GDPR has required you to test whether your security measures work since 2018. Can you show it?
Article 32 asks for a process that regularly tests, assesses, and evaluates the effectiveness of your security measures. Most organisations can produce it for their technology — and go quiet on their people.
The clause everyone implements halfway
GDPR Article 32 requires a process for regularly testing, assessing, and evaluating the effectiveness of your technical and organisational measures. Vulnerability scans and penetration tests cover the technical side. The organisational side — whether your people actually handle personal data securely — is where the evidence usually runs out. A training log isn't an effectiveness test.
Turn "we told them to" into "here's the proof"
Praxis Navigator measures how your people handle data-security behaviours in practice, from your own Microsoft 365 signal, and tracks whether it's improving. That's the regularly-tested, evaluated effectiveness Article 32 asks for — applied to the organisational measures most teams can only describe on paper.
Evidence, on a cadence
Article 32 says regularly, not once. Rolling baselines give you a continuous record of effectiveness rather than an annual snapshot — so the evidence is ready whenever it's asked for.
The plan
Connect — Connect Microsoft 365 in 15 minutes.
See — See how your people handle security in practice, with history from day one.
Prove — Evidence that your organisational measures are effective, and staying that way.
Peer-reviewed field research
29–55%
of the variation in phishing susceptibility is attributable to organizational-level factors, not individual ones.
Measured across 83,269 employees in 510 organizations, using their real responses to phishing campaigns.
Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.
Industry forecast
Gartner expects that by 2030, the major cybersecurity control frameworks will judge human risk by measurable behaviour change rather than training completion.
Gartner, cybersecurity trend guidance.
GDPR Article 32 requires a process for regularly testing, assessing and evaluating the effectiveness of your security measures. Applies to any organization processing personal data.