Financial advice the Amazon way

By Mark McClelland

Financial advice for consumers is not a happy place. Government and regulators are trying their best to improve the market and safeguard individuals’ finances. But the industry seems to doubt progress.

A major review – the Financial Advice Market Review (FAMR) – was launched by HM Treasury and the Financial Conduct Authority (FCA) two years ago. They wanted to ensure that the financial advice market was working properly for consumers – delivering affordable and accessible advice. The issue was urgent after big changes such as the government’s pension reforms, which meant people could access all the cash from pension pots that were previously locked away.



8 pointers for learning enablement

By Carole Bower

How do you ‘enable’ learning? That’s a question that many Learning and Development people are asking right now as they strive to become “invisible” – a term Bersin uses to describe “a mind-set and approach that enables and assists learning wherever and whenever it occurs in an organization”.


Self-directed learning, invisible L&D and learning enablement are all big themes for Lumesse right now. In the latest edition of The Curve magazine, I wrote about how organisations are shifting from a top-down learning approach to the enablement of self-directed learning, and our recent Think Tank event revealed that the organisations we invited had a consensus view on the validity of an invisible L&D function (as long as the importance of L&D was acknowledged and the results were not invisible!).


So back to the big question – how can L&D switch their focus from creators and distributors of learning to the enablement of learning, where the impact is definitely felt?



SAR: new guidance from the Information Commissioner

By Mark McClelland

An updated code of practice promises to make complying with data protection law tougher.

The new guidance from the Information Commissioner – the UK’s independent data protection regulator – makes it clear that there is a ‘high expectation’ that organisations should be providing information in response to a subject access request (SAR).

Changes have been put in place to reflect recent case law. The burden of proof will be on data controllers – those enterprises that hold personal information about individuals – to show that they took all reasonable steps to comply with the SAR.

The guidance from the Information Commissioner’s Office (ICO) does say that data controllers are only required to carry out ‘a reasonable and proportionate’ search for personal data.

These changes are significant and are set to impact virtually every organisation of any size in the UK. The ICO says that it has more than 400,000 registered data controllers on its books.

So every one of those 400,000 needs to individually work out what the updated guidance means for them. The next step will be to set out a strategy for implementing the changes and updating the learning and training of their staff responsible for data protection.


Lumesse has been talking to some of those affected who are raising concerns that the new guidance could lead to a sudden flood of SARs and that the process of responding to those SARs could become more onerous. Those fears are based on two aspects in the updated guidance:

First, that it is good practice for the Data Controller to have an open conversation with the applicant about the information they require. If a complaint were lodged about the Data Controller’s handling of the SAR then the ICO would take into account the level of co-operation shown by the applicant, as well as the willingness of the enterprise to hold a conversation.

Secondly, the applicant’s motive for making the SAR is irrelevant. Although if there has been an abuse of practice by the applicant then the court could use its discretion not to order compliance.

Allowing individuals to find out what personal data you hold about them, why you hold it and who you disclose it to is seen as fundamental to good information-handling practice. The right, now known as ‘subject access’, is set out in section 7 of the Data Protection Act 1998.

While many think of SARs coming from customers or users (such as patients in the NHS), they can also come from employees and ex-employees. Indeed, it was on the employee/employer area that recent case law focussed.

The Court of Appeal gave judgement in the first half of 2017 in three cases which should be helpful to employers in giving a more precise scope of their obligations in responding to SARs from employees and ex-employees. The Appeal Court said that a SAR could come via social media or email, and did not need to be a request made in a letter; employers cannot refuse SARs simply because they believe they are fishing expeditions gathering evidence for litigation; but a SAR could be refused if its sole purpose was to antagonise.

The judgement confirmed that a SAR requires employers to carry out a ‘reasonable and proportionate’ search for personal data. While that may put some limit on the time and expense, lawyers are saying that a proportionate search may still be extensive, particularly for large employers. So arguing that a potential search is not proportionate will not provide an easy get-out.

Where an employer receives a broad and generalised request for all personal data, which might be many documents, the employer should not refuse to comply. Instead they should first seek to clarify the specific data required, for example by asking for a date range and names or subject headings to search. In other words, back to that conversation. And data controllers have to bear in mind that when they receive a SAR the clock starts ticking: they have 40 days to comply with the request.

And while organisations are still coming to grips with this latest updated guidance from the Information Commissioner, they should be aware that more changes are coming down the tracks.

Data Protection reforms the government announced in August 2017 set out a whole raft of measures to keep data protection relevant in today’s internet economy. This includes a promise to improve data access even further with individuals promised that they will find it easier to find out what personal data an organisation holds about them at no charge. Although organisations will not have to comply if the request is ‘manifestly unfounded or excessive.’

The Government envisages that in years to come Data Controllers will provide better information on how to access information and empower people to take ownership, including ensuring the information is correct.

Now more than ever the correct handling of personal data is becoming a critical issue for enterprises. With changes coming thick and fast everyone concerned with handling data needs to be up to date with data protection law and regulations.

All this has huge ramifications for those who handle personal data every day.

While off-the-shelf learning solutions may cover a lot of ground, enterprises also need to think how best to engage the workforce to ensure the right level of awareness on the bespoke specific learning that data protection compliance is demanding.

For further information and help with SAR please contact Mark McClelland – Key Account Manager Financial Services. mark.mcclelland@lumesse.com / 07774 758717


GDPR: Clock ticking for implementing new data protection rules

By Mark McClelland

Many European companies face a race against time to comply with stricter rules on dealing with customer data that will come into force next Spring. Failure to comply with the new rules – set out in the European Union’s General Data Protection Regulation (GDPR) – would far outstrip the cost of investment in providing staff with the learning they need, yet many organisations have not yet put the necessary training in place.

