Posted on: February 17, 2026
Author: Randy Bowman
Navigating the GDPR "Right to be Forgotten" While Retaining Learner Records: A Guide for IACET Accredited Providers

Recently, an IACET accredited provider reached out with a thoughtful and increasingly relevant question: What should we do when GDPR’s “Right to be Forgotten” seems to conflict with the IACET Standard's requirement to maintain learner records for seven years?

This question addresses a vital intersection between the General Data Protection Regulation (GDPR) and accreditation responsibilities. It also reminds us that compliance isn't just about following a checklist; it's about balancing legal obligations, learner rights, and quality assurance.

Let’s unpack the issue and provide some clarity.

First Things First: Accreditation Is Not Legal Counsel

Before diving in, it’s important to state clearly: IACET is not a legal authority and cannot provide legal advice. What follows is informational guidance based on how providers have approached this challenge in practice. You should always consult with legal counsel, especially one well-versed in GDPR and educational record-keeping laws, before changing your policies or practices.

The IACET Standard and Record Retention

IACET’s Standard 8.5 requires accredited providers to:

“Have a process to maintain training records and make them available to learners for a minimum of seven (7) years.”

This expectation ensures that learners can retrieve documentation to support licensure, employment, or other requirements. However, it also contains an implicit but important caveat: as allowed by local law.

So, if your organization operates in the European Union (EU) or serves EU citizens, GDPR’s data protection rules come into play.

Understanding GDPR’s “Right to Be Forgotten”

Article 17 of the GDPR gives individuals the right to request erasure of their personal data. However, this right is not absolute. Under GDPR, data may be retained if necessary for:

  • Compliance with a legal obligation
  • Establishing, exercising, or defending against legal claims

This means if your organization has a lawful reason for keeping learner records, such as maintaining accreditation, fulfilling professional licensing requirements, or defending against legal claims, you may be exempt from erasure in certain cases.

The key is to document that rationale and make it transparent to learners.

What Global Providers Are Doing

Here are some practices that other international providers have used to reconcile GDPR compliance with IACET accreditation. Consider these ideas as starting points for discussion with your legal team:

  1. Be Transparent in Your Privacy Notices. Inform learners, especially those in or from the EU, that training records will be retained for a minimum of seven (7) years due to accreditation and compliance requirements. Make it clear that this may affect their ability to have records deleted.
  2. Minimize What You Retain. Only hold on to the data you truly need. In many cases, verifying CEU issuance requires only a few fields: name, course title, completion date, and CEUs awarded.
  3. Create a Protocol for Handling Erasure Requests. Create an internal review process to evaluate each deletion request. Your legal counsel can help determine whether the request qualifies for an exemption under GDPR.
  4. Segment Your Data by Region. If feasible, use geographic data to tailor your privacy notices and data workflows. This helps you stay nimble when juggling global data privacy obligations.
  5. Document Your Decisions. When you retain learner data under GDPR’s exemptions, keep internal documentation explaining your legal or legitimate interest basis. This protects you if your decision is ever challenged.

Striking the Right Balance

Being a global training provider often means walking a tightrope between different sets of requirements. The good news? You don’t have to choose one or the other. With thoughtful policies, transparency, and the right legal advice, it’s possible to comply with GDPR while honoring the record-keeping standards that underpin the credibility of CEUs and your accredited status.

At IACET, we’re encouraged by providers who proactively ask these kinds of questions. It illustrates both a commitment to compliance and a deeper understanding of the responsibility that comes with issuing recognized, trusted credentials.

If you require further clarification on how the IACET Standard applies in these situations, reach out to us. We're here to support your success, both globally and locally.


About the Author

Randy is a seasoned executive leader currently serving as the President and CEO of IACET, a non-profit accrediting body in the continuing education and training sector. With a focus on strategic vision and operational excellence, he effectively leads the organization to achieve its mission and goals.

With over two decades of experience in various leadership roles, Randy has a proven track record of driving organizational success. His expertise lies in aligning technological solutions with strategic objectives, ensuring operational efficiency and sustainable growth.

