Do Corporate Trainers Have to Worry about GDPR?

by CoSo

October 11, 2018

It’s been a few months now since the General Data Protection Regulation (GDPR) went into effect, and I’m still getting asked: Do corporate trainers have to worry about GDPR?

The short answer is yes. My long answer? Yes, yes, absolutely yes.

Even if your organization isn’t located in the EU, if you process any personal data of people who are located in the EU, GDPR applies. Think about it. If EU citizens are attending your virtual training programs or online meetings, then you are processing data of those EU citizens—e.g., their name, contact information, quiz scores, certification levels, overall training progress, etc.—and must comply with the privacy standards of GDPR. Break the rules and you’re looking at penalties of up to 4% of worldwide annual revenue or €20 million, whichever is greater. And while GDPR’s primary purpose is to protect consumers and their data, it also protects individuals as employees. This includes those targeted by B2B marketing and, yes, the EU-based learners you’re training and collecting data on for use in personalized learning and email alerts. This also includes any images or video you might take of learners during your sessions.

So what should you do to ensure compliance? First, you must secure explicit consent to use the personal data of any of your learners before storing or processing their sensitive information. This requires you to know what data you are collecting, how you are collecting it, what you are doing with it, who is processing it and where, and how you are protecting it – whether at rest, in use, or in motion. (Adobe Connect customers can start here. CoSo Cloud customers can start here.)

You must also post privacy notices during the sign-up process that explain in clear everyday language how you collect and use learner information. Additionally, you must implement the means to respond to and, if necessary, act on the data privacy requests learners may submit to your organizations. Such GDPR-protected requests  include accessing and correcting errors, deleting or exporting data, withholding processing and more. If your learners want to know what data you maintain on them, you must provide them with that information. Any user who has accessed your system can make a data privacy request at any time, and you are required to respond in accordance with GDPR guidelines.

You’ll also want to make sure that appropriate data security is in place to prevent unauthorized access to customer data. GDPR calls this “Data protection by design and by default.” This includes binding commitments on what you’ll do if a data breach occurs, which requires in most cases that a Data Processing Addendum be in place with your customers.  Above all, if your organization has assigned a data privacy officer (another GDPR requirement), that person is best equipped to educate you on GDPR compliance and monitor your progress.

But compliance is a community effort that also involves your tech providers. CoSo Cloud, which acts a ‘data processor’ (as owner of the data, your organization is considered by GDPR as the ‘data controller’), only processes personal data in accordance with our customers’ permission and instructions. Should you require any assistance with a data privacy request, we will help you respond either through our shared processes, products, services or tools.

As for our own compliance efforts, CoSo has always maintained the highest standard of data privacy and security and is fully aligned with GDPR guidelines and requirements. Over the past year, we have updated our privacy policy to simplify the language for all users and reviewed our internal operational policies to ensure full GDPR compliance. Furthermore, CoSo Cloud is certified under the EU-US and Swiss-US Privacy Shield frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, processing, and cross-border transfer of personal data from the EU and Switzerland to the United States. By adding Privacy Shield to a growing list of certifications that also includes SOC 2 + HITRUST certification, FedRAMP ATO and HIPAA, and baking data privacy and security into the entire development process of our products, CoSo ensures its customers, regardless of industry can conduct high consequence virtual training and meetings safely and securely. We never sell or otherwise release customer data, analytics, or usage to third parties.

Check out this FAQ to learn more about CoSo’s GDPR efforts.