Training for Employees
- Get started in just 5 minutes.
- Stay compliant with GDPR, NIS2, AI Act and ISO27001.
- With 50 employees or fewer, it's a perfect fit.
- As required by:
  - GDPR
  - ISO27001
  - NIS2
GDPR Awareness Trainings
Quick Facts on the GDPR
GDPR is the most extensive business regulation to come out of the EU in many years.
Businesses must learn how to handle the GDPR efficiently and competently to secure compliance without compromising day-to-day business activities.
Personal data is any information relating to an identified or identifiable natural person, that is, any data that can be used to identify a person.
Examples:
- An email address can be used to identify a person.
- A telephone number can be used to identify a person.
- An address can be used to identify a person.
- An IP address can be used to identify a person.
- The national ID number can be used to identify a person.
- The passport number can be used to identify a person.
- A credit card number can be used to identify a person.
Data that adds to what we know about an identifiable person is also personal data, for example:
- Hobbies
- Interests
- Consumption
- Behavioral patterns
- Accent
- Physical characteristics
Most data processed by companies could be considered personal data.
The GDPR applies to all companies, organisations, and institutions in the EU.
The GDPR also applies to any company, organisation or institution which offers goods or services to any person in the EU. This applies whether payment is involved or not.
Example
Any webshop or service selling to the EU market, whether the business is based in the US or Australia, will need to comply with the GDPR.
The GDPR applies to the processing of personal data by controllers not established in the EU if they process personal data of data subjects based in the EU.
The GDPR requires every data controller to follow the principles stated in article 5 of the GDPR.
Lawfulness, fairness, and transparency
You shall process personal data lawfully, fairly and so that the processing is transparent to the data subject.
Purpose limitation
You shall only collect personal data for specified, explicit, and legitimate purposes. You may not further process that personal data in a manner incompatible with those purposes.
Data minimisation
You shall only process personal data that are adequate, relevant and limited to what is necessary in relation to the original purposes of the processing.
Accuracy
Personal data shall be accurate and, where necessary, kept up to date. You shall take reasonable steps to ensure that inaccurate data are erased or rectified.
Storage limitation
Personal data shall be kept no longer than is necessary for the purposes for which they are processed. Therefore, personal data should be deleted or anonymised when no longer needed for the original purpose.
Integrity and confidentiality
Personal data shall be processed in a manner that protects them against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
As a data controller, you shall be responsible for complying with these principles and be able to document this compliance.
A data controller is a business that determines the purposes and means of processing personal data.
This is an essential concept to understand as it determines your obligations concerning the GDPR.
A data processor is a business that processes personal data on behalf of the data controller.
Whether you act as a controller or a processor determines your obligations under the GDPR, so this distinction is essential to understand.
A processor always needs to enter into a data processing agreement with the controller, according to article 28 in the GDPR.
When you collect personal data from the data subject (the person), you must provide the person with information about why and how you will process this data. These requirements are written in articles 13 and 14 of the GDPR.
In practice, you could provide this information in a privacy policy that should be accessible to the person when collecting personal data.
Wow. That is a big question that is not quickly answered.
A primary requirement in the GDPR is to maintain a record of processing activities under your responsibility (article 30).
You will also need to provide this information to your data subjects in a privacy policy (articles 13 and 14).
You will need to process data according to the principles of this regulation (article 5).
You will need to enter data processing agreements with all data processors you have contracted to process data on your behalf (article 28).
You will need to do risk assessments of your processing activities and, based on these, implement appropriate organisational and technical measures to ensure that personal data is treated securely.
These requirements are just some of the many requirements of the GDPR.
Security Awareness Trainings
Quick Facts on the NIS2
NIS2 is an EU directive that requires organisations classified as critical infrastructure to meet specific cybersecurity requirements.
NIS2 is the second version of the EU’s Network and Information Security directive. It’s a law that sets rules for how organisations in key sectors must protect their digital systems and data. It aims to improve cybersecurity across the EU by making sure ‘essential’ and ‘important’ services – like energy, transport, healthcare, banking, and digital services – take clear steps to prevent cyber incidents, detect them quickly, and recover from them effectively.
