Category Archives: compliance

Compliance award at Brandon Hall Excellence Awards

By Trudi Taylor

Lumesse Learning and American Express Global Business Travel have been awarded silver at the Brandon Hall Excellence in Learning Awards 2017 in the category of Best Advance in Compliance Training.

American Express Global Business Travel was keen to take a new approach to their compliance learning to make it more engaging and relevant. With their vision ‘the future of learning is personal’ in mind, Lumesse Learning created a campaign approach featuring e-learning modules, videos, blog posts, posters, and intranet banners.


Financial advice the Amazon way

By Mark McClelland

Financial advice for consumers is not a happy place. Government and regulators are trying their best to improve the market and safeguard individuals’ finances. But the industry seems to doubt progress.

A major review – the Financial Advice Market Review (FAMR) – was launched by HM Treasury and the Financial Conduct Authority (FCA) two years ago. They wanted to ensure that the financial advice market was working properly for consumers – delivering affordable and accessible advice. The issue was urgent after big changes such as the government pension reforms, which mean people could access all the cash from pension pots previously locked away.


SAR: new guidance from the Information Commissioner

By Mark McClelland

An updated code of practice promises to make it tougher to comply with data protection law.

The new guidance from the Information Commissioner – the UK’s independent data protection regulator – makes it clear that there is a ‘high expectation’ that organisations should be providing information in response to a subject access request (SAR).

Changes have been put in place to reflect recent case law. The burden of proof will be on data controllers – those enterprises that hold personal information about individuals – to show that they took all reasonable steps to comply with the SAR.

The guidance from the Information Commissioner’s Office (ICO) does say that data controllers are only required to carry out ‘a reasonable and proportionate’ search for personal data.

These changes are significant and are set to impact virtually every organisation of any size in the UK. The ICO says that it has more than 400,000 registered data controllers on its books.

So every one of those 400,000 needs to individually work out what the updated guidance means for them. The next step will be to set out a strategy for implementing the changes and updating the learning and training of their staff responsible for data protection.

Lumesse has been talking to some of those affected who are raising concerns that the new guidance could lead to a sudden flood of SARs and that the process of responding to those SARs could become more onerous. Those fears are based on two aspects in the updated guidance:

First, that it is good practice for the Data Controller to have an open conversation with the applicant about the information they require. If a complaint were lodged about the Data Controller’s handling of the SAR then the ICO would take into account the level of co-operation shown by the applicant, as well as the willingness of the enterprise to hold a conversation.

Secondly, the applicant’s motive for making the SAR is irrelevant. Although if there has been an abuse of practice by the applicant then the court could use its discretion not to order compliance.

Allowing individuals to find out what personal data you hold about them, why you hold it and who you disclose it to is seen as fundamental to good information-handling practice. The right, now known as ‘subject access’ is set out in section 7 of the Data Protection Act 1998.

While many think of SARs coming from customers or users (such as patients in the NHS), they can also come from employees and ex-employees. Indeed it was on the employee/employer area where recent case law focussed.

The Court of Appeal gave judgement in the first half of 2017 in three cases which should be helpful to employers by giving a more precise scope of their obligations in responding to SARs from employees/ex-employees. The Appeal Court said that a SAR could come via social media or email and did not need to be a request made in a letter; employers cannot refuse SARs simply because they believe they are fishing expeditions gathering evidence for litigation; but a SAR could be refused if its sole purpose was to antagonise.

The judgement confirmed that a SAR requires employers to carry out a ‘reasonable and proportionate’ search for personal data. While that may put some limit on the time and expense, lawyers are saying that a proportionate search may still be extensive, particularly for large employers. So arguing that a potential search is not proportionate will not provide an easy get-out.

Where an employer receives a broad and generalised request for all personal data which might be many documents, the employer should not refuse to comply. Instead they should first seek to clarify the specific data required, for example by asking for a date range and names or subject headings to search. In other words back to that conversation. And data controllers have to bear in mind that when they receive a SAR the clock starts ticking: they have 40 days to comply with the request.

And while organisations are still coming to grips with this latest updated guidance from the Information Commissioner, they should be aware that more changes are coming down the tracks.

