
eLearning
Data Protection Online Training
Whether it's data protection, information security, occupational safety, compliance or artificial intelligence, nearly all companies and organisations must consider how to adequately train their employees. The requirements are high.
No Disruption to Everyday Work
Training employees is, in most cases, not the core business of a company or organisation. Mandatory training, as well as optional additional training, should therefore be integrated into the working day as seamlessly and with as little disruption as possible.
Flexibility with Time
This means, on the one hand, that employees should have the option to complete their mandatory training with relative flexibility in terms of time. Of course, mandatory training should not be delayed for too long, but a few days, or the specific time of day, are usually not critical, especially when employees are engaged in other time-sensitive projects. Conducting the training online via flexible eLearning is a smart solution.
Flexibility with Devices (Mobile Learning)
Flexibility in terms of the device used is also essential. Once the decision has been made to fulfil training obligations online through eLearning, it shouldn't matter which device employees use to complete the training. Some may prefer to complete the training at their desk on a laptop or desktop PC, while others may prefer to do so on the go, on a laptop, tablet, or smartphone. A good eLearning solution should, therefore, always offer the possibility of "mobile learning" at the employees' convenience. It's essential to provide multiple options and take this into account when selecting the eLearning system or Learning Management System (LMS).
Accountability is Essential!
If, for example, an employer provides online data protection training but later cannot prove it, they may face problems if auditors, supervisory authorities, or other reviewers inquire about it. Keeping attendance records or certificates is, therefore, a critical aspect of online training. At this point, it quickly becomes apparent that an LMS is indispensable. The LMS should enable automated creation and tracking of attendance records. This ensures that one can face the next audit with ease.
Managing Participants
When a system needs to be tailored to the needs of different staff members, all processes should be as smart and automated as possible. Questions to be answered include: How are employees added to the LMS? How are new and departing employees managed? And how can participant management be streamlined to avoid overburdening an already busy HR department? The magic word here is "interfaces." Almost all tasks related to participant management can be automated through interfaces. Whether it's Active Directory or Microsoft Entra ID, most companies and organisations manage their users in such directory services. Therefore, an LMS that synchronises with the directory service for participant management, and possibly incorporates additional metadata to manage different training sessions, is invaluable in terms of both time and resources.
Pedagogy and Entertainment
Returning to our original example, an online data protection training delivered as an eLearning course should address the key points while remaining engaging. A training session that leaves participants feeling bored, even if they receive a certificate, serves little purpose because engagement and retention of material are closely linked. Since the goal is to encourage data protection-compliant behaviour among employees or to prevent issues such as fines, reputational damage, or loss of trust, engagement through fun, interesting and thought-provoking courses is paramount to success.
Once Again: Flexibility
Perhaps in your search for suitable courses, you've come across various training providers. You may already have a customised training programme in PowerPoint that you'd like to deploy. Content developed in-house, as well as third-party content, should also be easily integrated into a good LMS. Fortunately, standards have been established here, particularly the SCORM standard, which a quality LMS should support.
Security
Security is, of course, another critical consideration, especially when participant data is managed within an LMS. If the LMS is used as Software as a Service (SaaS), there’s no need to worry about patches, updates, or server security. However, a data processing agreement must be signed with the provider. The LMS should also offer enhanced security for employees responsible for training. Features like two-factor authentication and/or IP address restriction for such user groups should be standard. The security of the data centre hosting the LMS also plays an important role. Ideally, the provider should host the LMS in a data centre certified to ISO/IEC 27001 standards. However, even the best data centre won't help if the LMS itself is insecure. LMS providers should not shy away from ensuring secure development and regular pen tests, and they should not pass these responsibilities onto customers. Ideally, the provider conducts regular pen tests and provides evidence of them to their customers. Only in this way can vulnerabilities be detected and fixed in a timely manner.
Data Protection
The list goes on, as data protection is another critical factor when choosing an LMS. Does the provider have their headquarters within the EU, and do they only use data centres located in the EU and operated by EU-based companies? If entities outside the EU are involved, assessments of data protection adequacy, including potential "Transfer Impact Assessments," may be necessary. To simplify matters, it's advisable to choose a provider where both they and all involved parties are based in the EU. Those who value development or hosting in Germany can look for the "Software Made in Germany" and "Software Hosted in Germany" seals from the Bundesverband IT-Mittelstand e.V., which confirm these criteria.
Occasionally, data protection challenges may arise in an LMS from another angle. This often concerns features such as internal "leaderboards" – for instance, who completed which training and how they compare to others. What some providers promote as "gamification" may be viewed differently by data protection officers, employee representatives, and perhaps even participants themselves. A light touch is needed here! In addition, data protection should be scrutinised more broadly: What data does the LMS store? Is there any tracking of users on the login page or afterwards? Does the LMS provider use the data for their own purposes, and what cookies are set? These are just a few of the considerations.
AI Regulation
It’s also worth examining providers who advertise that their LMS uses artificial intelligence (AI). While the use of AI can be beneficial, it must be applied responsibly. If AI is used to monitor employees or in an educational context, the company or organisation using the LMS may be deemed the operator of a high-risk AI system under the AI Regulation. This could bring significant obligations. AI systems in training content also matter: from 2 August 2026, certain transparency obligations will apply. These can be easily met with a notice on the first training slide, for example, stating that the training contains content, images, videos, text, audio, or deepfakes generated by AI.
Costs
Last but not least, the cost of an LMS and its content is a major factor. Providers who operate with the necessary cost transparency and offer reasonable pricing should be prioritised.
Conclusion
If you've read this far, you've come a long way. And if you’re now wondering where to find a provider that meets all these criteria, you’ve come to the right place! Feel free to give us a call, and we’ll take care of your training needs. We will, of course, also explain how we meet all the above points so that nothing stands in the way of your online data protection training or any other topics.