NIS2 applies to medium and large companies in ‘essential’ and ‘important’ sectors, in short, what is generally characterised as critical infrastructure.
It also applies to some smaller organisations if they provide critical services or are part of the supply chain for the previously mentioned sectors. If your organisation is in energy, healthcare, digital infrastructure, water, banking, or many more similar sectors, you’re likely in scope.
The minimum requirements of the NIS2 are the following:
- Policies on risk analysis and information system security.
- Incident handling procedures.
- Business continuity planning, including:
  - Backup management
  - Disaster recovery
  - Crisis management
- Supply chain security, covering relationships with direct suppliers and service providers.
- Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of cybersecurity risk management.
- Basic cyber hygiene practices and regular cybersecurity training.
- Policies and procedures for the use of cryptography and encryption.
- Human resources security, access control policies, and asset management.
- Use of secure authentication and communication tools, whenever it is appropriate, such as:
  - Multi-factor or continuous authentication.
  - Secured voice, video, and text communication.
  - Secured emergency communication systems.
Risk Management Measures
All organisations must take a structured approach to cybersecurity risk. This includes identifying possible threats, protecting systems, detecting problems early, and being ready to respond and recover. These measures must include the minimum requirements listed above and cover both technical and organisational security measures.
Leadership Accountability
Top management is held directly responsible for cybersecurity and can be held accountable by the authorities for serious failures. They must approve security strategies, make sure the right measures are in place, and stay informed through regular training.
Incident Reporting
Organisations must report significant security incidents to the national cybersecurity authority (CSIRT).
NIS2 requires that all relevant staff, including leadership, receive regular and basic cybersecurity training (also called “cyber hygiene”).
For leadership, training is mandatory. Members of the management body must complete relevant courses on managing cybersecurity risks and are expected to promote training across the organisation.
There are no strict format or content rules, but training must match the leadership’s role in assessing risks and overseeing cybersecurity measures. The management team, as a whole, must have the skills to handle cybersecurity responsibilities under NIS2.
Relevant training can include general cybersecurity courses, management workshops, certifications in recognised standards, or internal training made for leadership.
All training activities must be documented, for example with a certificate or written proof of participation.
NIS2 requires that staff receive cybersecurity training that fits their role and responsibilities. All organisations must have a clear policy to ensure employees gain the right knowledge and skills to protect systems and handle digital threats.
Leadership plays a central role in this. They must actively encourage that staff are offered training similar to what management receives. This reinforces that building staff awareness and secure habits is a leadership responsibility.
Training should be practical and easy to apply, and it should cover topics like spotting phishing, handling data securely, using passwords correctly, and knowing what to do in case of an incident. It can be delivered through e-learning, workshops, or internal sessions.
The focus should be on creating a culture where learning and awareness are ongoing. All training activities should be planned, recorded, and followed up on to ensure they are effective.
Even with strong technology, human error is still one of the biggest risks. Training helps staff spot threats early and act responsibly. For leadership, it’s about accountability: training shows regulators that the company is serious about security and is taking real steps to reduce risks.
- Identify whether the organisation is in scope.
- Appoint a person or team responsible for cybersecurity.
- Review current policies and procedures.
- Fill in any security gaps.
- Set up or improve incident reporting and response plans.
- Start regular cybersecurity training.
- Document everything to show compliance.
- Check with your national cybersecurity authority for local guidance.
NIS2 and GDPR are different EU laws, but they overlap, which means your work on one can support the other. Both require strong security for personal data and systems, and both demand a risk-based approach.
For example, the personal data flows and processing assets you mapped for GDPR compliance can be reused to map the digital assets and processes for NIS2.
Similarly, your risk assessments for personal data protection also feed into cybersecurity risk assessments for delivery of critical services, and your incident response plan under GDPR can form the basis for the NIS2 requirement to detect, report, and respond to security incidents.
GDPR compliance is almost impossible without staff being trained on data protection and information security, so that training already covers security basics like access control and phishing awareness. It can be expanded to meet NIS2 requirements with little extra effort. Policies around access controls, encryption, and secure communication channels also support both laws.
Your GDPR and NIS2 compliance efforts should definitely be aligned to avoid duplication and reduce cost.