Make the P in GDPR all about People

Statistics about how prepared organisations are for the GDPR seem to be rarely, if ever, positive. For example, recent research from Veritas has found that around half of businesses globally don’t feel they’ll be able to meet the GDPR’s requirements; a third fear that they lack the right technology to comply; and nearly two out of ten are worried that non-compliance could ultimately even put their organisation out of business. These are troubling statistics indeed when considering that the fine for non-compliance is €20,000 or 4% of a company’s annual turnover – whichever is greater. And, it’s not just Europeans that should be worried. Most global businesses will be affected if they have bases in Europe, customers in Europe or plan to deal with Europe in the future. Simply put, with accountability being a huge emphasis within GDPR, everyone within an organisation must take this new regulation seriously.

Many companies are stumped as to how to prepare, and one aspect that they need to remember, which may not seem obvious at first, is raising end-user awareness. Yes, this is a personal data privacy regulation – but security is what drives compliance, and everyone who handles the personal data of those residing in the EU must do so in a secure manner. Companies will be more able to avoid regulatory fines and preventable breaches if they can improve employee understanding of these sweeping new privacy laws, and data protection generally. It’s not sufficient to simply tell employees what to do and what not to do. Comprehensive and consistent training can empower them with the knowledge and skills they need to make better and more informed decisions about data protection – thereby turning users from an organisation’s weakest link into their strongest asset.

Who’s Ready for GDPR?

The standards built into GDPR are informed by concerns for the protection of personal data privacy, but they are not aligned with the way organisations work today. Privacy has been a big focus for the European Union since the original data privacy provisions were discussed as early as 1995. GDPR builds on that tradition and, ultimately, structures it by codifying standards, establishing compliance mechanisms, and articulating a compelling penalty regime. What the GDPR lacks is an acknowledgement or understanding of how organisations work, especially within a global framework. In a vacuum, GDPR is smart policy for personal data protection. In the real mix of daily national and international business data sharing, it raises the bar for compliance in what will be considered a very impractical way.

My sense is that large European enterprises do understand the ramifications of GDPR. On the other hand, I believe that smaller organisations likely haven’t given GDPR much of a thought as yet. Overall, many organisations are struggling with the impact that the regulation has on the way they work, share data, and think about compliance.

Make users the last line of defence

It’s the exceptions that will make the rule when GDPR compliance is assessed “in real life”. Any breach, any identified anomaly, or any report of mismanaged Personally Identifiable Information (PII) will be penalised. There is no doubt about that. Thus, organisations need to focus on the activities they can change and improve on by the time GDPR comes into play. A key element of any GDPR preparation strategy is a programme that raises awareness within the organisation: about the necessity for GDPR compliance, organisational expectations on the management of PII, and internal standards that align with the new regulation. It’s also incredibly important to actually teach users the requirements for proper data handling and sharing, safe email use, safe USB drive use, safe web use, and anything else that will help protect data within the organisation against compromise. Awareness programmes are cost effective, relatively easy to adopt and deploy, and – most importantly – they can tightly steer organisations, via their end users, to compliance with GDPR. These programs can be an indispensable component of an organisation’s proactive compliance strategy.

Everyone is saying it, but organisations in Europe – and the UK – need to be applying as much focus and attention on GDPR compliance as they can. They must do this by moving towards policy and behaviours that fit in with the GDPR, and awareness training for end users can be a great first step on the road to compliance.


By Alan Levine, Security Advisor to Wombat Security

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.