Six predictions now the GDPR is in place

Posted by John Kleeman
So the European GDPR is in place now. Questionmark like most other companies has been working hard in the last two years to ensure we are compliant and that our customers in and outside Europe can be compliant with the GDPR. See our trust center or summary for information on Questionmark’s compliance.

Is it all done and dusted? My email inbox seems to have a few less promotional emails in it. But is this because of the holiday weekend or have companies really taken my name off their mailing lists? Here are six predictions for what we’ll see going forwards with the GDPR.

1. The May 25th 2018 date will matter much less going forwards than backwards

A picture of a dog with a Christmas hatCompanies have been rushing to meet the May 25th date, but GDPR and privacy is a destination not a journey. There is a famous slogan “a dog is for life not just for Christmas” encouraging people to look after their dog and not just buy it as a cute puppy. Similarly the GDPR is not just something you get compliant with and then ignore. You need to include privacy and compliance in your processes forever.

No one will care much whether you were compliant on May 25th 2018. But everyone will care whether you are meeting their privacy needs and following the law when they interact with you.

2. History will judge the GDPR as a watershed moment where privacy became more real

Nevertheless I do think that history will judge the GDPR as being a seminal moment for privacy. Back in the early 2000s, Microsoft popularized the concept of security by design and security by default when they delayed all their products for a year as they improved their security. Nowadays almost everyone builds security into their systems and makes it the default because you have to to survive.

Similarly the GDPR encourages us to think of privacy when we design products and to make privacy the default not an afterthought. For example, when we collect data, we should plan how long to keep it and how to erase it later. I suspect in ten years time, privacy by design will be as commonplace as security by design – and the GDPR will be the key reason it became popular.

3. Many other jurisdictions will adopt GDPR like laws

Although the GDPR is over-complex, it has some great concepts in it, that I’m sure other countries will adopt. It is appropriate that organizations have to take care about processing peoples’ data. It is appropriate that when you pass people’s data onto a third party, there should be safeguards. And if you breach that data, it is appropriate that you should have to be held accountable.

We can expect lawmakers in other countries to make GDPR-like laws.

4. Supply chain management will become more important

Diagram showing one data controller with two data processors. One data processor has two sub-processors and one data processor has one sub-processorUnder the GDPR, a Data Controller contracts with Data Processors and those Data Processors must disclose their Sub-processors (sub-contractors). There is positive encouragement to choose expert Data Processors and Sub-processors and there are consequences if processors fail their customers. This will encourage organizations to choose reputable suppliers and to review processors down the chain to make sure that everyone is following the rules. Choosing suppliers and Sub-processors that get themselves audited for security, e.g. under ISO 27001, is going to become more commonplace.

This will mean that some suppliers who do not have good enough processes in place for security, privacy and reliability will struggle to survive.

5. People will be the biggest cause of compliance failures

Organizations set up processes and procedures and put in place systems and technology to run their operations, but people are needed to design and run those processes and technology. Some GDPR compliance failures are going to be down to technology failures, but I predict the majority will be down to people. People will make mistakes or judgement errors and cause privacy and GDPR breaches.

If you are interested in this subject, Amanda Maguire of SAP and I gave a webinar last week entitled “GDPR is almost here – are your people ready?” which should shortly be available to view on the SAP website. The message we shared is that if you want to stay compliant with the GDPR, you need to check your people know what to do with personal data. Testing them regularly is a good way of checking their knowledge and understanding.

6. The GDPR and privacy concerns will encourage more accurate assessments

Last but not least, I think that the GDPR will encourage people to expect more accurate and trustworthy tests and exams. The GDPR requires that we pay attention to the accuracy of personal data; “every reasonable step must be taken to ensure that personal data that are inaccurate … are erased or rectified without delay”.

There is a strong argument this means that if someone creates a test or exam to measure competence, that the assessment should be accurate in what it claims to measure. So it needs to be authored using appropriate procedures to make it valid, reliable and trustworthy. If someone takes an assessment which is invalid or unfair, and fails it, they might reasonably argue that the results are not an accurate indication of their competence and so that personal data is inaccurate and needs correcting.

