According to the GDPR: Institutions in the EU have the obligation to ensure that personal data are "limited to what is necessary".
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.
Canvas does collect data from students that access Canvas at home. A teacher is f.e. able to see when the exact time that a student did access a course or an item in the course. How does this comply with the GDPR? Is it necessary that a teacher can see at what hour and at what minute a student did click on a link in Canvas? Will the GDPR allow this? Can this Canvas feature be turned off?