The Nineteen Responsibilities of an Assessment Data Controller under the GDPR
Posted by John Kleeman
Back in 2014, Questionmark produced a white paper covering what at the time was a fairly specialist subject – what assessment organizations needed to do to ensure compliance with European data protection law. With the GDPR in place in 2018, and with its extra-territorial reach and potential for large fines, the issue of data protection law compliance is one that all assessment users need to consider seriously.
Questionmark Associate Legal Counsel Jamie Armstrong, Questionmark CEO Eric Shepherd and I have now rewritten the white paper to cover the GDPR and published it this week. The white paper is called “Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities”. I’m pleased to give you a summary in this blog article.
To remind you, a Data Controller is the organization responsible for making decisions about personal data, whereas a Data Processor is an organization that processes data on behalf of the Data Controller. As shown in the diagram, a Data Processor may have Sub-Processors. In the assessment context, examples of Data Controllers might be:
- A company that tests its personnel for training or regulatory compliance purposes;
- A university or college that tests its students;
- An awarding body that gives certification exams.
Data Processors are typically companies like Questionmark that provide services to assessment sponsors. Data Processors have significant obligations under the GDPR, but the Data Controller has to take the lead. Back in 2014, we considered there were typically 12 responsibilities for an assessment Data Controller. Our new white paper suggests there are now 19. The GDPR significantly expands the responsibilities Data Controllers have, and makes it clearer what needs to be done and the likely penalties if it is not done.
The 25-page white paper:
- Gives a summary of European data protection law
- Describes what we consider to be the 19 responsibilities of a Data Controller (see diagram)
- Gives Data Controllers a checklist of the key measures they need from a Data Processor to be able to meet these responsibilities
- Shares how Questionmark helps meet the responsibilities
- Comments on how the GDPR, by pushing for accuracy of personal data, might encourage more use of valid, reliable and trustworthy assessments and benefit us all
The white paper is useful reading for anyone who delivers tests and exams to people in Europe – whether using Questionmark technology or not. Although we hope it will be helpful, like all our blog articles and white papers, this article and the white paper are not a substitute for legal advice specific to your organization’s circumstances. You can see and download all our white papers at www.questionmark.com/learningresources and you can directly download this white paper here.