If the UK GDPR regulations are the highest standard and most stringent privacy legislation in the world… how is it that so many proctoring companies claim compliance?
They can claim GDPR compliance because such a claim is not subject to third-party verification. Most proctoring companies are either registered in the United States or are foreign companies subject to the US Patriot Act. Data protection laws in the 27 countries of the EU all prohibit the disclosure of personal data without a data subject’s consent or knowledge, and yet the Patriot Act gives the US Government the ability to compel such data sharing without this consent.
Aware of this conflict between the US Patriot Act and the GDPR, many organizations try to address client/user concerns by demonstrating that they are “certified” under the United States Privacy Shield program.
What you might not know is that organizations are actually “self-certifying” by filling out a short questionnaire and making a payment of one thousand dollars to the U.S. International Trade Administration (ITA). (And that’s only if the business has annual revenue over $25 million. The smaller the revenue, the smaller the fee.)
The ITA states on its website that it is “important for both businesses and consumers to understand that Privacy Shield does not prevent the US government or law enforcement agencies from requesting data.”
In fact, on July 16, 2020, Europe’s top court invalidated the EU-U.S. Privacy Shield, stating that the Privacy Shield transfer mechanism does not ensure compliance with the level of protection required by EU law.
The conclusion? Be wary of any US-based company that claims GDPR compliance... and even more so if they retain and share user identification credentials.
Integrity Advocate’s claim of GDPR compliance is based on the same Privacy by Design architecture that was also the basis for the GDPR legislation. All data is hosted in GDPR-designated jurisdictions, out of reach of jurisdictions with governments requiring access to the data. Not only that, but Integrity Advocate only collects the data necessary to confirm a learner’s identity and compliance with exam rules, most of which is automatically deleted after 24 hours.
Get in touch today to learn more, or to request our GDPR Compliance Brief.