For some help on how you can make more accurate assessments, check out Questionmark white papers at www.questionmark.com/learningresources including “Assessment Results You Can Trust”.

 

 

Judgement is at the Heart of nearly every Business Scandal: How can we Assess it?

Posted by John Kleeman
How does an organization protect itself from serious mistakes and resultant corporate fines?

An excellent Ernst & Young report on risk reduction explains that an organization needs rules and that they are immensely important in defining the parameters in which teams and individuals operate. But the report suggests that rules alone are not enough, it’s how they are adopted by people when making decisions that matter. Culture is a key part of such decision making. And that ultimately when things go wrong “judgement is at the heart of nearly every business scandal that ever occurred”.

Clearly judgement is important for almost every job role and not just to prevent scandals but to improve results. But how do you measure it? Is it possible to test individuals to identify how they would react in dilemmas and what judgement that would apply? And is it possible to survey an organization to discover what people think their peers would do in difficult situations?  One answer to these questions is that you can use Situational Judgement Assessments (SJAs) to measure judgement, both for individuals and across an organization.

Questionmark has published a white paper on Situational Judgement Assessments, written by myself and Eugene Burke. The white paper describes how to assess judgement where you:

  1. Identify job roles and competencies or aspects of that role in your organization or workforce where judgement is important.
  2. Identify dilemmas which are relevant to your organization and each of which requires a choice to be made and where that choice is linked to the relevant job role.
  3. Build questions based on the dilemmas which asks someone to select from the choices –   SJA (Situational Judgement Assessment) questions.

There are two ways of presenting such questions, either to survey someone or to assess individuals on their judgement.

  • You can present the dilemma and survey your workforce on how they think others would do in such a situation. For example “Rate how you think people in the organization are likely to behave in a situation like this. Use the following scale to rate each of the options below: 1 = Very Unlikely 2 = Unlikely 3 = Neutral 4 = Likely 5 = Very Likely”.
  • You can present the dilemma and test individuals on what they personally would do in such a situation, for example as shown in the screenshot below.

You work in the back office in the team approving new customers, ensuring that the organization’s procedures have been followed (such as credit rating and know your customer). Your manager is away on holiday this week. A senior manager in the company (three levels above you) comes into your office and says that there is an important new customer who needs to be approved today. They want to place a big order, and he can vouch that the customer is good. You review the customer details, and one piece of information required by your procedures is not present. You tell the senior manager and he says not to worry, he is vouching for the customer. You know this senior manager by reputation and have heard that he got a colleague fired a few months ago when she didn’t do what he asked. You would: A. Take the senior manager’s word and approve the customer B. Call your manager’s cellphone and interrupt her holiday to get advice C. Tell the manager you cannot approve the customer without the information needed D. Ask the manager for signed written instructions to override standard procedures to allow you to approve the customer

You can see this question “live” with other examples of SJA questions in one of our example assessments on the Questionmark website at www.questionmark.com/go/example-sja.

Once you deliver such questions, you can easily report on the results segmented by attributes of participants (such as business function, location and seniority as well as demographics such as age, gender and tenure). Such reports can help indicate whether compliance will be acted out in the workplace, evaluate where compliance professionals need to focus their efforts and measure whether compliance programs are gaining traction.

SJAs can be extremely useful as a tool in a compliance programme to reduce regulatory risk. If you’re interesting in learning more about SJAs, read Questionmark’s white paper “Assessing for Situational Judgment”, available free (with registration) at https://www.questionmark.com/sja-whitepaper.

Seven Ways Assessments Fortify Compliance

Posted by John Kleeman
Picture of a tablet being used to take an assessment with currency symbols adjacentWhy do most of the world’s banks, pharmaceutical companies, utilities and other large companies use online assessments to test the competence of their employees?