Data Protection reforms the government announced in August 2017 set out a whole raft of measures to keep data protection relevant in today’s internet economy. This includes a promise to improve data access even further with individuals promised that they will find it easier to find out what personal data an organisation holds about them at no charge. Although organisations will not have to comply if the request is ‘manifestly unfounded or excessive.’

The Government envisages that in years to come Data Controllers will provide better information on how to access information and empower people to take ownership, including ensuring the information is correct.

Now more than ever the correct handling of personal data is becoming a critical issue for enterprises. With changes coming thick and fast everyone concerned with handling data needs to be up to date with data protection law and regulations.

All this has huge ramifications for those who handle personal data every day.

While off-the-shelf learning solutions may cover a lot of ground, enterprises also need to think how best to engage the workforce to ensure the right level of awareness on the bespoke specific learning that data protection compliance is demanding.

For further information and help with SAR please contact Mark McClelland – Key Account Manager Financial Services. mark.mcclelland@lumesse.com / 07774 758717


GDPR: Clock ticking for implementing new data protection rules

By Mark McClelland

Many European companies face a race against time to comply with stricter rules on dealing with customer data that will come into force next Spring. Failure to comply with the new rules – set out in the European Union’s General Data Protection Regulation (GDPR) – would far outstrip the cost of investment in providing staff with the learning they need, yet many organisations have not yet put the necessary training in place.

From May 2018, firms who breach the new data laws face a maximum fine of 4% of the previous year’s annual global turnover or €20 million, whichever is the higher. The implementation of updated data rules is happening at a time when serious data breaches have caught out well-known companies across different sectors. But recent research by data management consultancy Consult Hyperion suggests that financial institutions are particularly at risk. The consultancy is estimating that the fines levied by the new regime could reach €5 billion in the first three years.

With many organisations so unprepared for the introduction and with time running out, L&D professionals should be looking to see how they can ensure employees have the knowledge they need. However, since GDPR is all about making a change in attitudes and behaviours – how can they make sure the training they introduce is not just a box-ticking exercise that fails to have any effect on what people actually do?

Gamification boosts engagement with compliance learning

At Lumesse we have helped many firms successfully comply with the increasing amount of complex regulation organisations find coming at them in sectors like financial services. And we have found gamification approaches to be highly successful in getting learners to engage with what can often be a fairly dry subject matter such as GDPR.

Gamification helps practice real-life situations and challenges in a safe environment and can provide:

  • A better learning experience where learners can have a good time yet still learn because the engagement is high
  • Behavioural change, especially when combined with scientific principles of spaced repetition

These aspects that touch and impact learners can create a significant performance gain for the organisations, helping to ensure they can comply with the new data protection regulations. And a gamified approach does not necessarily have to mean longer lead times – which is crucial, given the urgency GDPR will have for many right now, and the May 2018 deadline.

GDPR and financial services

Our recent conversations with financial services companies suggest that working on GDPR is becoming an urgent task that they know they have to tackle.

And those conversations are backed up by a recent survey from Computer Weekly which suggests that more than half of financial service companies are prioritising data protection regulation as they realise that the clock is ticking down on the 28 May 2018 deadline.

But while 52% of organisations may be starting to gear up, it means that a significant majority risk being caught by surprise and so poorly prepared.

So what is GDPR all about?

The objective of GDPR is to strengthen data privacy and protection for all EU citizens. It looks to do that by placing new obligations on organisations.

These include:

  • Having to build privacy into systems by design – and switched on by default
  • Conducting regular privacy impact assessments
  • Implementing stronger consent mechanisms – particularly when processing data that relates or pertains to minors
  • Following stricter procedures for reporting data breaches and
  • Documenting use of personal data in far more detail than before

Just one of these would be a big enough IT, compliance and learning challenge. Taken together it represents a significant risk which needs to be urgently addressed to avoid GDPR becoming overwhelming.

Alongside adapting processes and systems in line with the new regulation, organisations need to ensure that those responsible for data and data processing understand the overall objectives of GDPR and understand the system and process changes their business has made in response.

