General Data Protection Regulation (GDPR)

ATTACK Simulator's Professional Services

To ease things for you, we dedicate this page to address the most common questions about GDPR. We hope to give you a clear insight into how GDPR affects your business in a concise and timely manner.


What about GDPR?

ATTACK Simulator complies with GDPR and is committed to transparent data processing. We recognise the importance of data security and work to ensure that every employee who handles personal data does so in line with GDPR's requirements.

How does GDPR concern me?

If your organisation collects or processes the personal data of people in the EU, GDPR applies to you regardless of where your organisation is located. It governs how that data may be lawfully collected, processed, secured and erased, obliges you to report data breaches, and attaches substantial fines to non-compliance.

What is GDPR?

Effective since May 25, 2018, GDPR is a strict privacy law enacted by the European Union (EU) that replaced the outdated Data Protection Directive of 1995. Although it is EU legislation, GDPR applies to every organisation that processes the personal data of EU data subjects, regardless of where the organisation is located, so it affects businesses worldwide. In short, GDPR requires that the personal data of EU data subjects be processed lawfully, fairly and transparently.

Why is GDPR needed?

GDPR was prompted by the rapid growth in the number of devices and services that collect personal data. It strengthens individuals' privacy rights by requiring that companies processing their data have a clear, stated purpose for doing so and communicate that purpose to the people concerned.

GDPR Violation Consequences

Violations can lead to fines of up to 20 million euros or 4% of the organisation's worldwide annual turnover, whichever is higher. Note that data subjects may also seek compensation for damage they have suffered.

What is “personal data”?

Personal data is any information relating to an identified or identifiable natural person, whether the identification is direct or indirect. This includes name, email address, ethnicity, gender, age, location data, biometric data, web cookies, IP address, etc. Note that some of these (for example ethnicity and biometric data used to identify a person) are special categories of personal data, which GDPR subjects to stricter conditions.

What is “data processing”?

Data processing encompasses any operation performed on personal data, whether automated or manual. It includes collecting, recording, organising, structuring, storing, altering, retrieving, using, disclosing, or erasing the data.

Conditions for data collection

GDPR requires that personal data be collected only for specified, explicit and legitimate purposes, and that the data collected be adequate, relevant and limited to what is necessary for those purposes. Organisations must communicate the purpose to data subjects in clear and plain language.

What happens with the data?

Data that you collect from your users is handled by entities in one of the following GDPR roles:

Controller

the entity that determines the purposes and means of processing personal data.

Processor

the entity that processes data on behalf of the controller.

Recipient

the entity to which personal data are disclosed (could be a third party, but not necessarily).

Right to erasure

Organisations should know that data subjects can request to have their personal data erased without undue delay under certain circumstances, for example when the data are no longer necessary for the purpose they were collected for, or when the data subject withdraws the consent on which the processing was based.

Data Security and Data Breach Notification

Organisations are required to implement appropriate technical and organisational measures to secure personal data. If a data breach nevertheless occurs, the controller must notify the supervisory authority, the body responsible for monitoring the application of the regulation, without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Where the breach is likely to result in a high risk to the individuals concerned, the controller must also inform the affected data subjects without undue delay.

Recommended measures for reducing the risk of a data breach

– training staff on your data protection policy;
– restricting access to personal data to the employees who need it for their role;
– encrypting data held in cloud services end to end and enabling two-factor authentication on user accounts.

How do I get GDPR certified?

There is no mandatory GDPR certification; the certification schemes GDPR provides for are voluntary. What the regulation does require is that you be able to demonstrate compliance to supervisory authorities and auditors. Demonstrable compliance shows that you are committed to data protection and gives you a competitive advantage.

Becoming compliant with GDPR involves several steps, including:

– making an inventory of the personal data you hold and of the systems and devices on your network that process it;
– identifying your third-party processors;
– appointing a data protection officer where GDPR requires one;
– knowing when and where in your clients' journey their data is accessed;
– identifying the supervisory authority in your country to which you must report a data breach;
– training your employees.

The last step is where ATTACK Simulator comes into play, helping you become GDPR compliant through security awareness training for your employees.

There’s no reason to postpone training your employees

Get a quote now based on your organization’s needs and start building a strong cyber security infrastructure.