How Automation Can Help Your Training Business Comply With the GDPR
It's less than two months until the General Data Protection Regulation comes into force. On May 25th, 2018, businesses around the globe will be processing data in a whole new way - with the threat of increased fines for non-compliance.
The GDPR is designed to protect an individual's data and prevent breaches. As a business certified as ISO 27001-compliant, we're familiar with a lot of the incoming changes, since we adhere to a strict data processing framework that meets an international standard. However, there's more to the GDPR's wide-ranging changes than implementing stringent processes that minimise the risk of data breaches within a business.
These are regulations that don't just strengthen existing data protection laws; they completely revolutionise them. The GDPR is designed to protect EU citizens' data and harmonise data protection across the continent, which means businesses are now wholly responsible (and liable) for implementing secure data processes. It also means individuals now have much more control over the data companies hold on them - and that includes everything from their name and email to their IP address and DNA.
Once you start getting your head around precisely what's required of you and your team, you'll realise that this isn't something you can rush in the last two weeks before the deadline.
Implementing all the changes that the GDPR demands will take time. Automated technologies like our training management system will help tackle some of those demands on your time.
Introducing new rights for your delegates
The GDPR introduces eight core rights for individuals (for training companies, these rights apply to both employees and delegates). These are...
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
You can read more about how these rights will affect your training operations in our free guide, 'GDPR: Risks, Rights and Responsibilities to Course Delegates'.
So, let's say a delegate gets in touch with you to ask what data you hold on them. That's a reasonable request, as determined by the GDPR, and you'll have 30 days to comply. But how can you spare the time to handle those sorts of requests?
This is a prime example of where automation can relieve that sort of pressure.
Our Report Engine is ready-made to comply with the GDPR's Right to Access. This right entitles individuals to see the data you hold on them.
Should you receive such a request, the Report Engine enables you to automatically pull all the data you hold on your delegates into a machine-readable format.
Such a feature also means that, under the Right to Rectification, you can correct inaccuracies in a delegate's profile just once, without having to duplicate the data across stacked systems. Delegates will also have the option to update their records from within their Learner Portal. No fuss, no bother.
You'll also be able to supply or remove details, as laid out under the Right to Data Portability and the Right to Erasure. And it beats rummaging through spreadsheets or groping around clunky systems attempting to gather all necessary data into a single file.
Another core right is the Right to Consent. This ensures that delegates clearly accept that you will hold and process their data. You know those check-boxes on online sign-up and registration forms that say 'I do not want to receive emails...'? Well, those won't cut it in the brave new world of the GDPR. And you absolutely cannot simply assume that individuals are happy to get communications from you. You must gain explicit consent from them. Online, this will typically take the form of an opt-in checkbox.
Our automated course management system will take care of that ...
- Delegates can take full control over their marketing preferences, without you needing to manually intervene, by choosing to opt-in or out within their Online Learner Portal.
- Any delegate who chooses to opt-out of receiving your marketing emails will be added to a list; when you send ad-hoc emails tagged as marketing communications, the system will automatically exclude all those on the opt-out list.
Breaches, audits and accountability
A large part of the GDPR concerns security and data breaches. In its simplest form, this means that you must implement and track data processing procedures designed to minimise risk.
Here's how the accessplanit training success platform helps...
In the first instance, the best way to avoid data breaches is to already have strong security and processes in place. When it comes to security, our system already operates under intensely high standards, as laid out by the ISO. For example, Test and Sandbox sites bypass email rules for password resets, adding an additional layer of security and preventing unauthorised access (which may lead to a data breach).
In the event of a data breach - defined as 'Unauthorised or unlawful processing... accidental loss, destruction or damage' - you'll need to tell the Information Commissioner's Office (ICO) why it happened, who's affected and what steps your training organisation has taken to prevent the breach from occurring again. That all needs to happen within 72 hours.
Our software provides the audit logs you'll need to supply to the ICO, tracking administrators' actions throughout the system, enabling you to show the ICO precisely what actions occurred leading up to the breach.
These automatically generated audit logs will be absolutely vital not just in showing the ICO why the breach happened, but also how you can avoid a breach in future.
Watch our free webinar, 'GDPR: A checklist for training companies', to learn more about how to ensure your business is prepared for the deadline date.