eLearning in the Corporate Setting

In a corporation, a "dominant" company and often several dependent companies form an economic entity. Over time, complex organisational structures with a multitude of employees often emerge. This complexity poses challenges for those responsible, especially regarding (mandatory) training for employees.

In this article, we delve into eLearning courses as a training method and the platforms used for them, providing tips on what corporations and corporate groups should consider when introducing an eLearning system.

eLearning as a Training Method: Isn't it Simple?

Compared to seminars and webinars, eLearning courses offer several advantages and are increasingly popular as a training method. In eLearnings, topics can be conveyed compactly, and newly acquired knowledge can be directly assessed. Employees do not complete the courses at a fixed time in a group but rather whenever it fits into their schedule.

eLearnings can be used for both mandatory training and instructions, as well as training for specific groups of employees within the company or courses for further education. Sensitisation, for example, on the topic of cybersecurity, or brief refreshers (What to do in case of a data breach?) can also be quickly disseminated to a large number of employees through eLearning courses.

However, the more people there are to be trained, the more capable the systems behind the training must be. Furthermore, corporations must note a particularity regarding data protection: there is no corporate privilege for data protection! This means that each (subsidiary) company is considered individually for data protection purposes, so a sensible solution must be found.

Most eLearning systems nowadays are operated as Software as a Service by service providers. Even with on-premise operation, i.e., in their own data centers, companies often cannot avoid using service providers. Let's consider the case where an eLearning system is offered as Software as a Service, i.e., as an internet platform.

eLearning + Software as a Service + Corporation = What to Consider!

Four aspects should be considered by corporations or those responsible for conducting training when selecting the right provider for an eLearning system:

1. Conclude a Data Processing Agreement

The provider of an eLearning platform inevitably comes into contact with the personal data of the company that wants to conduct eLearnings. This is because to carry out an eLearning and ensure participation and proof, the following personal data of employees are usually processed:

  • Name
  • Email address (if available)
  • Possibly function in the company
  • Characteristics necessary for the formation of specific training groups (e.g., first aiders, managers, deployment location, possibly pre-qualifications, function, etc.)
  • Participation status in training (e.g., not started, started, successfully completed)
  • Certificates of participation in completed eLearnings

Companies using an eLearning system, therefore, need a Data Processing Agreement with the software provider. Most providers have their own contract templates that must be reviewed and comply with all requirements of Article 28 of the General Data Protection Regulation (GDPR). The contract should also be as balanced as possible.

Who is actually the contracting party in corporations? Due to the lack of corporate privilege, there is often a question of who exactly becomes the contracting party in contracts for data processing. Several alternatives are conceivable for corporations and corporate groups:

  • It is possible for all companies to conclude their own contract with the software provider. In practice, however, this is often very cumbersome, as many people are involved at the end of the day, and many contracts are on the table.
  • It becomes easier if there is a central entity in the corporation that handles such matters for everyone. In most cases, the individual companies of the corporation have concluded an internal corporate data processing agreement with this central entity, which then acts as a data processor tasked with providing specific services to the individual companies. If providing an eLearning system is one of these services, the software provider concludes a data processing agreement with the central entity and thereby becomes a subcontractor (sub-processor) of the participating companies. The chain then looks like this: each individual company of the corporation is the controller commissioning the central entity as processor, and the central entity in turn commissions the provider of the eLearning platform as a subcontractor.
  • Occasionally, joint responsibility may also apply in corporations, but this is more difficult in practice due to the lack of corporate privilege.

2. Data Transfer to Third Countries

Since data is transferred to the service provider, it is necessary to check where the service provider is actually located and from where the servers are operated. If the platform provider is located outside the EU in a so-called third country, the client (i.e., the corporation) must check whether there is an adequate level of data protection. This applies even if the platform operator uses subcontractors who process the data in a third country. Whether this is the case is usually apparent from the data processing agreements, which must name all subcontractors. If data transfers to non-EU countries are an issue, it must be checked whether:

  • There is an adequacy decision by the EU (but this is only the case for a few countries),
  • The EU Standard Contractual Clauses are sufficient to establish an adequate level of data protection, or
  • Beyond this, a so-called Transfer Impact Assessment (TIA) must be carried out, and further technical and organisational measures must be adhered to.
  • For some time, the EU-US Data Privacy Framework has also been relevant for providers from the USA. For companies registered here, an adequate level of data protection can generally be assumed, with the registration explicitly also applying to "HR" data.

Whoever reads these lines quickly realises that the selection of the platform and the service provider should also involve the company's own data protection officer.

3. The Platform Must Be Secure

If the contractual aspects are in order, the next step in selecting an eLearning platform provider is to focus on the provider's security. The data processing agreements should contain a description of the technical and organisational measures. However, these are often very general and say little about real threats. Since an eLearning platform operated as Software as a Service is a web application, it is exposed to particular risks. Therefore, the following security features are mandatory:

Two-factor authentication for backend users
When the eLearning platform is accessible via the internet, you should consider these dangers: What happens if a user loses their password, or, against all instructions, reuses the same password across several internet services and falls victim to a phishing or social engineering attack? The damage would be particularly high if the affected account belongs to a person with extended rights (e.g., the person responsible for training) who has access to all employee data stored in the system. From our point of view, it should therefore be ensured that two-factor authentication, or at least an IP address range restriction, is offered for such user groups.

Interface security
Especially in large companies and corporate groups, it is hardly possible to enter the employees to be trained individually, and even uploading them via a list is often very time-consuming. Therefore, corporations and corporate groups often cannot avoid platforms that also offer integration via interfaces. Useful options here include synchronisation with HR tools or with the identity provider (e.g., Active Directory). The System for Cross-Domain Identity Management (SCIM) can be regarded as the quasi-standard here, as common identity providers such as Microsoft's Entra ID and Okta can be connected via it.
Here too, security issues come into play: single sign-on (via OpenID Connect or SAML) is an important factor, because password policies and multi-factor authentication then remain in the hands of the company.

Penetration Testing
When it comes to application security, additional aspects become relevant, such as password complexity, "forgot password" processes, protection against brute force attacks, the use of strong transport encryption, proper session management, protection against cross-site scripting through input validation and output encoding, storing passwords not in plain text but hashed and salted, and ensuring sufficient entropy when using login links. These topics are complex enough that it is advisable to choose service providers who conduct penetration tests at regular intervals and are familiar with these issues.
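Two of the items listed above, sufficient entropy in login links and salted password hashing, are shown below in an added example written for this article; it is not code from any eLearning platform. Names, the in-memory token store and the 15-minute validity period are assumptions; the tokens are single-use and only their hash is stored, so a leaked database does not yield usable links.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32            # 256 bits from the OS CSPRNG, not a guessable sequence
TOKEN_TTL_SECONDS = 15 * 60 # assumed validity window for a login link

# Assumed in-memory store: token hash -> {"user", "expires", "used"}.
_issued: Dict[str, dict] = {}

def _hash_token(token: str) -> str:
    # Only the hash is persisted; the plaintext token lives in the e-mailed link.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_login_link(user_id: str, now: Optional[float] = None) -> str:
    """Create a one-time login token for user_id and return it for the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _issued[_hash_token(token)] = {"user": user_id, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token

def redeem_login_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the link is unused and unexpired, else None."""
    now = time.time() if now is None else now
    record = _issued.get(_hash_token(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True   # single use: a replayed link fails
    return record["user"]

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash (scrypt); a fresh random salt per password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison
```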

Certified Data Centers
The security of data centers is also an important factor in selecting the right platform. In practice, certificates provide guidance when comparing providers. It is important that the data centers used have a current ISO 27001 certification or a comparable certification.

Authorisation Concept within the Corporation
You have probably heard of the "need-to-know" principle in data protection. And this naturally also applies to the training of employees. Only the people in the corporate group who actually need this information should have access to the data. Or, in other words, not everyone should be able to see everything. If there are no regulations for central training management in the corporation, permissions must be set at the company level. Then, a responsible person may, for example, check whether all participants from their own company have completed the training within the specified time. However, employees of sister or subsidiary companies should generally not have access. Therefore, it must be carefully examined beforehand whether the platform meets the corporation's specific requirements regarding the authorisation concept.
In addition to the aforementioned data protection officer, the decision for or against a particular eLearning platform should also involve the information security officer or IT security officer.
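The company-level authorisation concept described above, as an added example that is not part of the original article or any specific platform: a training manager sees only their own company's participants, a request for a sister or subsidiary company is refused rather than silently filtered, and only a central training function (if the corporation has one) sees the whole group. The group structure, names and training records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List

@dataclass(frozen=True)
class TrainingRecord:
    employee: str
    company: str
    course: str
    status: str      # "not started" | "started" | "completed"
    due: date

@dataclass(frozen=True)
class TrainingManager:
    name: str
    scope: FrozenSet[str]   # companies whose records this manager may see

# Constructed corporate group: one parent with two sister subsidiaries.
GROUP_COMPANIES = frozenset({"ParentCo", "SubA", "SubB"})

def manager_scope(company: str, central_training_management: bool = False) -> FrozenSet[str]:
    """Need-to-know default is the manager's own company; only a central
    training function is scoped to the whole group."""
    return GROUP_COMPANIES if central_training_management else frozenset({company})

def records_for(manager: TrainingManager, company: str,
                records: List[TrainingRecord]) -> List[TrainingRecord]:
    """Deny access outright when a manager asks for a company outside their scope."""
    if company not in manager.scope:
        raise PermissionError(f"{manager.name} may not view records of {company}")
    return [r for r in records if r.company == company]

def overdue_employees(manager: TrainingManager, company: str,
                      records: List[TrainingRecord], today: date) -> List[str]:
    """Employees of `company` who have not completed the course by its deadline."""
    return sorted(r.employee for r in records_for(manager, company, records)
                  if r.status != "completed" and today > r.due)

# Constructed sample records for one mandatory course.
RECORDS = [
    TrainingRecord("alice", "SubA", "Data breach refresher", "completed", date(2024, 3, 1)),
    TrainingRecord("bob", "SubA", "Data breach refresher", "started", date(2024, 3, 1)),
    TrainingRecord("carol", "SubB", "Data breach refresher", "not started", date(2024, 3, 1)),
    TrainingRecord("dave", "ParentCo", "Data breach refresher", "not started", date(2024, 3, 1)),
]
```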

4. Legality Check

The use of the eLearning platform must, of course, also be lawful. What sounds obvious can sometimes be quite difficult in practice because pitfalls sometimes lurk in unexpected places.

No "Rankings" Without Consent
Many employees must, and want to, participate in eLearnings. However, not everyone wants to be compared with others. "Faster," "more," and "particularly good" – or not – are not the attributes everyone wants to read about themselves in comparison with colleagues. And sometimes eLearning platforms have "leaderboards" that may be pre-set and cannot be deselected. From a data protection perspective, this can quickly become difficult, and even a works council, which must be involved, may see this "feature" as a hurdle. From our point of view, leaderboards also ignore an important success factor in eLearning: everyone learns at their own pace and can review the course if necessary. What matters is that the content is understood and the knowledge can be applied, not who finishes the course first or has completed the most courses.

Be Cautious with Google Analytics & Co. on Login Pages
If a Software as a Service platform is used, the employees are on the provider's platform and must log in there to use it. Time and again, one finds providers who greet users with excessive "cookie banners" to obtain consent for the platform's own tracking. From the perspective of the company that directs its employees to such a platform, it is important that the platform can be used with as little data as possible. Tracking and often opaque cookie banners are not only a bad user experience; they may also be attributed to the company that uses the platform. Therefore, when selecting a service provider, how the provider handles data protection should also be carefully examined.

Artificial Intelligence
The importance of the topic of Artificial Intelligence (AI) can currently hardly be overstated. Some eLearning platforms promise to create profiles of employees using AI-based algorithms in order to improve learning suggestions and promote employee development. Apart from the question of whether this is really useful, the use of such AI features quickly raises questions about their (data protection) permissibility. The use of such "features" may even require the company to conduct a Data Protection Impact Assessment (DPIA) according to Article 35 of the GDPR.

Conclusion

The selection of the right eLearning platform is an important issue, not only but especially for corporate groups and corporations. In addition to the range of functions and usability, data protection issues and information security also play a significant role.

If you are wondering whether and how our learning platform meets all the points mentioned above, feel free to call us! Behind DSN Train stands not only a team of dedicated developers but also lawyers who are well-versed in data protection issues when using training platforms and numerous security experts and penetration testers who not only contribute to training but also scrutinise our platform.