Continuing education providers might not have been aware that May 24, 2018, was one of the biggest email volume days ever recorded. But many knew that the EU’s General Data Protection Regulation (GDPR) became law the next day.
Much of the email volume on May 24 was privacy related, says Carly Brantz of SendGrid, the email service provider that reported the unusual volume. Included in those emails were notifications from U.S. providers of continuing education, which are not exempt from the European regulation. Many have been updating processes to stay in compliance with the regulation.
U.S. Scope for a European Regulation
Providers of continuing education in the health professions usually welcome international participants. Even those who don’t actively attempt to recruit attendees from the EU often have visiting professionals attending their events.
The GDPR states that organizations in other countries must be in full compliance when personal data of an EU citizen is involved. So unless the provider is prohibiting EU citizens from participating in educational activities, those organizations are in scope for GDPR compliance.
Noncompliance could be expensive, with fines of up to 20 million euros, or 4 percent of total revenue, whichever is higher.
Compliance for Providers of Continuing Education
So what does compliance mean for CE organizations? It depends on the size and type of organization, but three key elements are: 1) the right to be forgotten; 2) the right to access; and 3) explicit consent.
Michael Fletcher, director of information technology at the Endocrine Society, spent months preparing for the deadline with his team. Ten percent of the society’s membership lives in the EU, and a total of 45 percent are international.
Fletcher said a big challenge was consolidating data so that the Endocrine Society can comply with the right to be forgotten and the right to access.
“The education department specifically has tracked a lot of information in decentralized ways, for example spreadsheets. I know that I can’t prevent people from downloading records. And we can’t wipe data off every spreadsheet without destroying other data. So we are training the staff, and we talk about it every month. Pull only the data you need,” Fletcher said.
Patricia Merry, director of public information at University of Washington Continuing Nursing Education, had to prepare alone. With a small team and university policies not yet ready, she looked at what Mailchimp and other marketing technology companies were doing.
She discussed sending out an email to refresh the opt-ins, she said, “but we’ve always had that. So we sent an email saying that our policies were updated and asked people to review them.”
As for marketing lists the department had purchased, “we decided not to use them anymore because it might be a policy violation,” Merry said.
Rethinking the Collection and Storage of Data
The bright side of GDPR for Fletcher is that it has made the Endocrine Society think about privacy by design.
“We’re looking at all these decentralized data stores where they have data stored and thinking, ‘how can we get that inside our core AMS system so we can centralize it and make it easier to clean?’ It’s much easier if you design your processes to be centralized to begin with,” Fletcher said.
Merry agrees. Her department spent time streamlining their data collection forms. “It really made us think, ‘why are we collecting this data?’” she said.
A Business Relationship With Participants
Another principle of the GDPR is the concept of a pre-existing business relationship. The GDPR allows for marketing to EU citizens without explicit consent if a relevant relationship already exists. Many organizations are relying on this concept to manage consent.
For example, at the Endocrine Society, many participants in educational activities are members and have a relevant business relationship with the Endocrine Society. In this case, according to Fletcher, GDPR allows for email marketing to those EU members without prior consent.
At another leading academic health system that asked not to be identified, the relevant relationship was determined to apply only to activities for which the attendees had already registered. The health system’s legal department determined that they could market to those attendees regarding that activity, but could not do marketing for other activities without explicit consent.
Another concern for accredited providers is what to do if the GDPR conflicts with accreditation requirements. For example, the Accreditation Council for Continuing Medical Education (ACCME) requires education providers to be able to verify participation for six years from the date of the CME activity. What should happen if an attendee at an ACCME-accredited CME event invokes their right to be forgotten?
Graham McMahon, MD, MMSc, president and CEO of ACCME, stated, “We understand the concern of accredited providers regarding their potential obligations under the newly implemented General Data Protection Regulation. However, compliance with the new EU-mandated regulation would not put an accredited provider at odds with the ACCME’s accreditation requirements.”
McMahon continued, “The ACCME requires that providers ‘must have mechanisms in place to record and, when authorized by the participating physician, verify participation for six years from the date of the CME activity.’ If a learner requests that their participation record not be retained or be erased, that would be acceptable to the ACCME.”
For the Endocrine Society, records will not be erased, but rather, anonymized.
“Our plan is that if a request comes in, it goes out to all staff and we look at activities that person was in, and if it’s something governed by ACCME, we have processes to anonymize the record. Name, email, personal information is replaced with ‘GDPR,’” Fletcher said.
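As an added illustration (not code from the article or from the Endocrine Society) of the anonymization step Fletcher describes, the Python below honours an erasure request across two constructed data stores, replaces the personal fields with 'GDPR', and shows that the per-activity participation count an accredited provider must keep for six years still verifies afterward. Field names and sample records are assumptions.

```python
# Added example: anonymize a learner's participation records instead of deleting
# them, so the activity, date and credits stay verifiable while identity is gone.
from copy import deepcopy

PII_FIELDS = ("name", "email", "phone", "address")  # assumed field names
MARKER = "GDPR"  # the replacement value described in the article

# Constructed sample data: a core AMS export and a departmental spreadsheet
# export, both holding records for the same learner.
STORES = {
    "ams": [
        {"name": "A. Learner", "email": "a.learner@example.org", "phone": "555-0100",
         "activity_id": "CME-2018-042", "completed": "2018-03-12", "credits": 1.5},
        {"name": "B. Other", "email": "b.other@example.org", "phone": "555-0101",
         "activity_id": "CME-2018-042", "completed": "2018-03-12", "credits": 1.5},
    ],
    "education_spreadsheet": [
        {"name": "A. Learner", "email": "a.learner@example.org",
         "activity_id": "CME-2017-007", "completed": "2017-11-02", "credits": 3.0},
    ],
}


def anonymize_record(record):
    """Return a copy with every PII field set to MARKER; other fields unchanged."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = MARKER
    return out


def forget_learner(stores, email):
    """Locate the learner (by email) in every store and anonymize each record.

    Returns the updated stores plus a list of (store, activity_id) pairs that
    were touched, which documents that the request was honoured without
    retaining the learner's identity. The input stores are not modified.
    """
    updated = deepcopy(stores)
    touched = []
    key = email.strip().lower()
    for store_name, records in updated.items():
        for i, rec in enumerate(records):
            if rec.get("email", "").strip().lower() == key:
                records[i] = anonymize_record(rec)
                touched.append((store_name, rec["activity_id"]))
    return updated, touched


def count_participation(stores, activity_id):
    """Participation count per activity: the fact ACCME verification relies on."""
    return sum(1 for recs in stores.values() for r in recs if r["activity_id"] == activity_id)
```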
For providers issuing Maintenance of Certification credit, learner data may be shared with ACCME for reporting to the appropriate board via ACCME’s Program and Activity Reporting System (PARS). Regarding that personal data McMahon said, “As part of this process, accredited providers must obtain permission from learners to share data about their activity completion with the ACCME and the certifying board.”
Both the Endocrine Society and the University of Washington Continuing Nursing Education continued their daily operations without disruption thanks to advance planning. However, the impact of personal data regulations has not fully hit continuing education organizations.
Other major providers of continuing education contacted for this article were still waiting for direction from their privacy officer or IT directors and had not yet taken any steps to change current marketing practices.
And while many continuing education providers are small targets with a small risk profile, others, especially those connected with larger institutions, may be at higher risk.
Regardless of the risk, privacy compliance can’t be ignored. The California Consumer Privacy Act of 2018 takes effect in 2020 and is bringing many of the same concepts contained in the GDPR to Californians. GDPR is just the first in what seems likely to be a continuing trend toward ensuring consumer data rights.
Ezra Wolfe is the chief technology officer of DLC Solutions LLC and directs the design and production of EthosCE, the leading learning management system for continuing education in the healthcare professions. Ezra has 20 years of experience in continuing professional healthcare education and e-learning technology. His background includes editorial design and journalism, and he has previously worked as a designer and art director before moving into technical leadership roles. Ezra holds a bachelor's degree from Syracuse University and a Master’s from the University of Kansas. He is also a member of the Almanac Editorial Board.