6 Tips for trustworthy compliance assessments

Posted by Chloe Mendonca

If you’re responsible for the development or management of compliance tests you have a heavy responsibility on your shoulders. It’s up to you to ensure your tests are both valid and reliable. We’ve spoken about reliability and validity many times here on the Questionmark blog and these really are two of the keys to ensuring your assessment results can be trusted. If your tests don’t measure what they’re designed to or the content doesn’t reflect the required job knowledge, how can you make defensible decisions on the basis of the results?

This infographic shares 6 tips that you should consider implementing if you haven’t already that will help you to develop trustworthy compliance assessments.

 

Click here to get a hi-res copy of this infographic.

To learn more about developing trustworthy assessments, check out the 26-page Questionmark White Paper “Assessment Results You Can Trust”.

Can you be GDPR compliant without testing your employees?

Posted by John Kleeman

The GDPR is a new extra-territorial, data protection law which imposes obligations on anyone who processes personal data on European residents. It impacts companies with employees in Europe, awarding bodies and test publishers who test candidates in Europe, universities and colleges with students in Europe and many others. Many North American and other non-European organizations will need to comply.

See my earlier post How to use assessments for GDPR compliance for an introduction to GDPR. The question this blog post addresses is whether it’s practical for a large organization to be compliant with the GDPR without giving tests and assessments to their employees?

I’d argue that for most organizations with 100s or 1000s of employees, you will need to test your employees on your policies and procedures for data protection and the GDPR. Putting it simply, if you don’t and your people make mistakes, fines are likely to be higher.

Here are four things the GDPR law says (I’ve paraphrased the language and linked to the full text for those interested):


1. Organizations must take steps to ensure that everyone who works for them only processes personal data based on proper instructions. (Article 32.4)

2. Organizations must conduct awareness-raising and training of staff who process personal data (Article 39.1). This is extended to include “monitoring training” for some organizations in Article 47.2.

3. Organizations must put in place risk-based security measures to ensure confidentiality and integrity and must regularly test, assess and evaluate the effectiveness of these measures. (Article 32.1)

4. If you don’t follow the rules, you could be fined up to 20 million Euros or 4% of turnover. How well you’ve implemented the measures in article 32 (i.e. including those above) will impact how big these fines might be. (Article 83.2d)


So let’s join up the dots.

Firstly, a large company has to ensure that everyone who works for it only processes data based on proper instructions. Since the nature of personal data, processing and instructions each have particular meanings, this needs training to help people understand. You could just train and not test, but given that the concepts are not simple, it would seem sensible to test or otherwise check their understanding.

A company is required to train its employees under Article 39. But the requirement in Article 32 is for most companies stronger. For most large organizations the risk of employees making mistakes and the risk of insider threat to confidentiality and integrity is considerable. So you have to put in place training and other security measures to reduce this risk. Given that you have to regularly assess and evaluate the effectiveness of these measures, it seems hard to envisage an efficient way of doing this without testing your personnel. Delivering regular online tests or quizzes to your employees is the obvious way to check that training has been effective and your people know, understand and can apply your processes and procedures.

Lastly, imagine your company makes a mistake and one of your employees causes a breach of personal data or commits another infraction under the GDPR? How are you going to show that you took all the steps you could to minimize the risk? An obvious question is whether you did your best to train that employee in good practice and in your processes and procedures? If you didn’t train, it’s hard to argue that you took the proper steps to be compliant. But even if you trained, a regulator will ask you how you are evaluating the effectiveness of your training. As a regulator in another context has stated:

“”where staff understanding has not been tested, it is hard for firms to judge how well the relevant training has been absorbed”

So yes, you can imagine a way in which a large company might manage to be compliant with the GDPR without testing employees. There are other ways of checking understanding, for example 1:1 interviews, but they are very time consuming and hard to roll out in time for May 2018. Or you may be lucky and have personnel who don’t make mistakes! But for most of us, testing our employees on knowledge of our processes and procedures under the GDPR will be wise.

Questionmark OnDemand is a trustable, easy to use and easy to deploy system for creating and delivering compliance tests and assessments to your personnel. For more information on using assessments to help ensure GDPR compliance visit this page of our website or register for our upcoming webinar on 29 June.