It’s primarily because compliance fines round the world are high and assessments reduce the risk of regulatory compliance failures. Assessments also give protection to the organization in the event of an individual mis-step by proving that the organization had checked the individual’s knowledge of the rules prior to the mistake.

Here are seven reasons companies use assessments from my experience:

1. Regulators encourage assessments 

Some regulators require companies to test their workforce regularly. For example the US FDIC says in its compliance manual:

“Once personnel have been trained on a particular subject, a compliance officer should periodically assess employees on their knowledge and comprehension of the subject matter”

And the European Securities and Market Authority says in its guidelines for assessment of knowledge and competence:

“ongoing assessment will contain updated material and will test staff on their knowledge of, for example, regulatory changes, new products and services available on the market”

Other regulators focus more on companies ensuring that their workforce is competent, rather than specifying how companies ensure it, but most welcome clear evidence that personnel have been trained and have shown understanding of the training.

People sitting at desks with computers taking tests2. Assessments demonstrate commitment to your workforce and to regulators

Many compliance errors happen because managers pay lip service to following the rules but indicate in their behavior they don’t mean it. If you assess all employees and managers regularly, and require additional training or sanctions for failing tests, it sends a clear message to your workforce that knowledge and observance of the rules is genuinely required.

Some regulators also take commitment to compliance by the organization into account when setting the level of fines, and may reduce fines if there is serious evidence of compliance activities, which assessments can be a useful part of. For example the German Federal Court recently ruled that fines should be less if there is evidence of effective compliance management.

3. Assessments find problems early

Online assessments are one of the few ways in which a compliance team can touch all employees in an organization. You can see results by team, department, location or individual and identify who understands what and focus in on weak areas to look at improving. There is no better way to reach all employees.

4. Assessments document understanding after training

Many regulators require training to be documented. Giving someone an assessment after training doesn’t just confirm he or she attended the course but confirms they understood the training.

5. Assessments increase retention of knowledge and reduce forgetting

Can you remember everything you learned? Of course, none of us can!

There is good evidence that quizzes and tests increase retention and reduce forgetting. This is partly because people study for tests and so remind themselves of the knowledge they learned, which helps retain it. And it is partly because retrieving information in a quiz or test makes it easier to retrieve the same information in future, and so more likely to be able to apply in practice when needed.

6. By allowing testing out, assessments reduce the time and cost of compliance trainingTake test. If pass, skip training. Otherwise do training.

Many organizations permit employees to “test out” of compliance training. People can take a test and if they demonstrate good enough knowledge, they don’t need to attend the training. This concentrates training resources and employee time on areas that are needed, and avoids demoralizing employees with boring compliance training repeating what they already know.

7. Assessments reduce human error which reduces the likelihood of a compliance mis-step

Many compliance failures arise from human error. Root cause analysis of human error suggests that a good proportion of errors are caused by people not understanding training, training being missing or people not following procedures. Assessments can pick up and prevent mistakes caused by people not understanding what they should do or how to follow procedures, and so reduce the risk of error.

 

If you are interested in learning more about the reasons online assessments mitigate compliance risk, Questionmark are giving a webinar “Seven Ways Assessments Fortify Compliance” on April 11th. To register for this or our other free webinars, go to www.questionmark.com/questionmark_webinars.

GDPR: 6 months to go

Posted by Jamie Armstrong

Anyone working with personal data, particularly in the European Union, will know that we are now just six months from “GDPR day” (as I have taken to calling it). On 25-May-2018, the EU General Data Protection Regulation (“GDPR”) will become applicable, ushering in a new privacy/data protection era with greater emphasis than ever on the rights of individuals when their personal data is used or stored by businesses and other organizations. In this blog post, I provide some general reminders about what the GDPR is and give some insight into Questionmark’s compliance preparations.

