Security | Updated: 6 April 2026 | 5 min read

The Human Factor: Why Most Data Breaches Start with Your Employees

80 to 90 percent of all data breaches have a human cause. This article discusses the most common scenarios, from phishing to misdirected emails, and gives practical tips to make your team more resilient.

Key Takeaways
  • 80 to 90 percent of all data breaches have a human cause, not a technical one
  • The most common scenarios are phishing, wrong email recipients, lost devices, and weak passwords
  • Awareness training and clear procedures are more effective than technical measures alone
  • A no-blame culture ensures incidents are reported faster

The problem isn’t in the technology

You can have the best firewall, the strongest encryption, and the most expensive security software. But if an employee clicks a phishing link, sends an email to the wrong person, or leaves their laptop on the train, none of that helps.

The numbers don’t lie: 80 to 90 percent of all data breaches start with human action. Not brilliant hackers, but ordinary mistakes by ordinary people on a busy workday.

The GDPR expects you to address this. Article 32 requires not only technical measures but also organisational ones. And training your employees is an essential part of that.

The five most common scenarios

1. Phishing

An employee receives an email that looks like it’s from a colleague, customer, or supplier. The email contains a link to a fake login page or an attachment with malware. One click and the attacker has access to login credentials or your network.

Phishing is becoming increasingly sophisticated. With AI tools, attackers can create convincing, personalised messages in perfect language. The days of bad grammar and Nigerian princes are over.

2. Wrong recipient

One of the most common breaches for SMEs: an email with personal data sent to the wrong person. Your email program’s autocomplete fills in the wrong address, or you send a CC instead of BCC to a group of customers.

Simple, everyday, and yet a full data breach.

3. Lost or stolen devices

A laptop left on the train. A phone falling from a jacket pocket on a terrace. A USB stick that goes missing at a client’s office. If the device contains unencrypted personal data, you have a data breach.

4. Weak passwords and password reuse

“Welcome123” on the CRM. The same password for business email and a personal Netflix account. No two-factor authentication enabled. These are human choices that open the door for attackers.

5. Social engineering

A phone call from “the IT department” asking for login credentials. A message from “the director” asking to make a quick payment. Social engineering plays on trust, authority, and time pressure. Untrained employees are more likely to fall for it.

What can you do?

Awareness training

Train your employees regularly, but keep it practical and short. Nobody wants a two-hour PowerPoint about information security policy.

Effective approaches:

  • Short monthly tips via email or an internal channel
  • Concrete examples from your own industry, not abstract threat scenarios
  • Interactive sessions where employees learn to recognise phishing emails
  • Onboarding module for new employees

Simulated phishing

Periodically send fake phishing emails to your employees. Not to catch them out, but to train them. Those who click get an immediate, brief explanation of what the warning signs were. This is one of the most effective ways to increase awareness.

Clear procedures

Ensure employees know what to do when something goes wrong:

  • Who do you report a suspicious email to?
  • What do you do if you clicked a wrong link?
  • How do you report a lost device?
  • What if you accidentally sent an email to the wrong person?

Make these procedures simple and accessible. A one-page quick guide that everyone knows is more effective than a 50-page security handbook nobody reads.

No-blame culture

This is perhaps the most important point. If employees fear punishment, they don’t report incidents or report them too late. And with data breaches, every minute counts.

Create a culture where mistakes can be reported without consequences. An employee who reports within five minutes that they clicked a phishing link gives you the chance to act quickly. An employee who hides it for three days out of fear makes the damage many times greater.

The cost of doing nothing

A breach notification to the authority. A fine. Loss of customer trust. Costs for recovery and investigation. A single moment of inattention can cost thousands of euros.

Awareness training costs a fraction of that. Invest in your people, because they are both your biggest risk and your best defence.

Get your team on board with GDPR?

GDPRWise makes GDPR compliance concrete and understandable for your entire team. From awareness to documentation, step by step.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.