The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU); it also addresses the export of personal data outside of the EU. The GDPR became effective May 25, 2018.
We have had recent inquiries on the impact of the EU's GDPR privacy laws on the documentation requirements of the Statement on Standards for Continuing Professional Education (CPE) Programs (Standards). Sponsors may need to take necessary steps in order to comply with applicable laws, including GDPR, as well as with the documentation requirements of the Standards that are reviewed as part of the NASBA desk audit.
Please keep in mind that the Standards require all sponsors to provide certain documentation to us from time to time in order to evaluate your eligibility for continued accreditation under the Standards. The documentation requirements include, among other things, providing NASBA and potentially state boards of accountancy copies of registration and attendance records, including attendee lists and sign-in sheets, and developer, instructor and reviewer biographies that may contain personal information of others.
The following information has been added to the Sponsor Agreement to be acknowledged by the sponsor in the initial and/or additional delivery method applications as well as every annual renewal application submitted to the National Registry:
If your organization is subject to laws governing the collection, use and/or disclosure of personal information (e.g., GDPR), you acknowledge and agree that you are solely responsible for your compliance with all applicable requirements under such laws, including those affecting your ability to share personal information with NASBA, and you shall take all such actions as may be necessary to permit sharing and disclosing personal information contained in accreditation records requested by NASBA. Such actions may include, depending on laws applicable to your organization, notifying attendees, instructors, reviewers and others about whom you collect personal information that you may share their information with third parties for purposes including evaluating your accreditation under certain continuing professional education standards. Failure to take such actions necessary to comply with applicable laws shall not excuse your responsibility to comply with NASBA documentation requests.
Example Notification Language to Registrants and Attendees
The following is an example of language to consider providing to registrants and attendees of your CPE program offerings:
We may be required to share your personal information from time to time with other organizations in order to meet certain legal and regulatory obligations, requirements and certifications that enable us to provide certain Services to you. For example, we may need to include your registration or attendance information in records we are required to supply to certification or standard-setting bodies in order to maintain our accreditation to offer and deliver educational opportunities.
[If not already covered elsewhere][When we talk about "personal data" or "personal information" we mean information that (either in isolation or in combination with other information held by us) enables you to be identified as an individual (either directly or indirectly). Personal information may include your name, date of birth, postal address, e-mail address, computer IP address, phone number, payment card details, user-generated content or login information, and technical information from the devices you use to receive our Services.]
*Disclaimer* The above is merely an example of what may be included in a notice to registrants and attendees, but you are responsible for ensuring that it is accurate and meets any legal requirements. The way in which you elect to present such notice to your registrants, attendees and users is your decision and NASBA is in no way responsible for the validity of such decision, but some examples of how other sponsors choose to do so include the notice in their website privacy notice if signing up registrants via their website, reading the notice over the phone if signing up registrants via phone, and including it prominently on all sign-in sheets for attendees.