Handling Mandatory Training Courses from a Compliance Perspective

In today's blog post, we address a topic that concerns every company and authority, and one that is sometimes more complex in practical implementation than it may initially seem. Specifically, we are discussing mandatory training and how to carry them out in practice. We examine the question of establishing processes that are watertight and meet the high requirements of accountability. A brief warning at this point: This blog post will be a bit longer, but it provides concrete solutions at the end. But let's start from the beginning.

What mandatory training actually needs to be done?

The question of which courses are or should be is still unanswered in many organizations. Initially, a survey should be conducted to systematically capture legally mandatory training courses. The requirements may vary depending on the organization or authority, but the following mandatory courses are relevant for almost every organization:

• General occupational safety,
• General behaviour in case of fire,
• General data protection training,
• General information security training.

These courses are normally mandatory by law and come under protections laws such as (e.g., the Occupational Safety Act and the General Data Protection Regulation), or indirectly from the requirements of supervisory authorities.

In addition to general mandatory training, many other courses may be required depending on the organization. For example, organizations aiming for an ISO 27001 certification (a highly recognized certification for information security management) must sensitize their employees to the threat of "Social Engineering." Organizations working with hazardous substances must offer detailed additional training on specific occupational safety. The spectrum varies widely depending on the organization, so it makes sense to conduct an individual survey within the organization in order to ascertain which course should be mandatory. A person should be designated to take responsibility for handling this survey within the organization (e.g., a person from the HR department or the compliance officer). Relevant functional roles in the organization, if present, should also be involved in this survey, such as:

• Occupational safety officer,
• Data protection officer,
• Information security officer,
• Compliance officer,
• Fire safety officer. 

The goal should be to create a training plan that not only defines mandatory training courses but also establishes the frequency with which these coursesshould take place. This interval will typically be one to two years depending on the training course. Courses can either be repeated within this time frame s, or more advanced follow up training should be offered.

It should also be noted that new employees must be trained in a timely manner. We recommend conducting basic training within the first six weeks.

How to conduct mandatory training

There are various ways to conduct mandatory training. These include:

• On-site or video conference training,
• eLearning courses,
• Special awareness campaigns.

In practice, it often makes sense to work with a mixed concept of different training methods. However, especially in larger organizations, eLearning often plays a central role. The organization must ensure that all employees are trained in a timely and regular manner – including new employees. Additionally, colleagues on vacation, sick leave, or on parental leave should not be forgotten. In such cases, the training must be conducted upon their return – a requirement that is challenging to implement in large organizations without eLearning, as it would demand significant resources.

Accountability

The organization is fundamentally accountable in an abstract and individual manner to make sure mandatory training takes place. This means that, upon request from the relevant supervisory authorities (e.g., data protection authority or labor inspection), the organization must provide evidence of the general training process. This is best achieved through a written training concept. Furthermore, the participation of each individual on each course must be proven. This can be accomplished, for example, by maintaining training lists or providing participation certificates.

Planning processes

In the course of organizing mandatory training, a series of additional questions arise apart from creating the training concept. For example:

• Who is responsible for inviting participants?
• How are employees who do not attend despite instructions dealt with?
• Who oversees monitoring?
• How are new and departing employees are catered to?
• Where are training records are kept?

It may also be necessary to establish a binding policy within the organization that mandates employees to actually participate in the mandatory training sessions rolled out. In practice, this involves a lot of detailed work.

Our eLearning platform and content

Although the above may sound like a lot of work, it can be significantly reduced through smart solutions. For several years, we have been working with many colleagues to create eLearning courses for mandatory training. The content creation team has grown to four people who work daily on new content. We place great emphasis on presenting what is often perceived as dry material in a way that makes the training enjoyable. An overview of our courses can be found on this page.

In addition, we now work with a team of developers and product managers on smart solutions to not only support you with the complex requirements of data protection, information security, and compliance but also to make the organization of mandatory training as simple as possible. For this purpose, we have created our own training platform called DSN port.

Mandatory training in detail – Creating participants

Once you have created the training concept for your organization and are ready to practically implement eLearnings, the first question is how to reach all employees. Specifically, all employees who should be trained must be registered in the learning platform.

DSN port offers several options for this:

• Participants can be manually added individually,
• Even easier is the importing of participants from existing systems, such as the HR system,
• It is also possible to synchronize all employees directly through an interface to the organization's directory service (e.g., Active Directory).

In this case, the employee names and their official email addresses (if such exist) should be added. In addition, further distinguishing features can be captured through a simple tagging system. For example, it is possible to record the locations of employees, their area of responsibility and other criteria relevant to the deployment of training content. Ideally, all employees are always entered in the system, and changes are also reflected.

Setting up and assigning mandatory training content

The next step is to set up the training in the system. Let's take the example of basic courses on occupational safety, data protection, and information security. In our example the training needs to be repeated annually. Since these are general courses that should be rolled out to all employees, no distinction needs to be made between locations, departments, etc. The training is intended for "all." In this example, we do not need additional keywords for differentiation.

Starting the mandatory training

After a few additional settings (e.g., setting a frequency reminder), the mandatory training can be started. All employees stored in the system will now receive an invitation by email for their individual training. This can be completed simply by clicking on a link contained in the email sent by the system. It opens in the browser, and is thus accessible on almost any device. The mandatory training runs indefinitely. This means that new employees also receive an email invitation to their mandatory trainings directly upon inclusion in the system and this is repeated annually at individually necessary times.

By creating mandatory training and automatically delivering it, you can ensure that all employees always receive an invitation to participate in mandatory training. If the processes related to new and departing employees are well thought out, the person responsible for training management could lean back and let the learning platform do its job, focusing, for example, on planning the next on-site awareness campaign.

Unfortunately, for employees without their own email address, it is not quite as automatic – but it is still smart. For employees without an email address, it is possible to generate QR codes and links and print them as a mail merge. The printed out invitations are then distributed to employees who can then complete the training with private smartphones or other browser-enabled devices.

Accountability and latecomers

Once the learning platform is configured, it runs automatically after the initial setup. As a person responsible for training administration, there is hardly anything else to do. Statistics show the current status of the respective trainings. However, if employees ignore all invitations and reminder emails sent by the system, action must be taken. In this case, it is possible to display the corresponding participants.

For employees who do not work for an extended period (e.g., because they are on parental leave or taking a sabbatical), the roll-out of trainings can be paused.

The goal is to establish an ongoing training platform that continuously: delivers mandatory training content at the appropriate intervals, creates training certificates for mandatory training courses ensures long-term legal certainty and a significant reduction in organizational effort related to mandatory training courses.

Have we sparked your interest?
Feel free to approach us on these topics. We are happy to assist you with:

• Conducting a survey of mandatory training,
• Creating a written training concept and other guidelines,
• Selecting and licensing suitable course content from our portfolio,
• Setting up and licensing our learning platform,
• Integrating third-party content, creating individual courses, or importing existing PowerPoint courses.

Feel free to contact us with any other questions – for example, about our course content beyond the mandatory program – at any time.