Top 5 benefits of permissions

Bart Hendrickx SmallPosted by Bart Hendrickx

We went over role-based access control and its advantages in some of my earlier blog posts:

As I mentioned previously, roles are made up of permissions. Today, I wanted to share 5 of the top benefits permissions have, in particular, Questionmark OnDemand permissions.

1. Keep your authoring content organized

You can use permissions to define where authors are allowed to create content, such as items (questions) and assessments. That enables you to set up a structure for topic folders and assessment folders, and make sure that authors won’t go outside the folders you gave them access to. That in turn helps you to keep your content organized, which benefits your assessment program’s efficiency.

2. Improve your authors’ user experience

Let’s say that all you want your authors to create are multiple choice questions. You can use a permission to that effect. As a consequence, authors will not be able to see other question types, which makes it less confusing to them. Think: I can only see what I can use. That improves their user experience.

3. Improve your reporters’ user experience

Similarly, for several reports, you can define which reports your reporters can run. By doing that, you guide your reporters to the appropriate reports and avoid confusing them with reports they should not be running.

4. Reduce error and fraud

By using permissions judiciously, you can separate duties in your organization. For example, there are permissions to create users, permissions to create assessments and permissions to schedule assessments. You can use those permissions to define that a user who can create other users cannot create assessments and vice versa. Likewise, the user who can schedule assessments cannot create users. That way, you ensure that each user is responsible for a specific part of the process. When the focus is defined, error is reduced. And if multiple users manage the process together, no-one has full power over everything, which makes fraud less likely.

5. Free up time

Finally, you can use permissions to delegate some of your role responsibilities to others. If you are the main admin user of your Questionmark OnDemand environment, you may want to give a colleague the permission to assign the reporter role to users, so that you do not have to do it repeatedly. However, you may not want to give your colleague the permission to edit the exact permissions that reporters have. By delegating the role assignment to your colleague, you remain in control over what a role can do and you get help with managing who can report. That frees up your time.

 

These are my top 5 reasons. If you can think of other benefits, contribute to this list by leaving a comment below, we’d love to see what benefits you’re experiencing.

Questionmark’s assessment management system now offered in the G-Cloud digital marketplace

Posted by Chloe Mendonca

We’re excited to announce that Questionmark has been accepted as a G-Cloud 9 supplier of assessment solutions by the Crown Commercial Service (CCS). These solutions can be found on the UK government’s Digital Marketplace.

What is G-Cloud?

The UK government G-Cloud streamlines the process by which public-sector bodies procure cloud-based applications. You can think of G-Cloud like a mobile app store that contains a huge range of approved, ready-to-use services and applications.

What does this mean for public-sector organisations?
If you are a UK public-sector organisation, G-Cloud makes it easier to buy Questionmark’s assessment management system by dramatically reducing the time you spend procuring services — quickly connecting you with a supplier that fits your strict requirements and budget. US public-sector organisations can procure Questionmark via a similar service, the US General Services Administration (GSA) federal supply list. Organisations outside the US and UK can take comfort in the fact that Questionmark’s platform has been vetted and approved for listing on these government service provider sites.

Questionmark has excelled for many years in delivering assessment solutions to the public sector. Being available on G-Cloud enables Questionmark to expand our offering to even more government organisations that need to create, deliver and report on tests, exams, quizzes and surveys.

Why Questionmark?
In today’s highly-regulated world, the need to effectively assess knowledge and understanding of regulations or corporate policies is critical. Organisations are now required to do more than the traditional checkbox compliance approach and must ensure that all employees or target groups understand the rules and can follow them. Failure to do so can impact life, limb and livelihood, often resulting in fines and damaged business reputations. Only by using secure assessment management technologies that seamlessly integrate with your other enterprise systems and learning management tools can organisations efficiently and effectively set up, deploy and monitor compliance.

If you’re in a public-sector organisation looking for an intuitive, scalable SaaS solution that will help you ensure regulatory compliance and measure learning, request a demo of Questionmark’s assessment management system today.