With the rise of modern IT management practices – notably the use of the Cloud – companies must be aware that it is not just their own processes and systems that must be compliant.

They also have to monitor the progress of GDPR compliance by IT suppliers.

This is an especially key factor in the financial services sector, where over the last few years firms have become increasingly reliant on IT service providers, including cloud suppliers.

While GDPR does represent an enormous change, it should provide opportunities as well for organisations in the long run; currently Europe has a mish-mash of different European regimes. But from May 2018 the plethora of individual country data protection regimes will be replaced by a harmonised approach.

However, companies also need to be aware that the new regime applies to organisations across the world. Any company that processes personal data on EU citizens, whether they reside in the EU or elsewhere in the world, will need to comply with the GDPR.

With exchange of data across the globe increasing as part of international trade, companies from elsewhere in the world doing business with the EU need to be aware of these regulations.

Trade partners will want to ensure that the GDPR regulations do not hinder their ability to market and sell their products and services in the EU.

The new international aspect of GDPR adds another dimension to GDPR compliance. Companies which may never have heard of the EU’s data protection laws may need to be compliant.

With so many aspects to consider and with the GDPR deadline fast approaching, companies may be tempted to look for an off the shelf (OTS) learning solution. And while OTS can be effective in many situations this may not work for GDPR because of the many differing ways of storing, handling, manipulating and using personal data.

Whatever strategy is best for GDPR compliance learning, companies need to be setting the direction now. Whether in the end firms decide to buy or to build, Lumesse can offer support and advice for either path. We already work with some of the leading global financial services organisations including Barclays, Lloyds Banking Group and Metro Bank and therefore have a strong understanding of the sector.

This is the biggest overhaul of data protection law in 25 years; it is vital to get it right!

 

For further information and help with GDPR please contact Mark McClelland – Key Account Manager Financial Services. mark.mcclelland@lumesse.com / 07774 758717


How L&D can help line managers to support learning

By Duncan Barrett

While many organisations are looking at how best to support a culture of learning and meet the needs of self-directed learners, many are still dealing with the challenge of engaging employees around content that needs to be delivered to and understood by their workforce, whether for compliance or operational reasons.

For L&D teams facing this challenge, the most important ally must surely be the line manager.

We explore these themes in our webinar: Learning in the Line: L&D, line managers & the self-directed learner 

Line managers form a silent (or not so silent) army of support that is ready, willing and able to guide their teams in meeting the challenges of uncertainty and complexity that are sweeping through the world of work as we know it … Well – something along those lines!

In truth, line managers are pulled in multiple directions to meet the needs of the organisation as well as their team.


How adaptive pathways make digital learning more elastic

By Nicholas Murphy

One of the key challenges for digital learning design is creating solutions that meet the needs of all learners. Risk often drives decision-making when it comes to content: if we don’t know how much people already know, we create content that tries to teach everybody everything, regardless of their level of expertise. This is particularly true for any training that is driven by a regulatory or compliance motivation.

Challenging this approach has become a key driver for us at Lumesse in moving, with our clients, towards a more personalised, learner-centric dynamic.

Typically, courses teach and then test: it’s the foundation of most e-learning. But that model is founded on an assumption that the audience will have a low baseline of understanding. The reality, however, is that most learner populations will already know quite a bit about a given topic (even if some of that ‘knowledge’ comes from hearsay, myth or legend!).

One sure way of making the learner switch off is to make them sit through a lot of material they know already. So reversing the teach-test structure and running an initial diagnostic has been a principle in learning for some time. Test me first, teach me what I don’t know, and then test me again.

However, both of these approaches are limited. They work for content you need to remember, but much less well for behavioural competency, where we need to feed the subconscious to drive behavioural changes.

Increasingly, we are beginning to use adaptive learning paths to increase the effectiveness of digital learning. Here’s how it works.


How to drive maximum adoption for your digital learning programme

By Steve George

Picture the scene …

You’ve been working hard. You’ve spent months building up to this event (if only everyone knew the sacrifices you’d made!). Everything comes down to this moment.

Last week you pressed the button and launched your career-defining, world-changing, learner-enhancing, company-building, brain-expanding digital learning programme, and now, with trembling hands and a heart pounding with excitement, you are going in to get the reports to show what a massive earthquake of an impact it’s had …

Only it hasn’t.

