The GDPR comes into force on 25th May 2018 – so you’ll need to ensure your L&D department or training organisation is fully compliant on that date.
So, what is the GDPR?
The GDPR is an EU directive. That means, come deadline day, the GDPR will automatically become law across all 28 countries in Europe. And even after Brexit, your British delegates’ data will still be protected by a UK version of the law.
The directive is designed to provide greater protection for individuals like your delegates, and to offer them greater control over how companies collect, store and use their data. It also helps harmonise data protection laws across the European Union.
What changes are coming?
The General Data Protection Regulations present wholesale change to the way businesses are allowed to collect, store and process personal or sensitive data.
Every customer-focused company will be affected by the GDPR, since customer data is critical to delivering services or marketing products. All those email addresses, all those phone numbers… It’s likely that your training company has already gathered massive amounts of data.
But now, you’ll need to provide information to your delegates on…
- Why you’re collecting their data
- How you intend to use that data
- And your lawful basis for processing it
Even if you’re based outside of Europe, if you process the data of EU citizens or British subjects, then your training business will be affected by the GDPR. And if you don’t follow the letter of the law, you could be facing massively increased fines of up to £20 million or 4% of global turnover, whichever is greater.
There are also increased responsibilities and liabilities for both ‘controllers’ – typically the company that determines the need for data – and ‘processors’ – the employees who process the data. Prior to the GDPR, it was the data controller who was held liable for improper data processing.
So, in the event of a data breach (described by the Information Commissioner’s Office as ‘unauthorised or unlawful processing… accidental loss, destruction or damage…’):
- Controllers must demonstrate their compliance with the GDPR through processes, audits and internal records
- Processors must maintain secure personal data records, and are responsible for any data breaches on their watch
It’s also worth pointing out that, should your business use third-party data processors, it’s absolutely your responsibility to ensure that they understand and maintain compliance with the GDPR.
If your training department is unfortunate enough to be hit by a data breach, you will be required by law to inform the relevant authority (in the UK, that’s the ICO) within 72 hours.
Another major change is likely to impact your sales and marketing department. That’s because the GDPR, in part, seeks to give control back to delegates. This means we’ll all be shifting to obtaining what’s known as ‘explicit consent’ or ‘opt-in’.
In other words, your delegates need to say ‘yes, I want to receive your emails and calls.’ You can’t just assume that, by not saying anything, they’re silently agreeing to receive your marketing output; if you do, you’ll be in breach of the law (don’t worry, though, we’ll go into detail about this in the guide).
How does the GDPR affect my delegates?
As we’ve noted, the GDPR seeks to redress the balance in favour of the individual over the company. A core part of that is introducing eight new rights for your delegates. Some of these were previously covered by the Data Protection Act and have since been strengthened; others are completely new and designed to be fit for the internet age.
These rights are…
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Our guide will look at precisely what these rights are, in relation to training companies, and how you can start introducing them to your delegates now, before the GDPR deadline hits.
Data security is king
It’s vital, in this age of hacking and cyber-crime, to make sure you safeguard the data of delegates and employees – or, in other words, all processes and technology you use or implement must adhere to the concept of ‘privacy by design’. If privacy isn’t a cornerstone of your company, then, once again, you could find yourself breaching the GDPR.
Information security and data protection are in our blood. accessplanit are immensely proud to be an ISO 27001-certified company, so we’re already highly experienced in ensuring that our training management software and operations follow the rigorous international framework laid out by the International Organisation for Standardisation. That means we’re well placed to bring GDPR compliance to the system, as a third-party data processor to training companies and L&D departments.
The GDPR Guide for Training Professionals
The EU’s General Data Protection Regulation is a massive shake-up of data protection laws on a global scale. Is your business ready for the change?
In the accessplanit guide to the GDPR for training professionals, you’ll discover…
- Who the GDPR will affect
- What new responsibilities and liabilities your business and employees will face
- How best to prepare and implement GDPR-compliant processes and practices
- What operational changes you will have to make
- Common myths and misconceptions surrounding the law