Blackboard Case Study:

How Privacy Compliance Leads to Both Better Protected Data and a Business Differentiator

WireWheel helps companies manage their data privacy practices and comply with data regulations, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018. WireWheel enables companies to quickly answer the critical data privacy questions by automatically mapping their public cloud assets and facilitating the management of third party relationships. With WireWheel, companies can leverage their compliance obligations to maximize the potential of their data assets and allow privacy priorities to lead to a competitive advantage.

Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow. Millions of customers are currently leveraging AWS cloud products and solutions to build sophisticated applications with increased flexibility, scalability and reliability.

In this case study, we will discuss how Blackboard uses WireWheel and AWS to not only enhance its own commitment to protect privacy, but to enable each of its customers to better protect student data. Blackboard’s innovative approach to privacy extends to ensuring that its customers have easy access to privacy compliance tools and technologies, making the protection of student data a priority for both Blackboard and the learning institutions it serves. In turn, Blackboard’s commitment to privacy and the compliance of its customers has led to more innovation at the company and better alignment with its customers.

1. The Problem

As the leading global education technology platform, Blackboard manages the personal data of millions of students and employees around the world. Leading educational institutions and businesses use Blackboard to help their students and employees manage course selection, grades, and much more. Blackboard gives those constituents access to education technology that the institutions could not possibly manage or develop on their own.

When a customer of Blackboard adopts the Blackboard platform, under the GDPR, the customer is considered the “Data Controller,” or the party that decides “why” and “how” personal data should be processed. Blackboard is considered the “Data Processor,” the party that manages or “processes” the data, and is only allowed to use that data at the direction of its customers. Complicating matters, Blackboard is also a “Data Controller” for the information it collects about its employees, and Blackboard may also use “Sub-Processors” (subcontractors) to help it with the work that it does for its customers.

Prior to the implementation of the GDPR, EU law imposed very few obligations directly on the Data Processor. But under the new law, which went into effect in May of this year, Data Processors, and their relationship to the Data Controllers that hire them, have become much more regulated. For example:

  • The Data Controller can only use Data Processors that can meet the requirements of the GDPR, typically evidenced by the Data Processor providing a Record of Processing to the Data Controller;
  • The relationship between the Data Controller and the Data Processor must be governed by a contract;
  • If the Data Processor engages a Sub-Processor, it must seek consent from the Data Controller and trickle down its contractual provisions with the Data Controller to the Sub-Processor;
  • Data Processors must assist the Data Controller if someone wants access to the personal data the Data Processor holds on behalf of the Data Controller (“Data Subject Access Rights”).

While already committed to the protection of personal data for years, faced with the effective date of the GDPR in May of 2018, Blackboard needed a solution that would not only allow for its own compliance, but one that would also ease the regulatory burden of its customers under these and other applicable GDPR provisions. Using WireWheel and its native AWS deployment, Blackboard has been able to manage both its own compliance and to demonstrate its compliance to its customers, assisting them, in turn, with key tools to show their own compliance. The combination of Blackboard, WireWheel, and AWS has simplified a heavy regulatory burden and has turned it into a market differentiator.

2. Where Blackboard Started: Automated Data Mapping


3. Next Step: Labeling, Grouping, and Classifying Personal Information

Once Blackboard mapped its data, the next step was to identify the Personal Data housed in the AWS cloud. Using WireWheel’s Labeling, Grouping and Classifying module, Blackboard is able to help its customers manage more than just simple identifiers such as name and address; rather, it gives Blackboard’s customers the ability to pull database schemas on AWS to see how data is matched and correlated. This allows for full visibility into data that is truly “personal,” meeting the requirements of GDPR and the spirit of ever-changing global privacy regulations.

In addition, Labeling, Grouping and Classifying can help Blackboard glean important insights that can be utilized for its obligation to assist its customers with Data Subject Access Requests, providing quick identification of Personal Data within its systems. Using WireWheel’s proprietary process, Blackboard can then verify and provide that information directly to Data Controllers and data subjects within the regulated timeframe.

4. Continuous Third Party Management

Just as Blackboard’s customers have to ensure Blackboard’s GDPR compliance, so, too, must Blackboard perform due diligence on its own third party Processors (where it is the Data Controller) and Sub-Processors (where it is the Data Processor). To accomplish this, Blackboard uses the powerful WireWheel Tasking Engine to manage all of its third party processors. Blackboard can utilize the WireWheel Third Party Due Diligence template (one of many pre-populated privacy templates), which is quickly becoming the standard for third party due diligence, in order to reach beyond its own processes to understand how its third parties manage and protect Blackboard’s customer and employee data.

WireWheel’s third party management page then allows Blackboard easy access to update and manage its third parties over time. Moreover, as further described below, Blackboard can use its Privacy Engine, powered by WireWheel, as an easy and accessible platform for its customers to manage and approve any Sub-Processors, fulfilling a key requirement under GDPR.

5. And Finally: Ongoing Compliance: Blackboard’s Privacy Engine powered by WireWheel

Once Blackboard has completed its mapping, labeling, and third party due diligence in the WireWheel Platform, Blackboard can provide all of its compliance documentation to its customers using its Privacy Engine powered by WireWheel. This seamless output gives Blackboard a central location for all of its compliance documentation: its Record of Processing, individual maps, data classification and Sub-Processor approvals. Using WireWheel, Blackboard can also customize this output on a customer-by-customer basis, showing customers how Blackboard is protecting the privacy of the data it manages in an automatically updated, easily accessible format.

6. The Solution: Blackboard + WireWheel + AWS: Compliance, Better Protected Data, and Business Differentiator

Blackboard’s challenges are typical of companies of its size: distributed information relevant to the privacy programs, many third-party vendors, and multitudes of potentially-personal data. Indeed, student data is some of the most sensitive data that can be collected, and universities are now collecting, observing and logging more data from their students as a way to enhance how learning is delivered. Blackboard’s goal has been to enable innovation at schools, while also providing advanced tools and insights so that schools can do more to protect personal data.

By centralizing its data stores on AWS and driving its privacy program in WireWheel to embrace privacy protection as a feature of the platform, Blackboard has the chance to embrace a significant market advantage. As Blackboard can clearly demonstrate its commitment to privacy and also show its customers how to do more to protect the privacy of student data, Blackboard’s sales cycle is significantly expedited. The end result is both faster sales and safer student data within the entire customer ecosystem.

Blackboard’s customer-first approach has been critical to its overall business success. By leveraging its cross-functional team, AWS, and WireWheel, Blackboard is moving the needle forward as a case study in how a path to compliance can be both better for the overall protection of student data and better for business.

“Blackboard is the leading education technology platform worldwide with over 100 million users, most of them minors. We chose to work with WireWheel because Justin Antonipillai, having led GDPR negotiations on behalf of the US Government, knows more about GDPR and data privacy than anyone else in the United States, and we saw that the WireWheel platform meets our exceptionally high data privacy standards.”