From May 2018, firms who breach the new data laws face a maximum fine of 4% of the previous year’s annual global turnover or €20 million, whichever is the higher. The implementation of updated data rules is happening at a time when serious data breaches have caught out well-known companies across different sectors. But recent research by data management consultancy Consult Hyperion suggests that financial institutions are particularly at risk. The consultancy is estimating that the fines levied by the new regime could reach €5 billion in the first three years.

With many organisations so unprepared for the introduction and with time running out, L&D professionals should be looking to see how they can ensure employees have the knowledge they need. However, since GDPR is all about making a change in attitudes and behaviours – how can they make sure the training they introduce is not just a box-ticking exercise that fails to have any effect on what people actually do?


Gamification boosts engagement with compliance learning

At Lumesse we have helped many firms successfully comply with the increasing amount of complex regulation organisations find coming at them in sectors like financial services. And we have found gamification approaches to be highly successful in getting learners to engage with what can often be a fairly dry subject matter such as GDPR.

Gamification helps practice real-life situations and challenges in a safe environment and can provide:

  • A better learning experience where learners can have a good time yet still learn because the engagement is high
  • Behavioural change, especially when combined with scientific principles of spaced repetition

These aspects that touch and impact learners can create a significant performance gain for the organisations, helping to ensure they can comply with the new data protection regulations. And a gamified approach does not necessarily have to mean longer lead times – which is crucial, given the urgency GDPR will have for many right now, and the May 2018 deadline.


GDPR and financial services

Our recent conversations with financial services companies suggest that working on GDPR is becoming an urgent task that they know they have to tackle.

And those conversations are backed up by a recent survey from Computer Weekly which suggests that more than half of financial service companies are prioritising data protection regulation as they realise that the clock is ticking down on the 28 May 2018 deadline.

But while 52% of organisations may be starting to gear up, it means that a significant majority risk being caught by surprise and so poorly prepared.

So what is GDPR all about?

The objective of GDPR is to strengthen data privacy and protection for all EU citizens. It looks to do that by placing new obligations on organisations.

These include:

  • Having to build privacy into systems by design – and switched on by default
  • Conducting regular privacy impact assessments
  • Implementing stronger consent mechanisms – particularly when processing data that relates or pertains to minors
  • Following stricter procedures for reporting data breaches and
  • Documenting use of personal data in far more detail than before

Just one of these would be a big enough IT, compliance and learning challenge. Taken together it represents a significant risk which needs to be urgently addressed to avoid GDPR becoming overwhelming.

Alongside adapting processes and systems in line with the new regulation, organisations need to ensure that those responsible for data and data processing understand the overall objectives of GDPR and understand the system and process changes their business has made in response.

With the rise of modern IT management practices – notably the use of the Cloud – companies must be aware that it is not just their own processes and systems that must be compliant.

They also have to monitor the progress of GDPR compliance by IT suppliers.

This is an especially key factor in the financial services sector, where over the last few years firms have become increasingly reliant on IT service providers, including cloud suppliers.

While GDPR does represent an enormous change, it should provide opportunities as well for organisations in the long run; currently Europe has a mish-mash of different European regimes. But from May 2018 the plethora of individual country data protection regimes will be replaced by a harmonised approach.

However, companies also need to be aware that the new regime applies to organisations across the world. Any company that processes personal data on EU citizens, whether they reside in the EU or elsewhere in the world, will need to comply with the GDPR.

With exchange of data across the globe increasing as part of international trade, companies from elsewhere in the world doing business with the EU need to be aware of these regulations.

Trade partners will want to ensure that the GDPR regulations do not hinder their ability to market and sell their products and services in the EU.

The new international aspect of GDPR adds another dimension to GDPR compliance. Companies which may never have heard of the EU’s data protection laws may need to be compliant.

With so many aspects to consider and with the GDPR deadline fast approaching, companies may be tempted to look for an off the shelf (OTS) learning solution. And while OTS can be effective in many situations this may not work for GDPR because of the many differing ways of storing, handling, manipulating and using personal data.

Whatever strategy is best for GDPR compliance learning, companies need to be setting the direction now. Whether in the end firms decide to buy or to build, Lumesse can offer support and advice for either path. We already work with some of the leading global financial services organisations including Barclays, Lloyds Banking Group and Metro Bank and therefore have a strong understanding of the sector.

This is the biggest overhaul of data protection law in 25 years; it is vital to get it right!

 

For further information and help with GDPR please contact Mark McClelland – Key Account Manager Financial Services. mark.mcclelland@lumesse.com / 07774 758717


Lumesse Learning grows digital skills for 230,000 employees

By Trudi Taylor


Lumesse Learning is proud to announce a new client relationship with a global professional services firm, which has selected Lumesse Learning to create a learning programme for all staff across all its regions and service lines.

This programme aims to build a basic fluency in digital transformation and how client-facing teams can help their clients navigate the digital landscape.

Lumesse Learning’s response to the brief is an engaging, dynamic digital learning experience which:

• Uses videos and case studies to gain emotional buy-in and to humanise the subject matter

• Raises confidence levels through practical support resources

• Makes the complex simple through animation and interactive graphics

Andrea Miles, General Manager for Lumesse Learning, said: ‘Digital transformation is a subject close to our hearts as a digital company, and with a learning team based in Brighton, one of the UK’s most innovative and exciting digital hubs, we felt this was a dream brief for us. We are delighted to welcome a new addition to the roster of our many loyal customers, and look forward to working closely with them to fulfil the needs of their business.’