Is your training business ready for the incoming General Data Protection Regulation (GDPR)?
It’s the dramatic and far-reaching regulation that offers individuals stronger protection and control over their personal data. But the broad and all-encompassing nature of the regulations – and what GDPR means for training companies – means they’re shrouded in myths and misconceptions.
It’s just a Data Protection Act for Facebook. It’s the Y2K bug v2. It won’t affect me… So, let’s navigate through what GDPR is, and what it isn’t, to find the truth.
‘There’s no rush – it’s not due until May 25th 2018’
If only this were true. But the GDPR introduces masses of changes – from strengthening the rights of individuals to increasing fines for non-compliance. And, as if that’s not enough, you’ll also need to train staff, maintain internal records, and take all reasonable steps required to ensure the data you hold is consensual, accurate and properly processed.
That’s not something to be left until the last minute. One of the best ways to get ahead of the game is to automate key processes – for example, using a system that provides the audit logs you’re legally obliged to produce in the event of a data breach – which frees you and your team to dedicate more time to the areas that most demand your attention.
And when there’s the potential for a £20 million fine for non-compliance, it’s absolutely worth investing time to understand what’s changing and what new processes and organisational changes you’ll need to implement to ensure full compliance.
‘It’s a lot of fuss about nothing’
Let’s be clear: GDPR is a big deal. Likely, the biggest deal in data protection.
Despite a similar amount of hype and panic, the GDPR won’t be the damp squib that the Millennium Bug was (remember that?). It affects every employee who processes data, including trainers, and it’s backed up by some hefty legal sanctions.
It’s a data security revolution that seriously toughens up existing data protection laws, designed to protect the data of both your delegates and your colleagues and to harmonise EU law. That’s not something to be taken lightly.
And speaking of the EU…
‘Brexit changes everything’
Brexit changes nothing. Until Great Britain leaves the EU, UK businesses will be subject to the regulations. And post-Brexit, the UK Government has already indicated that there will be an ‘unprecedented point of alignment’ between British and EU data protection rules.
In fact, the intent is to go even further, with ministers signalling that the UK’s data protection body, the Information Commissioner’s Office, should maintain an ‘on-going role’ and be ‘fully involved in future EU regulatory dialogue.’
Essentially, when it comes to data protection, we’ll be on the same page as the European Union regardless of Britain’s independent status.
‘I’m not a European training company, so I’m not affected’
It might make sense, since the GDPR is an EU initiative, but the regulation is designed to protect EU citizens anywhere in the world. After all, in the internet age, data is global.
So, whether you’re based in Seattle or Shanghai, you’ll need to ensure you’re GDPR-compliant when processing the data of delegates from the EU.
‘It’s ok, my data’s processed by a third-party’
For training companies, a third-party processor will likely be the one managing their cloud storage or their learning and training management system. Using a third-party processor doesn’t mean you’re not responsible for compliance failure – it simply means you’re both responsible.
Firstly, it’s your duty to inform your third-party processor of any alterations to an individual’s data profile (and that includes corrections for accuracy and erasing data under the ‘right to be forgotten’). You and your third party will have one month to comply with any reasonable request.
Now, if there’s a data breach, your third-party processor will be liable for that breach. But your business is also likely to come under fire: while it’s the third party’s responsibility to ensure data is correctly processed, it’s your responsibility to ensure whoever processes your data is GDPR-compliant.
‘But I collected the data before the GDPR was introduced’
It doesn’t matter when you gathered the data you hold; it’s still subject to the GDPR. That also means you may need to obtain ‘explicit consent’ again, just to be sure that all the details you hold on delegates are compliant.
You may have already noticed, when visiting certain websites, that new privacy notices are popping up. Perhaps you’ve had to indicate, once again, that you’re happy for those sites to process your data (as well as finding out how and why they process it). That’s ‘explicit consent’ in action – because you can no longer assume that silence equals agreement.
‘Data breach? We’ve never been hacked’
One of the biggest changes that the GDPR introduces is the requirement for companies to notify the relevant authority of any data breach within 72 hours (on pain of a €10 million fine). However, there’s a common misconception as to what, exactly, constitutes a data breach. Most believe this occurs only when a hacker gains access to your system and the information stored within. But the definition of a data breach is, like the GDPR itself, much broader.
The UK’s Information Commissioner’s Office explains that a data breach is:
‘Unauthorised or unlawful processing… accidental loss, destruction or damage.’
So, for instance, if a course administrator accidentally sends a marketing email to someone who has opted out of receiving communications, it might seem like a minor incident, but it’s still considered a data breach.
‘It doesn’t matter, I only process the data’
In a change to the current Data Protection Act, it’s not only data controllers who are liable for data breaches. Now, those liabilities have extended to include data processors too. Under the GDPR, data processors – i.e. someone who ‘processes personal data on behalf of the controller’ – are legally responsible for the security, accuracy and maintenance of a delegate’s data.
Meanwhile, data controllers, defined as ‘the natural or legal person, public authority, agency or other body’, will be ‘responsible for, and be able to demonstrate, compliance with the principles.’
In other words, much like using a third-party processor, the responsibility and liability are shared among all parties. After all, you’re the guardian of your delegates’ data.
Our free, comprehensive guide explores the full impact of the GDPR on your training company – pick it up today.
About the author
Dave Evans is managing director of accessplanit, the training management software house.