Never mind an earthquake, your career-defining, world-changing, learner-enhancing, etc. course hasn’t even created a modest tremor. Surely this can’t be right! No-one has even looked at it?

You run the report again, double-checking all your parameters, and find that yes, it’s true … not a single person has so much as cast a glance at it.

Imagine the crushing disappointment! How did this happen?


Towards Maturity points the way forward for L&D

By John Helmer

In an industry that tends to lapse into inspirational memes at the drop of a hat, we too often spout motherhood statements about innovation while conveniently ignoring its more troubling flip side, risk.

There is no innovation without risk. And this, one could argue, is the nub of the problem faced currently by L&D in the UK as revealed within the pages of Embracing Change, the industry benchmark report released this week by Towards Maturity. The risky business of learning innovation seems just too rich for the blood of many in training, a branch of the enterprise that, historically, has not had that much to do with the sort of high-stakes investments that digital transformation often requires.

Partly in consequence of its back story, training has lagged in adoption of digital technology when compared to its swankier cousins, marketing and finance. By comparison, training comes across in the numbers (if not in the rhetoric) as unadventurous and risk-averse. Course-based, stand-up training is still massively dominant in UK organisations, and training continues to be seen as a cost centre, rather than as the engine of growth and competitive advantage.

However. While the headline result of this year’s benchmark research – ‘70% of L&D teams fail to improve business productivity’ – might seem dispiriting; and Clive Shepherd, for one, pulled no punches in pointing out exactly how ‘stuck’ the report shows L&D to be, there are clear indications in the report of what L&D should do to improve this situation, and a growing evidence base on which it can draw in doing so.


Hi-vis learning: how to do elearning without computers

By John Helmer

How do you do online learning when the workforce isn’t online? Sounds like an impossible brief? Well I’ve been talking to the account team at Lumesse Learning who are increasingly taking on just such briefs – and this is definitely not the non-starter it might sound like at first hearing.

In certain parts of industry – within the fast-growing service sector, for instance – large swathes of the workforce don’t come into contact with any sort of computer from one week to the next – let alone a computer with internet access. Think of the vast managed services industry, which supplies legions of cleaners, drivers, security guards and traffic wardens. Or Transport, or Energy – or the building trade: industries that employ legions of people in hi-vis tabards who are very much ‘in the field’ and don’t sit down at a desk to work.

Large companies that do this kind of work need the power and scale offered by digital learning at its best as much, if not more than, organisations where staff are plugged into their desktops all day long. Many have strong compliance drivers and large workforces. But sometimes it seems that the learning technologies crowd simply don’t see this problem.

Too often it seems that, so far as the elearning community is concerned, digital learning is just for people who measure out their days with coffee cups and post-it notes, sat at a desktop computer and plugged into the corporate network.

However, we at Lumesse Learning love nothing more than a challenge. And more and more, it seems, we are rising to this particular challenge of creating learning programmes for staff who don’t work in offices – online learning for people who aren’t online.

Here’s how we’re doing it.


Is compliance learning even a thing?

By John Helmer

Why do we persist in talking about compliance learning as if it were one thing when actually it’s many different things? Achieving financial compliance for a bank doesn’t really have that much in common with ensuring HSE compliance on an offshore oil rig – and technical compliance for product development is something else again. So surely the training should be quite distinct too in each case? When you look close up, compliance is such a different beast from sector to sector that it surely begs the question: is compliance learning even a meaningful category?

It might seem strange to ask this. Looking at recent research, ATD (formerly ASTD) identifies ‘Mandatory and Compliance’ as the number one content area in its 2014 ‘State of the Industry’ report, and Brandon Hall Group’s research indicates that 49% of US organizations consider compliance training to be either a priority or critical to their business. Compliance training represents a significant slab of revenues for the global training industry and – although reliable industry figures are thin on the ground here – an even larger proportion of elearning revenues, by all accounts.

However, although compliance learning is clearly a well established category so far as the vendor market is concerned, do customers view it that way? I suspect not.
