The Nineteen Responsibilities of an Assessment Data Controller under the GDPR

Posted by John Kleeman

Back in 2014, Questionmark produced a white paper covering what at the time was a fairly specialist subject – what assessment organizations needed to do to ensure compliance with European data protection law. With the GDPR in place in 2018, with its extra-territorial reach and potential for large fines, the issue of data protection law compliance is one that all assessment users need to consider seriously.

[Diagram: Data Controller with two Data Processors, one of which has a Sub-Processor]

Myself, Questionmark Associate Legal Counsel Jamie Armstrong and Questionmark CEO Eric Shepherd have now rewritten the white paper to cover the GDPR and published it this week. The white paper is called “Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities”. I’m pleased to give you a summary in this blog article.

To remind you, a Data Controller is the organization responsible for making decisions about personal data, whereas a Data Processor is an organization that processes data on behalf of the Data Controller. As shown in the diagram, a Data Processor may have Sub-Processors. In the assessment context, examples of Data Controllers might be:

  • A company that tests its personnel for training or regulatory compliance purposes;
  • A university or college that tests its students;
  • An awarding body that gives certification exams.

Data Processors are typically companies like Questionmark that provide services to assessment sponsors. Data Processors have significant obligations under the GDPR, but the Data Controller has to take the lead.

The Nineteen Responsibilities of an Assessment Data Controller under the GDPR

  1. Ensure you have a legitimate reason for processing personal data
  2. Be transparent and provide full information to test-takers
  3. Ensure that personal data held is accurate
  4. Review and deal properly with any rectification requests
  5. Respond to subject access requests
  6. Respond to data portability requests
  7. Delete personal data when it is no longer needed
  8. Review and deal properly with any erasure requests
  9. Put in place strong security measures
  10. Use expert processors and contract with them wisely
  11. Adopt privacy by design measures
  12. Notify personal data breaches promptly
  13. Consider whether you need to carry out a Data Protection Impact Assessment
  14. Follow the rules if moving data out of Europe
  15. If collecting “special” data, follow the particular rules carefully
  16. Include meaningful human input as well as assessment results in making decisions
  17. Respond to restriction and objection requests
  18. Train your personnel effectively
  19. Meet organisational requirements

Back in 2014, we considered there were typically 12 responsibilities for an assessment Data Controller. Our new white paper suggests there are now 19. The GDPR significantly expands the responsibilities Data Controllers have, and makes it clearer what needs to be done and the likely penalties if it is not done.

The 25-page white paper:

  • Gives a summary of European data protection law
  • Describes what we consider to be the 19 responsibilities of a Data Controller (see diagram)
  • Gives Data Controllers a checklist of the key measures they need from a Data Processor to be able to meet these responsibilities
  • Shares how Questionmark helps meet the responsibilities
  • Comments on how the GDPR, by pushing for accuracy of personal data, might encourage more use of valid, reliable and trustworthy assessments and benefit us all

The white paper is useful reading for anyone who delivers tests and exams to people in Europe – whether using Questionmark technology or not. Although we hope it will be helpful, like all our blog articles and white papers, this article and the white paper are not a substitute for legal advice specific to your organization’s circumstances. You can see and download all our white papers at www.questionmark.com/learningresources and you can directly download this white paper here.

Judgement is at the Heart of nearly every Business Scandal: How can we Assess it?

Posted by John Kleeman
How does an organization protect itself from serious mistakes and resultant corporate fines?

An excellent Ernst & Young report on risk reduction explains that an organization needs rules and that they are immensely important in defining the parameters in which teams and individuals operate. But the report suggests that rules alone are not enough: it is how people adopt them when making decisions that matters. Culture is a key part of such decision making. And ultimately, when things go wrong, “judgement is at the heart of nearly every business scandal that ever occurred”.

Clearly judgement is important for almost every job role, not just to prevent scandals but to improve results. But how do you measure it? Is it possible to test individuals to identify how they would react in dilemmas and what judgement they would apply? And is it possible to survey an organization to discover what people think their peers would do in difficult situations? One answer to these questions is that you can use Situational Judgement Assessments (SJAs) to measure judgement, both for individuals and across an organization.

Questionmark has published a white paper on Situational Judgement Assessments, written by myself and Eugene Burke. The white paper describes how to assess judgement where you:

  1. Identify job roles and competencies or aspects of that role in your organization or workforce where judgement is important.
  2. Identify dilemmas which are relevant to your organization and each of which requires a choice to be made and where that choice is linked to the relevant job role.
  3. Build questions based on the dilemmas which ask someone to select from the choices – SJA (Situational Judgement Assessment) questions.

There are two ways of presenting such questions, either to survey someone or to assess individuals on their judgement.

