Thinking about data protection not only on the home stretch

Whether you take a strict or lenient approach to it – data protection is an ever-present topic in the EdTech industry. “Rightly so,” says data protection expert Daniel Lohninger. The internet activist specializes in state surveillance and data protection in the education sector at epicenter.works, the Austrian civil liberties organization for digital security and data protection, and he is also the CEO and founder of the educational branch of the NGO epicenter.academy. “Especially when it comes to data of children and teenagers. They are particularly vulnerable because the consequences of data storage are not yet fully foreseeable for them, and in school, they often cannot decide for themselves which tools they use.” We have taken a closer look at what entrepreneurs should pay attention to in order to handle data responsibly.

Data Protection Law – the GDPR

First of all, this article does not replace professional legal advice. Nevertheless, we want to provide you with an initial insight into the topic. Data protection has been a relevant issue not only since the General Data Protection Regulation (GDPR), which has been in place for five years now. This fact is pleasing to many, including Daniel, who sees this European regulation as an international model example for taking a step towards uniform data security: “If companies would comply with the GDPR, we would have far fewer problems. Unfortunately, too many handle the data they collect negligently.”

Therefore, here are the most relevant points of the GDPR for EdTech companies:

• Consent: Before collecting data, the data subject must give their permission. This consent must be voluntary and based on understandable information about the purpose of collecting this data and how further processing will take place. This also includes information on how long the data will be stored. Companies must disclose this information in their privacy policies and terms of use.
• Rights: Users have special rights, such as the right to information, correction, deletion, and restriction of processing or portability. Entrepreneurs must guarantee these aspects.
• Data Minimization: According to our data protection expert Daniel, one of the most important points for EdTech companies from the GDPR. This means that only the most necessary personal data should be collected. More on this under “Privacy by Design”.
• Technical Security: To ensure data security, the necessary technical and organizational security measures should be in place. These include data encryption, access controls, or regular security checks.
• Data Processing Agreements: When external service providers are commissioned to process personal data (such as cloud providers), appropriate contracts must be concluded. For the transmission of personal data outside the European Economic Area (EEA), protective measures such as standard contractual clauses or binding corporate rules apply. The Austrian Economic Chambers (WKO) provides a template for a data processing agreement.
• Data Protection Impact Assessment: Especially when developing EdTech programs that are based on new technologies or process sensitive data such as ethnic origin, disabilities, medical needs, mental health, religious affiliation, or even biometric data such as fingerprints, facial or voice recognition, a data protection impact assessment is advisable. This involves assessing potential privacy impacts and taking measures to minimize risks.
• Data Protection Officer: If possible, there should be someone on the team who takes care of data protection. They should ensure compliance with data protection regulations and serve as a point of contact. This can sometimes be challenging in schools because this responsibility lies with the school administrators, who often lack specific training.

Privacy by Design

Privacy by Design is a principle that considers data protection and privacy from the very beginning of the technology design process. Protective measures are taken during the development of technologies, systems, or services, rather than adding them later. If data protection is already embedded in the initial stages of ideation, risks can be identified early on and ideally avoided.

In general, this means collecting as little data as possible, only those that are essential for the process. Users should be informed about this and have control over their data. This includes the possibility of withdrawing consent for data processing, correcting their data, or deleting it altogether. All of this ultimately requires raising awareness of data protection and privacy among all employees of the company and incorporating it into the company culture.

Interview with Daniel:

What is your top tip for handling user data responsibly?

In addition to Privacy by Design, it is also about avoiding large monopolies when data must be stored or processed for important purposes. Because if it is primarily about profit and data collection, data security is often neglected. It is best to rely on local solutions and open-source solutions hosted and developed in Austria.

Do you have a best practice for building privacy-friendly digital developments?

I believe the Stopp Corona app has demonstrated how responsible handling of user data can look like. Under our advice, it was decided to process the data about meeting times – when and with whom someone met – anonymously through a decentralized system. The app generated random numbers instead of specific personal data. This was extremely privacy-friendly, as no personally identifiable data was stored centrally.

What is your vision for data protection in the near future?

I would like to see a shared, open-source software and more European cooperation to create an alternative model to the big monopolies. Something that is not purely capitalist. A model that we can use based on our ethical principles and in compliance with data protection in the European region. I believe that this could be easily exportable – just like the GDPR has spread to South America, Africa, and Asia, as demonstrated by countries like Brazil, Kenya, and Japan, among others.