
Using Awareness Training for GDPR Compliance

Gillian Loones

The introduction of the GDPR in the EU has had many far-reaching consequences for small and large organisations alike. Many organisations are still uncertain about how to exactly implement the GDPR in their daily operations. Additionally, failing to comply with the GDPR can have grave consequences, ranging from heavy fines to serious security breaches. That’s why it’s important that everyone in the organisation knows how to deal with data on a day-to-day basis. In this blog, we’ll talk about how awareness training might prove useful for GDPR compliance.

The GDPR still causes a lot of confusion

The GDPR was introduced by the EU in May 2018 to better inform consumers about how their personal data is used and to enforce better data handling and protection in organisations.

As a result, the GDPR introduced many rules regarding the handling of personal data and the prevention of security breaches. These rules are enforced under threat of large monetary sanctions for non-compliant organisations.

Even though the GDPR has now been in effect for over 2 years, many people are still confused about how it affects them and their organisation. For instance, it can still be unclear what constitutes personal data, what actual good data handling practices are, or what the consequences of not complying with the GDPR can be.

Enforcing the GDPR already takes considerable effort, even for IT experts whose job it is to keep up with it, so it is only natural that many members of the team are a bit lost on how to deal with the GDPR and personal data in their work.

Personal data includes a lot of things

Let us briefly illustrate how confusing personal data can be. Many people likely don’t quite know what personal data means, other than that it is information about a person. It quickly gets complicated when you start asking questions like: Is your shoe size categorised as personal data? And what about your hair colour?

Personal data covers a lot of things, and it can be unclear what exactly is or is not considered personal data. However, almost everyone in your company comes into contact with personal data every day, so it is important that they understand what it is.

We’ll briefly define personal data here. You can read much more about it in some of our other blog posts.

The GDPR defines personal data as:

“information that relates to an identified or identifiable individual”

In other words: If any piece of information is about a particular person or leads to a particular person, then it is considered personal data.

As you can see in the image, personal data includes a lot of things! Even shoe size and hair colour can be included. I’m sure you can think of many more examples that aren’t shown here.

It’s important to note that personal data doesn’t only include text. An audio recording, a photo, or a video with identifiable information is personal data as well.

Not all personal data is equal: regular vs. sensitive personal data

Unfortunately, the confusion does not end there. Personal data can further be divided into two categories, depending on how sensitive a piece of information is. It is important that your team can recognise sensitive personal data because stricter rules apply to handling it. This is due to the fact that a breach of such sensitive data could have more significant consequences for the people affected. It could, for example, lead to discrimination or threats of physical harm.

Regular personal data


These do not necessarily require permission to be handled, but you still need to be considerate and use common sense. 

Special categories of personal data


These are sensitive personal data, and any handling requires special attention – and often permission. 


A good way to remember how to properly handle personal data is to think of it as something you are borrowing from a friend, illustrated in the poster here. You can download this poster and others from here.

Now you know what personal data is. You also know that it is important to safely handle personal data. The key question of course is: does everyone else in the company also know that? And if they do, do they know how to go about it?

It is indeed very important that this knowledge rests not just in the IT department but that all staff in the organisation are aware of it and know how to act on it. However, as we mentioned earlier, it can be difficult for staff to keep up with data regulations on their own.

To illustrate the importance of this, let us look at what could happen when safe data handling practices are not well understood.

Most security breaches are due to human error, but they don’t have to be

A security breach generally means that some or all personal data that is handled in the organisation is, accidentally or maliciously, released outside the organisation.

When people think about security breaches, they often picture malicious, expert hackers attacking the organisation’s IT systems and stealing data.

However, security breaches often happen due to human error. This problem has two sides. One side is people making mistakes or handling data carelessly because they lack knowledge about the importance of safe data handling practices. For example:

On the other hand, because people are often unaware, most hacking attacks try to exploit humans instead of IT systems. Unaware staff are therefore more likely to fall prey to social engineering attacks, such as phishing emails, that may lead to a data breach.

Of course, technical cybersecurity remains a vital part of keeping your organisation safe. Various technical tools can be used to reduce the risk of security incidents, like:


However, while technical tools are certainly very sophisticated, they are not 100% effective at keeping out all threats. They are only half the battle and cannot improve:

These are things that only the staff themselves can fix and prevent. And luckily, all staff are easily capable of this, given the right tools and training.

Your strongest defence against security incidents is comprehensive awareness among all staff combined with clear processes for handling data. Simply put: all staff need to clearly understand the what and how of the GDPR and personal data.

Awareness training: turning your team into your strongest defence

Awareness training is one of the tools your organisation can use to greatly improve your team’s knowledge about cybersecurity and safe data handling. It’s also needed to be GDPR compliant:


As we described earlier in this blog post, personal data can be complicated. You cannot expect all staff to be experts in the GDPR. Therefore, an awareness training programme that regularly provides staff with clear, simple, and practical explanations and examples of how to safely handle personal data can be of great help in improving staff behaviour.

