Security for Blackboard Learn

Strengthening Our Data Privacy Program With Binding Corporate Rules


One year after the EU General Data Protection Regulation (GDPR) came into effect, Blackboard continues to strengthen its data privacy program. On 10 May, we submitted our Binding Corporate Rules (BCRs) for authorisation to the Dutch Data Protection Authority (DPA). This is an important achievement for us and our clients since the BCRs are considered the most robust and effective EU data transfer mechanism. Fewer than 140 companies have implemented BCRs to date and, to our knowledge, no other Education Technology company / LMS provider has taken this step.

Once we receive the authorisation from the Dutch DPA, the BCRs will allow us to transfer EU personal information within our group of companies to countries outside the EU/European Economic Area (EEA). Blackboard’s BCRs apply to both client personal data and Blackboard personal data. 

BCRs seemed the obvious next step for us in our ongoing efforts to provide our clients with the most effective protection of their personal information. Implementing the BCRs is easy for us as we are able to build on our strong data privacy program with its governance structure and processes. Since the BCRs not only require steps to protect transferred personal information but also impose strict requirements on a company’s data privacy program, our BCRs will provide additional assurance to our clients about the strength of our data privacy program.

The BCRs are just one of the many enhancements we have implemented in the last year. Earlier this year, we formalised our data privacy audit process and are currently conducting our regular data privacy audit to this new standard. To ensure close coordination between the security and privacy teams and senior management visibility of security and data privacy risks, we merged two separate forums into the new Security and Data Privacy Risk Council which reports to the Compliance Committee. We also started our implementation project for the California Consumer Privacy Act (CCPA) which will come into force on 1 January 2020 and later this year we will be releasing updated versions of our master agreement and data processing addendum with improved language for our clients.

Until the BCRs are authorised, we will continue to rely on our EU-US Privacy Shield certification in combination with our Intra-Group Data Transfer Agreements to adequately protect transferred EU personal information and to comply with the GDPR data transfer requirements.

You can find more details on our BCRs on the Data Privacy and Security Community site.