being fully compliant with the EU GDPR. Below are a few of the actions we’re taking to ensure we’re compliant with the GDPR.

Consulting legal counsel

Because these matters can be complex, Teachable is retaining outside counsel to review our processes and make sure we’re compliant with GDPR requirements.

Updating our privacy policy

Teachable updated our Privacy Policy to reflect disclosures required by the GDPR. It includes:

  • More details on the purpose and legal basis for the data processing that we do
  • Explanation of how we use cookies while providing our services
  • An outline of the process for users in the European Union to request access to their personal data and to request that their personal data be permanently deleted

Providing a data processing agreement (DPA)

If you are an EU customer, or have students in the EU, and wish to view and/or sign our DPA, please visit https://teachable.com/dpa

Erasing and exporting school owner data by request

We’re designing a procedure for EU users to request an export of personal data collected by Teachable as well as put in a request for deletion of that data. To take either of these actions, please use our help form.

Additional compliance suggestions for school owners

DISCLAIMER: The following suggestions should not be considered legal advice for complying with the GDPR. They are a general explanation that covers the things we at Teachable are doing to help school owners comply. Individual situations may vary. Please consult with an attorney or other legal professional if you’d like specific advice on complying with the GDPR rules.

Familiarize yourself with the requirements of the GDPR

While there are tons of resources available online pertaining to the GDPR, here are a few in particular the team at Teachable found useful:

Update your privacy policy and terms of service

This may be a good time to review and update your school’s privacy policy and terms of service—consult with legal counsel.

Review your subprocessors

Similar to reviewing your own school’s legal documents, now is a good time to review which third-party subprocessors you’re sending data to and determine whether these services are compliant with the GDPR.

What’s next?

Over the following weeks, we will be updating this article to reflect ongoing GDPR-related progress on our tools and processes. In the meantime, if you have GDPR-specific questions as a Teachable school owner, please email [email protected].

Article updates

  • Published May 3, 2018
  • Section updated on May 22, 2018:
      • Pass Unsubscribe Events to Third-Party Services via Zapier or Webhook
  • Sections updated on May 24, 2018:
      • Updating Our Privacy Policy
      • Providing a Data Processing Agreement (DPA)
  • Sections updated on May 25, 2018:
      • Native Student Contact Form (new)
      • GDPR-Friendly Consent Checkboxes