  • You can present the dilemma and survey your workforce on what they think others would do in such a situation. For example, “Rate how you think people in the organization are likely to behave in a situation like this. Use the following scale to rate each of the options below: 1 = Very Unlikely 2 = Unlikely 3 = Neutral 4 = Likely 5 = Very Likely”.
  • You can present the dilemma and test individuals on what they personally would do in such a situation, for example as shown in the screenshot below.

You work in the back office in the team approving new customers, ensuring that the organization’s procedures have been followed (such as credit rating and know your customer). Your manager is away on holiday this week. A senior manager in the company (three levels above you) comes into your office and says that there is an important new customer who needs to be approved today. They want to place a big order, and he can vouch that the customer is good. You review the customer details, and one piece of information required by your procedures is not present. You tell the senior manager and he says not to worry, he is vouching for the customer. You know this senior manager by reputation and have heard that he got a colleague fired a few months ago when she didn’t do what he asked. You would:
A.  Take the senior manager’s word and approve the customer
B.  Call your manager’s cellphone and interrupt her holiday to get advice
C.  Tell the manager you cannot approve the customer without the information needed
D.  Ask the manager for signed written instructions to override standard procedures to allow you to approve the customer

You can see this question “live” with other examples of SJA questions in one of our example assessments on the Questionmark website at www.questionmark.com/go/example-sja.

Once you deliver such questions, you can easily report on the results segmented by attributes of participants (such as business function, location and seniority as well as demographics such as age, gender and tenure). Such reports can help indicate whether compliance will be acted out in the workplace, evaluate where compliance professionals need to focus their efforts and measure whether compliance programs are gaining traction.

SJAs can be extremely useful as a tool in a compliance programme to reduce regulatory risk. If you’re interested in learning more about SJAs, read Questionmark’s white paper “Assessing for Situational Judgment”, available free (with registration) at https://www.questionmark.com/sja-whitepaper.

New White Paper Examines how to Assess for Situational Judgment

Posted by John Kleeman

Is exercising judgment a critical factor in the competence of the employees and contractors who service your organization? If the answer to this is yes, as it most likely is, you may be interested in Questionmark’s white paper, just published this week on “Assessing for Situational Judgment”.

It’s not just CEOs who need to exercise judgment and make decisions; almost every job requires an element of judgment. Situational Judgment Assessments (SJAs) present a dilemma to the participant and ask them to choose options in response.


Context is defined -> There is a dilemma that needs judgment -> The participant chooses from options -> A score or evaluation is made

Here is an example: 

You work as part of a technical support team that produces work internally for an organization. You have noticed that often work is not performed correctly or a step has been omitted from a procedure. You are aware that some individuals are more at fault than others as they do not make the effort to produce high quality results and they work in a disorganized way. What do you see as the most effective and the least effective responses to this situation?
A.  Explain to your team why these procedures are important and what the consequences are of not performing these correctly.
B.  Try to arrange for your team to observe another team in the organisation who produce high quality work.
C.  Check your own work and that of everyone else in the team to make sure any errors are found.
D.  Suggest that the team tries many different ways to approach their work to see if they can find a method where fewer mistakes are made.

In this example, option C deals with errors but is time consuming and doesn’t address the behavior of team members. Option B is also reasonable but doesn’t deal with the issue immediately and may not address the team’s disorganized approach. Option D is asking a disorganized team to engage in a set of experiments that could increase rather than reduce errors in the work produced. This is likely to be the least effective of the options presented. Option A does require some confidence in dealing with potential pushback from the other team members, but is most likely to have a positive effect.

You can see some more SJA examples at http://www.questionmark.com/go/example-sja.

SJA items assess judgment and variations can be used in pre-hire, post-hire training, for compliance and for certification. SJAs offer assessment programs the opportunity to move beyond assessments of what people know (knowledge of what) to assessments of how that knowledge will be applied in the workplace (knowledge of how).

Questionmark’s white paper is written as a collaboration by Eugene Burke, a well-known advisor on talent, assessment and analytics, and myself. The white paper is aimed at:

  • Psychometricians, testing professionals, work psychologists and consultants who currently create SJAs for workplace use (pre-hire or post-hire) and want to consider using Questionmark technology for such use
  • Trainers, recruiters and compliance managers in corporations and government looking to use SJAs to evaluate personnel
  • High-tech or similar certification organizations looking to add SJAs to increase the performance realism and validity of their exam

The 40-page white paper includes sections on:

  • Why consider assessing for situational judgment
  • What is an SJA?
  • Pre-hire and helping employers and job applicants make better decisions
  • Post-hire and using SJAs in workforce training and development
  • SJAs in certification programs
  • SJAs in support of compliance programs
  • Constructing SJAs
  • Pitfalls to avoid
  • Leveraging technology to maximize the value of SJAs

Situational Judgment Assessments are an effective means of measuring judgment and the white paper provides a rationale and blueprint to make it happen. The white paper is available free (with registration) from https://www.questionmark.com/sja-whitepaper.

