GDPR for Training Companies: Processors, Controllers and Liabilities

GDPR PC-671034-edited

Do you know who in your training organisation is responsible for data protection? The General Data Protection Regulation (GDPR) was the biggest change to information security since the Data Protection Act, and in addition to increased rights for individuals, there’s also a change in terminology and increased liabilities for businesses who collect, store and process personal data. If you want a refresher on what the GDPR means to your training business, read this blog.

As an ISO 27001-certified company, committed to rigorous international framework that ensures true quality, we take data security seriously. We’re already developing new and improved features that ensure using our training management software helps accessplanit users to be GDPR-compliant.

We've recorded a webinar on how your training company can stay GDPR-compliant - sign up below... 

Until then, let's get ahead of the curve by navigating through some new terminology and the associated liabilities that staff at your training organisation should know. 

Who are ‘Individuals’?

Throughout GDPR literature, you’ll come across ‘individuals’. These will be your delegates – whether you’re offering external or in-house training. In fact, it’s anyone whose data you process with their express permission.

The GDPR is designed to make data protection laws fit for the always-connected 21st century (while harmonising those laws across all EU states). As part of that goal, your delegates now have eight core rights that ensure they have total control of the data you hold on them.

Common rights you’re likely to come across include…

  • The right to be informed – so no collecting any data whatsoever without telling delegates your lawful basis for doing so 
  • The right to be forgotten – this ensures that individuals can request you remove their data from your systems.
  • The right to access – this right allows your delegates to see the data you hold on them. Absolutely all of it.

You can see the full list of individual rights over at the Information Commissioner’s Office.

So long as the request is reasonable, you have one month to comply – although, depending on the circumstance, you may apply for a further two-month period.

Who are ‘Processors and Controllers’?

Although remaining similar to the Data Protection Act, the GDPR provides a finer distinction between processors and controllers, and these separate roles come with very different liabilities. According to the ICO

A data controller is ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.’

A data processor is ‘a person, public authority, agency or other body which processes personal data on behalf of the controller.’

In other words, a controller is you as a training business when processing delegate data whereas a third-party software system where you hold that data would be a processor.  In another scenario, you would be a controller of the employee data that you collect but the HR system where you store it would be the processor. 

Man googling on computer

What are the new liabilities for processors and controllers?

As of May 25th, depending on your role, your liabilities will change. Whether you’re a processor or controller, it’s worth keeping this in mind: You are liable.

Previously, the Data Protection Act placed almost all liabilities firmly at the door of the business owner, or controller, itself. This meant that, even if a rogue administrator was responsible for a data breach, it was the company that took the hit and dealt with the fallout.

The GDPR updates that scenario. So, for processors, you may find yourself responsible for…

  • Any data breach that occurs on your watch
  • Notifying the controller of any data breach
  • Maintaining a record of current processing activities
  • Ensuring security of personal data at all times – and taking measures to guarantee this, such as encrypting data
  • Providing the controller with information and records required to demonstrate GDPR compliance

Controllers, on the other hand, will be liable for…

  • Approving all third-party processors and ensuring they comply with the GDPR
  • Notifying the relevant authorities of a data breach within 72 hours of discovery
  • Maintaining an up-to-date record of all data processing procedures
  • Appointing a data protection officer if your business requires one
  • Implementing internal data protection policies and data protection impact assessments
  • Adhering to the principles of privacy by design, typically associated with new technology and processes brought into the business

What about third-party processors?

Your training company may also use third-party data processors. These typically include training management software like ours, or external cloud storage services.

Whether you’re a controller or processor, it is your responsibility to ensure that any third-party processor understands and complies with the GDPR. The best way to do this is to discuss the GDPR requirements with your third-party processors and ensure that responsibilities are formally agreed as part of a contract.

First, discover their intentions for maintaining GDPR compliance. How aware are they of the impact, and how will they operate differently once the May 25th deadline hits? This is important as, if you use a non-compliant third-party, it’s you who will be liable for any breaches.

Next, find out what security certifications they have – if any. For instance, accessplanit is ISO 27001-accredited, which means we already adhere to a rigorous international framework for information security. A high-quality third-party processor will already be making operational changes based on the new data protection laws.

You’ll also want to explain what your business is doing to remain compliant, and how that will impact any third-party or off-site data processing (and vice-versa). In this way, you can be sure that both your organisation and your third-party suppliers are working together towards the same data security goals.

Training software provider discusses course management system

Are you GDPR-ready?

There’s plenty to get your head around before the GDPR becomes law.  Watch our GDPR for training companies webinar to maintain compliance and protect your delegates' data.

You can find out more about how the GDPR affects your learning department or training company with these helpful links below.


Free GDPR Resources