One of the biggest changes in data privacy regulation goes into effect on May 25, 2018. To strengthen the security and protection of EU citizens' personal data, the European Union will require businesses that collect and handle an EU citizen's personal data to comply with the General Data Protection Regulation, commonly referred to as GDPR.
Pluralsight's mission is to create progress through technology that lifts the human condition. Central to that mission is our commitment to be transparent about how we protect our customers' data. We recognize the trust and responsibility granted to us and we will be ready for the GDPR by May 25, 2018.
Along with updating our own internal business processes to be ready, here is how we'll support our business customers with the GDPR:
- As one of your data processors, we will ensure compliant data processing controls and will reflect such controls in updated agreements with our customers and vendors.
- We are building new product capabilities and processes that allow us to quickly respond to requests to erase or access user data.
- We are also refining how we gather and track consent to perform certain types of data processing.
Data Processor Responsibilities
As a data processor and as outlined by the GDPR, we are committed to providing our customers with:
- An updated Data Processing Agreement (DPA) that reflects the requirements of the GDPR and ensures compliant data transfer and storage outside of the EU.
- Technical and organizational security measures to secure data in transit and at rest, as well as continuous monitoring for intrusions.
- Prompt notification of breaches involving customer data.
Though the GDPR is not yet in effect, Pluralsight already enables several of the requirements included in the Regulation, including these capabilities:
- Right of Access: All users have a right to access their personal data and may do so from their account profile.
- Right of Rectification: All users have the right to correct any personal data that is inaccurate or incomplete. Corrections may be made by a user in the account profile or by contacting Pluralsight support.
- Right to Data Portability: In addition to being able to get all learner data from within the account, learners may request their data by contacting Pluralsight customer support.
- Data Transfer: Pluralsight's platform is hosted on servers in the United States. We ensure that EU citizens can use Pluralsight and be compliant with the EU rules on data transfer under both the 1995 Directive and the GDPR by participating in the EU-US Privacy Shield Framework.
To comply with specific user rights and processor obligations outlined in the GDPR, we are developing new capabilities that will be available to all Pluralsight customers in early 2018:
- Clear Transparency and Consent: Upon account creation, the notification that learners receive regarding the data we collect and the purposes of collection will be updated to be GDPR-compliant. Additionally, learners will have to "opt-in" to receive specific types of communications. After an account is created, learners will have the ability to easily change those preferences regarding communications in the account profile.
- Support for Erasure Requests: We are making it easier to honor requests to be forgotten by adding a "close account" feature. When we receive a request to delete an account, all personal data associated with that account will no longer be retrievable.
At Pluralsight we are committed to maintaining an effective security and privacy program. We are dedicated to ensuring customers have the highest confidence in our data protection practices and see GDPR as an opportunity to strengthen this devotion.