I will also be presenting a session about SJAs in March at the Questionmark Conference 2018 in Savannah, Georgia – visit the conference website for more details.

Why Digital Badges are Win-Win-Win

Posted by John Kleeman

Digital badges are a validated, electronic measure of achievement that are starting to be very widely used in the workplace, in education and in certification. This article explains some of the reasons why they are genuinely a win for all involved.

[Picture of a badge with the Questionmark logo on it saying "Data Security Proficient"]

A little while ago, achievements were recognized with a paper certificate, which you could frame and put on your office wall. But with digital printing, paper certificates have become easy to forge, and with the Internet, a lot of offices are virtual. So nowadays recognition of achievement is often with a digital certificate or badge. Digital badges use a picture (like the one on the right) to summarize what the badge is and are backed up with detailed information that can be verified online. Many people put badges on their LinkedIn or other social media accounts.

Digital badges can be used for many purposes including:

  • Giving a certificate on passing a test or exam
  • Showing completion of a course
  • Recognizing other accomplishments, major and minor
  • Helping signpost pathways to learning, with each step a badge

With Questionmark Badging, you can award digital badges when someone passes an assessment.

A key human need is to achieve goals and for others to value our achievements, and digital badges provide a mechanism to help satisfy these needs.

[Diagram: three circles showing Society, Organizations and Individuals]

Digital badges can be win-win-win for society, organizations and individuals.

Society

As technology changes and the world becomes more global, skill shortages are a significant issue to the global economy. According to the OECD, “in most countries, large shares of employers complain that they cannot find workers with the skills that their businesses require”.

Digital badges help reduce skill shortages by encouraging and documenting the acquisition of important skills and by recognizing competencies at a distance. They allow a society to increase citizen contributions and help mobility of skills which drives economic value.

Organizations

The most tangible benefit for digital badges is to the organizations who issue them. Digital badges provide a great opportunity for companies, universities and colleges and certification providers.

  • In the workplace, employers can issue badges to provide recognition of e-learning or instructor led training and to show achievement of important competencies. Badges motivate employees to develop current skills which make a business difference to the employer, and they recognize employees for achievement. For many employees, being recognized for an achievement is as important as a pay rise or other more tangible benefit.
  • Universities and colleges can issue badges to students to show the module make-up in their courses, to encourage or showcase extra achievement or for short courses outside the usual curriculum.
  • Certification providers can give candidates a shareable badge, which encourages them to engage with the provider and promotes the certification brand. Digital badges also allow micro-credentials and delta credentials to deal with fast moving technology.

Individuals

Lastly, for individuals, digital badges help develop skills and careers. Digital badges let individuals showcase their achievements, grow self-esteem with a sense of accomplishment and obtain recognition for what they do as an employee and/or as a citizen.

 

Digital badges make sense for society, for organizations and for individuals. The improved competence and communication about competence they encourage improves society. Organizations gain skills and a new currency to reward their workforce. And badge earners gain recognition and a sense of achievement. It is important that badge issuers set up a good process to ensure their badges are credible and sustainable measures of achievement, but if this is done, badges are truly win-win-win.

If you are interested in learning more about digital badges, you can see information on Questionmark’s solution here.

Can you be GDPR compliant without testing your employees?

Posted by John Kleeman

The GDPR is a new, extra-territorial data protection law which imposes obligations on anyone who processes personal data on European residents. It impacts companies with employees in Europe, awarding bodies and test publishers who test candidates in Europe, universities and colleges with students in Europe and many others. Many North American and other non-European organizations will need to comply.

See my earlier post How to use assessments for GDPR compliance for an introduction to GDPR. The question this blog post addresses is whether it’s practical for a large organization to be compliant with the GDPR without giving tests and assessments to its employees.

I’d argue that for most organizations with 100s or 1000s of employees, you will need to test your employees on your policies and procedures for data protection and the GDPR. Putting it simply, if you don’t and your people make mistakes, fines are likely to be higher.

Here are four things the GDPR law says (I’ve paraphrased the language and linked to the full text for those interested):


1. Organizations must take steps to ensure that everyone who works for them only processes personal data based on proper instructions. (Article 32.4)

2. Organizations must conduct awareness-raising and training of staff who process personal data (Article 39.1). This is extended to include “monitoring training” for some organizations in Article 47.2.