Furthermore, when people are aware of the dangers that cybercriminals pose, they are more likely to detect phishing attacks and less likely to make other errors, such as storing data incorrectly.

Besides awareness of cybersecurity and the importance of safe data handling, staff also need to be aware of the specific processes and responsibilities regarding information security in your organisation. Simply put, it is the task of the IT department and the management team to set up clear processes that staff can follow and to appoint people who can function as a central point of advice on everything relating to the GDPR and information security.

The organisation needs to establish:

The staff need to be aware of:

Awareness training helps you achieve GDPR compliance and other cybersecurity certifications

GDPR compliance is top of mind for most organisations, and there are several frameworks that organisations use to help them maintain and document GDPR compliance. For example, some are industry-specific, and others are country-specific. Not all cybersecurity frameworks ensure GDPR compliance, but some of the frameworks’ requirements overlap with the GDPR and many frameworks require awareness training.

Below, you can see a few of the additional cybersecurity frameworks that organisations are using in their GDPR work and how awareness training fits into each of them.

Framework: ISO 27701
Description: An extension of ISO 27001, which is an international standard for information security practices. ISO 27701 has additional requirements regarding personal data that ensure GDPR compliance.
Awareness training requirement: Clause 7.2.2 requires that all company workers and necessary contractors receive awareness education and training.

Description: A specific version of the ISAE 3000 that includes GDPR requirements for compliance. Depending on the amount of personal data your organisation processes, you would comply with either ISAE 3000 High (for high levels of personal data) or ISAE 3000 Low (for low levels of personal data).
Awareness training requirement: Requires the relevant training of personnel.

Framework: CIS (Center for Internet Security Critical Security Controls)
Description: Best practice guidelines for computer security with a list of actions organisations should take to prevent attacks.
Awareness training requirement: Control 14 requires a security awareness program to be created and maintained.

Framework: ISO 27001 and 27002
Description: International standard with best practice guidelines for information security management systems.
Awareness training requirement: Clause 7.2.2 requires that all company workers and necessary contractors receive awareness education and training.

Description: U.S.-based framework with information security guidelines that organisations doing business with the U.S. federal government must comply with.
Awareness training requirement: To comply, an organisation’s managers, systems administrators, and systems users must be aware of security risks. Awareness training should cover how to recognise and report threats.

Description: Soon to replace NIST in the U.S. Used for entities doing business with the U.S. government.
Awareness training requirement: There are several levels of compliance. Level 2 and above, which indicates at minimum intermediate cyber hygiene, require awareness training.

Framework: ISRS 4400
Description: Similar to ISAE 3000, but ISRS 4400 is based only on the criteria that the auditor is asked to verify.
Awareness training requirement: Requires the relevant training of personnel.

Awareness training can be implemented in a variety of ways

Getting started with awareness training is easier than you might think. It all comes down to giving people knowledge about personal data and cybersecurity in a way that they can easily understand and remember it.

That’s why it’s a good idea to transfer this knowledge in multiple ways and through multiple channels, to really make awareness about cybersecurity present in everyone’s mind.

You could, for example, combine various forms of e-learning and classroom learning. E-learning provides continuity and encourages staff to learn at their own pace, while classroom learning lets them exchange ideas and put knowledge into practice. You can read more about how to optimally combine these two forms of learning here.

However, there are many more possibilities for organising a good awareness training programme. You can get pretty creative if you want to, for example with the use of gamification elements. Below we list some examples of different awareness training formats:

E-learning: Short online learning modules consisting of videos, text, quizzes, and more. 

Classroom learning: Longer sessions given by an instructor. This format encourages discussion and makes it possible to invite an expert.

Simulations: Phishing and other cybersecurity simulations give people the opportunity to practice their knowledge in realistic security incident situations. 

Workshops: For example, a workshop where staff can place themselves in the shoes of a cybercriminal and learn to understand how a cybercriminal thinks. 

Freely available online material: There are many learning sources and other materials available online for free. This ranges from YouTube videos to government campaigns to posters and diagrams you can hang up around the office. 

See, for example, this free material from ENISA, the European Union Agency for Cybersecurity, or this free video series from NCSA, the United States National Cyber Security Alliance.

Group activities & games: These can take a variety of formats, for example an escape room or a Cluedo-like scenario where the team must figure out how and by whom the company was infiltrated.

Just know that there are many more possibilities for organising awareness training. You can choose the formats that best fit your organisation and needs, as long as you ensure that it adds value to your team. A good awareness training programme is one that staff do not see as a burden, but one they may even look forward to.

Successfully applying awareness training techniques results in staff who are intuitively aware of what they need to do in their own daily workflow to comply with the GDPR, while also improving the general cybersecurity of the organisation. In the end, staff who are aware might just turn out to be your strongest line of cyber defence! You can read more about measuring the effect of your awareness training here.
