GDPR has required you to test whether your security measures work since 2018. Can you show it?

Article 32 asks for a process that regularly tests, assesses, and evaluates the effectiveness of your security measures. Most organisations can produce it for their technology — and go quiet on their people.

The clause everyone implements halfway

GDPR Article 32 requires a process for regularly testing, assessing, and evaluating the effectiveness of your technical and organisational measures. Vulnerability scans and penetration tests cover the technical side. The organisational side — whether your people actually handle personal data securely — is where the evidence usually runs out. A training log isn't an effectiveness test.

Turn "we told them to" into "here's the proof"

Praxis Navigator measures how your people handle data-security behaviours in practice, from your own Microsoft 365 signal, and tracks whether it's improving. That's the regularly-tested, evaluated effectiveness Article 32 asks for — applied to the organisational measures most teams can only describe on paper.

Evidence, on a cadence

Article 32 says regularly, not once. Rolling baselines give you a continuous record of effectiveness rather than an annual snapshot — so the evidence is ready whenever it's asked for.

The plan

1

Connect — Connect Microsoft 365 in 15 minutes.

2

See — See how your people handle security in practice, with history from day one.

3

Prove — Evidence that your organisational measures are effective, and staying that way.

Peer-reviewed field research

29–55%

of the variation in phishing susceptibility is attributable to organizational-level factors, not individual ones.

Measured across 83,269 employees in 510 organizations, using their real responses to phishing campaigns.

Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.

Industry forecast

Gartner expects that by 2030, the major cybersecurity control frameworks will judge human risk by measurable behaviour change rather than training completion.

Gartner, cybersecurity trend guidance.

GDPR Article 32 requires a process for regularly testing, assessing and evaluating the effectiveness of your security measures. Applies to any organization processing personal data.

Questions security leaders ask

What does GDPR Article 32 mean by testing the effectiveness of security measures?
Article 32 requires a process for regularly testing, assessing, and evaluating whether your technical and organisational measures actually work. For technical controls that means scans and penetration tests. For the organisational, human side it means measuring whether people handle data securely in practice — and showing it improving.
How do you prove security training effectiveness for compliance?
You measure the behaviour the training is meant to change, establish a baseline, and track it over time. Before-and-after behavioural evidence — more people using MFA, fewer risky actions, faster improvement after you intervene — is what demonstrates effectiveness. Praxis Navigator produces it from your own Microsoft 365 data.
What's the difference between activity metrics and behavioural evidence?
Activity metrics count what happened — courses completed, links clicked, emails sent. Behavioural evidence shows what changed — whether people actually handle security more safely than before. Regulations increasingly ask for the second. Only the second proves a measure is effective.