3. Organizations must put in place risk-based security measures to ensure confidentiality and integrity and must regularly test, assess and evaluate the effectiveness of these measures. (Article 32.1)

4. If you don’t follow the rules, you could be fined up to 20 million Euros or 4% of turnover. How well you’ve implemented the measures in Article 32 (i.e. including those above) will impact how big these fines might be. (Article 83.2d)


So let’s join up the dots.

Firstly, a large company has to ensure that everyone who works for it only processes data based on proper instructions. Since the nature of personal data, processing and instructions each have particular meanings, this needs training to help people understand. You could just train and not test, but given that the concepts are not simple, it would seem sensible to test or otherwise check their understanding.

A company is required to train its employees under Article 39. But for most companies, the requirement in Article 32 is stronger. For most large organizations, the risk of employees making mistakes and the risk of insider threat to confidentiality and integrity is considerable. So you have to put in place training and other security measures to reduce this risk. Given that you have to regularly assess and evaluate the effectiveness of these measures, it seems hard to envisage an efficient way of doing this without testing your personnel. Delivering regular online tests or quizzes to your employees is the obvious way to check that training has been effective and your people know, understand and can apply your processes and procedures.

Lastly, imagine your company makes a mistake and one of your employees causes a breach of personal data or commits another infraction under the GDPR. How are you going to show that you took all the steps you could to minimize the risk? An obvious question is whether you did your best to train that employee in good practice and in your processes and procedures. If you didn’t train, it’s hard to argue that you took the proper steps to be compliant. But even if you trained, a regulator will ask you how you are evaluating the effectiveness of your training. As a regulator in another context has stated:

“where staff understanding has not been tested, it is hard for firms to judge how well the relevant training has been absorbed”

So yes, you can imagine a way in which a large company might manage to be compliant with the GDPR without testing employees. There are other ways of checking understanding, for example 1:1 interviews, but they are very time consuming and hard to roll out in time for May 2018. Or you may be lucky and have personnel who don’t make mistakes! But for most of us, testing our employees on knowledge of our processes and procedures under the GDPR will be wise.

Questionmark OnDemand is a trustable, easy to use and easy to deploy system for creating and delivering compliance tests and assessments to your personnel. For more information on using assessments to help ensure GDPR compliance visit this page of our website or register for our upcoming webinar on 29 June.

Reminiscing about Santa Fe: Presentations, pictures & the weird and wonderful art house

Posted by Chloe Mendonca

After eagerly looking forward to Questionmark’s most important annual learning event for months, it was over before we even knew it! The Questionmark Conference gave all of us three special days to meet so many of our globally dispersed customers and employees face to face, learn best practices, have fun with one another and discuss new ways to leverage Questionmark’s technologies.

This year I was fortunate enough to be there, and a big highlight was getting a deeper understanding of how others are using Questionmark’s technologies. From our evening networking events to our stimulating panel discussion — which brought together experts from the US State Department, Caterpillar Inc., Scantron and Compass Consultants to discuss best practices for making data work within learning and assessment programs — to more specific breakout sessions, our guest speakers did a wonderful job of sharing lessons learned and best-practice tips.

Todd Horner from Accenture, for example, hosted a great discussion, “Taking the Migraine out of Migration: Accenture’s journey to next-gen authoring.” He spoke about the shared “fear of the unknown” and how to get around change-management challenges. Lauri Buckley and Lindsey Clayton from Caterpillar Inc. delivered an impressive presentation, “A Process to Mastery: Assessments as career development tools,” during which they shared valuable tips about how to effectively design and develop various types of competence assessments, from proficiency tests to validation and observational assessments. You can get the handouts from these presentations and more right here.

For those who couldn’t be there in person, we webcast selected conference sessions — hitting record numbers online. If you joined us for the webcast, got a sense of the Questionmark Conference atmosphere and want to join us in person next year, keep your eyes peeled for our dates and location announcement coming to the blog in the next few months. See the recordings of our selected webcast sessions at: www.questionmark.com/go/2017uconwebcast (Please note you must be logged into the website with your Questionmark username and password).

I’d like to take this opportunity to say a big thank you to all of our wonderful speakers for taking the time to share their knowledge. Without them there would be no conference!

Now for the bit you’ve all been waiting for… conference pictures! To all those who went back to the office struggling to describe the weird and wonderful art house that is Meow Wolf’s House of Eternal Return, hopefully these snaps will make things a little easier 😊 View conference and evening event pictures here on our flickr page.

What did you enjoy most about Questionmark Conference 2017? Leave me a comment below and stay in touch!


Just in case you missed it…

John Kleeman, Questionmark’s Founder & Executive Director, reported back 6 good practice tips heard in Santa Fe.