The GDPR replaces the current EU Data Protection Directive, which has been around for more than 20 years. To keep pace with technology advances and achieve greater uniformity on data protection, the EU began work on the GDPR over 5 years ago and finalized the text in April 2016. There then followed a period for regulators and other industry bodies to provide guidance on what the GDPR actually requires, to help organizations in their compliance efforts. Like all businesses that process EU personal data, whether based within the U.S., the EU or elsewhere, Questionmark has been busy in the months since the GDPR was finalized to ensure that our practices and policies align with GDPR expectations.

For example, we have recently made available revised versions of our EU OnDemand service and US OnDemand service terms and conditions with new GDPR clauses, so that our customers can be assured that their agreements with us meet data controller-data processor contract requirements. We have updated our privacy policy to make clearer what personal data we gather and how this is used when people visit and interact with our website. There is also a helpful Knowledge Base article on our website that describes the personal data Questionmark stores.

GDPR

One of the most talked-about provisions of the GDPR is Article 35, which deals with data protection impact assessments, or “DPIAs.” Basically, there is a requirement that organizations acting as data controllers of personal data (meaning that they determine the purpose and means of the processing of that data) complete a prior assessment of the impacts of processing that data if the processing is likely to result in a high risk to the rights and freedoms of data subjects. Organizations will need to make a judgment call regarding whether a high risk exists to require that a DPIA be completed. There are scenarios in which a DPIA will definitely be required, such as when data controllers process special categories of personal data like racial origin and health information, and in other cases some organizations may decide it’s safer to complete a DPIA even if not absolutely necessary to comply with the GDPR.

The GDPR expects that data processors will help data controllers with DPIAs. Questionmark has therefore prepared an example draft DPIA template that may be used for completing an assessment of data processing within Questionmark OnDemand. The draft DPIA template is available for download now.

In the months before GDPR day we will see more guidance from the Article 29 Working Party and national data protection authorities to assist organizations with compliance. Questionmark is committed to helping our customers being compliant with the GDPR and we’ll post more next year on this subject. We hope this update is useful in the meantime

Important disclaimer: This blog is provided for general information and interest purposes only, is non-exhaustive and does not constitute legal advice. As such, the contents of this blog should not be relied on for any particular purpose and you should seek the advice of their own legal counsel in considering GDPR requirements.

Learning, Training and Assessments in Regulatory Compliance – Implementation Best Practices

Posted by John Kleeman

I’m pleased to let you know of a new joint SAP and Questionmark white paper on implementation best practices for learning, training and assessments in regulatory compliance. You can download the white paper here.

There has been a huge change in the regulatory environment for companies in the last few years. This is illustrated nicely by the graph below showing the number of formal warning letters the U.S. Food and Drug Administration (FDA) issued in the period from 2010 to 2016 for various compliance infractions.

Rise in FDA warning letters from 2010 to 2016, numbers increase from a few hundred a year to over 10,000 a year

Of course it’s not just letters that regulators issue, there have also been huge increases in the fines issued on companies in areas including rules breaches in banking, data protection, price-fixing and manufacturing.

Failure to effectively train or assess employees is a significant cause of compliance errors, and this white paper authored by SAP experts Thomas Jenewein, Simone Buchwald and Mark Tarallo and me (Questionmark Founder and Executive Director, John Kleeman) explains how technology can help address the issue.

The white paper starts by looking at key factors increasing the need for training, learning, and assessments to ensure that businesses stay compliant and then goes on to consider three drivers for compliance learning – Organization Imposed, Operations Critical and Regulatory. The white paper then looks at how

  • A Learning Management System (LMS) can manage compliance learning
  • Learning Content and Documentation Authoring Tools can author compliance learning
  • An Assessment Management System can be used to diagnose the training needed, to help direct learning and to check competence, knowledge and skills.

A typical LMS includes basic quiz and survey capabilities, but when making decisions about people, such as whether to promote, hire, fire, or confirm competence for compliance or certification purposes, companies need more. The robust functionality of an effective assessment management system allows organizations to create reliable, valid, and more trustworthy assessments. Often, assessment management systems and LMSs work together, and test-takers will often be directed to take assessments by using a single sign-on from the LMS.

