GDPR for Training Companies: How Our Software Can Help You Towards Compliance
We’ve made some system changes. Here you’ll discover how our training management system has been updated in response to the EU’s General Data Protection Regulations.
Whether you’re a processor or controller, you are liable for any third-party supplier you use. As such, if you automate any aspect of your business, your software supplier must adhere to the GDPR principles.
As an ISO 27001-certified company, we’re acutely aware of how important information security is. And because we’re committed to the on-going success of our customers, the following developments are designed to ensure continued compliance with the new data protection rules.
How can our training management system help you towards GDPR compliance?
Lawful Data Processing
The GDPR demands that all companies have a legal basis for processing personal data.
As a training company, you may think this is a straightforward requirement: you need the personal data of delegates in order to process their course bookings and deliver training. However, delegates also need to be made aware of how you will process their data, also known as their right to be informed.
When marketing to individuals, businesses will be required by law to gain explicit consent from those data subjects – in other words, your delegates must opt-in.
We’ll help you lawfully gain this with the following system enhancements:
- Allow new delegates to opt-in to marketing communications rather than opting out
- Manually opt out your contacts from marketing communications, for example if a delegate calls you to unsubscribe from communications
- Use opt-in and opt-out fields when performing data imports to ensure past preferences are always considered
- Delegates have the option to change their marketing opt-in preferences at any time within their Learner Portal
- Define which eCampaigns are considered marketing so you have explicit control over your communications
Reporting Data Breaches
The new regulations require you to report all data breaches within 72 hours of discovery. In the UK, you must notify the Information Commissioner’s Office (ICO).
Data breaches include ‘unauthorised or unlawful processing… accidental loss, destruction or damage.’
Failure to notify the relevant authorities of any data breach can result in fines of up to €10 million or 2% of global turnover; however, it’s worth remembering that once the GDPR is in force, you can risk fines of up to €20 million (or 4% of global turnover).
A key requirement of reporting any data breach is delivering evidence of incident investigation which can include audit logs. This allows the authorities – and your company – to see who was liable, how it occurred and when the breach happened. This is useful for limiting future data breaches and showing the ICO that your processes were designed to prevent breaches in the first place.
The following system enhancements assist you in this:
- Increased scope of audit logs
Maintaining Data Security
Data security lies at the heart of the GDPR.
To ensure that your system remains secure, we’ve updated the password policy and procedures to prevent unauthorised access. Note: This won’t affect the way you and your delegates log in to the system.
The following updates strengthen your data security further:
- New passwords will no longer be generated within the system; passwords must be reset via the emailed link
- Stronger encryption for all stored passwords has been applied
Want a tour of our GDPR-compliant features? Book a demo here.
Other Ways Our System Helps You
In addition to these exciting new developments, the accessplanit training success platform already features several functionalities that can be used to keep you GDPR compliant. These include…
Subject Access Requests
Your delegates will have the right to request all the data your training company holds on them and the right to transfer their data from one business to another. These requests need to be fulfilled within one month of receipt, with the data delivered in a commonly used format.
Using our Reporting Engine, you can easily pull all information held on an individual and export that data in formats including Excel, Word and PDF.
It’s important that you securely retain any data on an individual – even inactive delegates. Within the system, you can set up filters and reports that monitor inactivity over a set amount of time.
When the retention period is up, filters help you to define the relevant data to remove.
The Right to Rectification
Another core right of your delegates is the right to rectification. If you hold inaccurate data, individuals can request that those details be corrected and kept accurate.
We’ve made this step even easier – delegates can update their own details, including marketing preferences, via the Learner Portal.
Test and Sandbox Sites
You may currently be using an accessplanit Test site or Sandbox site. These sites bypass email rules when resetting your password, to ensure increased security.
Data Breach Reporting
In addition to the new developments for audit logs, the system has always offered audit log tracking. This means you can see, at a glance, which users have accessed the system and when, as well as seeing which parts of the system they went to. This information is vital should you need to report a data breach to the ICO.
Want to know how the GDPR changes your training operations?
We've held a GDPR for Training Companies webinar which will provide the information you need. If you’d like to know more about how the new regulations will affect your training company, sign up today. If you'd prefer a one-to-one session, book a demo here.