What is GDPR?
General Data Protection Regulation (GDPR) is a European Union (EU) law on data protection and privacy. It is designed to give individuals control over how and when their personal data is used. Two roles govern data and its use: those that control the data (controllers) and those that process it (processors).
One notable feature of GDPR is how broadly it defines "personal data." It is not just government ID numbers, addresses, and the like; it also covers things like political opinions and social media posts. Businesses and organizations must adhere to strict regulations on how the data can be collected and how it can be used. Individuals also have the right to revoke consent at any time.
GDPR lays out eight rights for individuals.
These range from easier access to the data companies hold about them to having that data deleted in some scenarios.
The full GDPR rights for individuals are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The rights around automated decision making and profiling
Why It Is Important
Data is the new oil - meaning that data is incredibly valuable and sought after. Organizations want more data so they can market their products more effectively. Criminals want more data because they can sell it or use it in other ways to monetize their efforts.
GDPR is built on two core principles.
- First, it aims to minimize what data can be collected, how long it can be stored, who has access to it, and how it can be shared, while maximizing the control individuals have over their data.
- Second, it aims to levy significant penalties on organizations that violate these rules, whether directly or indirectly via a breach.
GDPR regulations, while specific to the EU, have far-reaching implications for organizations that conduct operations within the EU and with its citizens. Organizations around the world must adhere to these regulations or choose to not operate in a way that would expose them to these regulations. Most enterprises are global in scope, so they must take care to secure personal data according to these regulations or face significant fines.
Common Challenges With GDPR Compliance-based Training
Cybersecurity has reached a point where the odds are higher than ever that an organization already has been, or soon will be, breached. The purpose of regulations like GDPR is not solely to punish mistakes but to provide guidelines and best practices that help organizations limit the likelihood and impact of a breach. Another important aspect of GDPR is timely reporting of a data breach. Organizations have 72 hours to notify people after a breach or they face those penalties. GDPR helps mitigate the impact of breaches on consumers: where companies previously shared data by default, it stipulates privacy by default, with consumers approving whether, how much, and what type of data may be shared.
GDPR, under article 37, requires data protection training for personnel who have access to personal data. The GDPR requirements are, however, vague in prescribing exactly what that data protection training must include. It is recommended that training not focus on specific laws, or even on the GDPR regulations themselves, unless an employee's role specifically requires it, and instead train all employees to understand what constitutes personal data and how they should handle it.
This is where personally identifiable information (PII) comes into play. Since GDPR penalties have proven to be significant, it is critical for companies to secure personal data and limit its exposure, whether through a breach or through poor data management practices, either of which could leave a company vulnerable to significant fines.
When the aim is simply to complete training that satisfies compliance requirements, completing the training becomes the goal, when in reality what is needed is better user recognition of, and response to, threats.
Despite our best efforts and plenty of budget dedicated to prevent breaches (the average enterprise has over 75 different security products), 90% of breaches are due to human error. It is no longer sufficient for an enterprise to throw technology at the problem yet leave their employees unprepared for today’s threats with legacy training modules and methodologies that have proven to be ineffective in changing behavior.
What Does Good Look Like
Living Security is built on an entirely different premise: that people are your greatest asset. Our solution measures strengths and weaknesses for employees, identifies potential gaps, then delivers timely, engaging individual and team-based training that creates proven, lasting change. If your organization has ever struggled with a challenge such as "everyone has completed phishing training, but hundreds of employees still click on our phishing simulations over and over," you need a better solution.
A top five global telecommunications company ran an internal test and found that “end users who went through the LS Escape Rooms were 45% less likely to click on a phishing simulation vs. all others”.
The Escape Room is one example of team-based training that explores phishing, personally identifiable information, and other security concepts through team puzzle solving. Paired with an engaging storyline based on real-life scenarios, the experience delivers more impactful learning.
The goal of security awareness compliance shouldn’t just be to check the box that employees have completed training, it should be to prevent breaches and minimize risk and exposure due to human error.
What Makes Living Security Better
Companies must train their employees on policies, regulations, and security best practices, on what GDPR compliance means to the company, and on what employees must do to maintain and support that compliance. Company trust is a major factor: it is more than trust with customers; it is making sure that all employees know what responsibility they hold in supporting that initiative.
Living Security’s training is engaging, impactful, and delivers a 16x increase in retention that helps you create proven, lasting change - and turns employees into your strongest cybersecurity asset.
Living Security makes it easy to meet GDPR and PII compliance with training modules that include, but are not limited to:
- GDPR-specific content
- PII-specific content
- Passwords (maintaining strong passwords, use of a password manager)
- Phishing (and other forms, vishing, smishing)
- Physical security (device security, document access and disposal)
- How to report an incident
- Removable devices/USBs
- Mobile devices
- Social media usage and risks of oversharing
- … many, many more
Our modules range from quick-hit 1-3 minute training per topic to full CyberEscape room series that cover multiple topics all-in-one. Your compliance checklist can easily support several complex topics in under 15 minutes.
Meet Your Compliance Requirements
Learn more about how Living Security can help you meet your compliance requirements, and actually help your employees make better cybersecurity decisions.