The white paper describes how companies can use SAP SuccessFactors Learning, SAP Enable Now and Questionmark software work together productively to help companies manage and deliver effective compliance learning, training and assessments – to mitigate regulatory risk. It goes on to describe some key trends in compliance training and assessments that the authors see going forwards, including how cybersecurity and data protection are impacting compliance.

The white paper is a quick, easy and useful read – you can download it here.

Can you be GDPR compliant without testing your employees?

Posted by John Kleeman

The GDPR is a new extra-territorial, data protection law which imposes obligations on anyone who processes personal data on European residents. It impacts companies with employees in Europe, awarding bodies and test publishers who test candidates in Europe, universities and colleges with students in Europe and many others. Many North American and other non-European organizations will need to comply.

See my earlier post How to use assessments for GDPR compliance for an introduction to GDPR. The question this blog post addresses is whether it’s practical for a large organization to be compliant with the GDPR without giving tests and assessments to their employees?

I’d argue that for most organizations with 100s or 1000s of employees, you will need to test your employees on your policies and procedures for data protection and the GDPR. Putting it simply, if you don’t and your people make mistakes, fines are likely to be higher.

Here are four things the GDPR law says (I’ve paraphrased the language and linked to the full text for those interested):


1. Organizations must take steps to ensure that everyone who works for them only processes personal data based on proper instructions. (Article 32.4)

2. Organizations must conduct awareness-raising and training of staff who process personal data (Article 39.1). This is extended to include “monitoring training” for some organizations in Article 47.2.

3. Organizations must put in place risk-based security measures to ensure confidentiality and integrity and must regularly test, assess and evaluate the effectiveness of these measures. (Article 32.1)

4. If you don’t follow the rules, you could be fined up to 20 million Euros or 4% of turnover. How well you’ve implemented the measures in article 32 (i.e. including those above) will impact how big these fines might be. (Article 83.2d)


So let’s join up the dots.

Firstly, a large company has to ensure that everyone who works for it only processes data based on proper instructions. Since the nature of personal data, processing and instructions each have particular meanings, this needs training to help people understand. You could just train and not test, but given that the concepts are not simple, it would seem sensible to test or otherwise check their understanding.

A company is required to train its employees under Article 39. But the requirement in Article 32 is for most companies stronger. For most large organizations the risk of employees making mistakes and the risk of insider threat to confidentiality and integrity is considerable. So you have to put in place training and other security measures to reduce this risk. Given that you have to regularly assess and evaluate the effectiveness of these measures, it seems hard to envisage an efficient way of doing this without testing your personnel. Delivering regular online tests or quizzes to your employees is the obvious way to check that training has been effective and your people know, understand and can apply your processes and procedures.

Lastly, imagine your company makes a mistake and one of your employees causes a breach of personal data or commits another infraction under the GDPR? How are you going to show that you took all the steps you could to minimize the risk? An obvious question is whether you did your best to train that employee in good practice and in your processes and procedures? If you didn’t train, it’s hard to argue that you took the proper steps to be compliant. But even if you trained, a regulator will ask you how you are evaluating the effectiveness of your training. As a regulator in another context has stated:

“”where staff understanding has not been tested, it is hard for firms to judge how well the relevant training has been absorbed”

So yes, you can imagine a way in which a large company might manage to be compliant with the GDPR without testing employees. There are other ways of checking understanding, for example 1:1 interviews, but they are very time consuming and hard to roll out in time for May 2018. Or you may be lucky and have personnel who don’t make mistakes! But for most of us, testing our employees on knowledge of our processes and procedures under the GDPR will be wise.

Questionmark OnDemand is a trustable, easy to use and easy to deploy system for creating and delivering compliance tests and assessments to your personnel. For more information on using assessments to help ensure GDPR compliance visit this page of our website or register for our upcoming webinar on 29 June.