
Insight: POINTER: a GDPR-compliant framework for human pentesting (for SMEs)


About the Authors and This Research

This paper was co-authored by Jackie Archibald and K. Renaud, both affiliated with UK academic institutions. K. Renaud is a highly cited researcher in human-centered security and privacy, with an h-index of 34 and over 5,253 cumulative citations, making her one of the most influential voices on human factors in cybersecurity. Jackie Archibald brings a practitioner-oriented perspective, focusing on the gap between security frameworks designed for large enterprises and the operational realities faced by SMEs.

Published in 2018 at the precise moment GDPR came into force, this paper identified a paradox that remains largely unresolved in Taiwanese corporate practice: organizations invest in employee phishing simulations to strengthen security culture, yet the testing methodology itself—particularly spear phishing—may involve the collection and use of employee personal data in ways that trigger GDPR obligations. The authors subjected the PoinTER framework to expert review, signaling its readiness for real-world deployment.

Core Findings: The Three-Layer Compliance Problem in Human Pentesting

The research identifies three interconnected problems that the PoinTER framework is designed to solve, each with direct implications for ISO 27701 implementation and Taiwan Personal Data Protection Act compliance.

Finding 1: Existing Frameworks Are Not SME-Ready

A systematic review of existing human pentesting frameworks revealed that the dominant methodologies assume enterprise-level resources: dedicated security operations teams, in-house legal counsel, and substantial testing budgets. For SMEs—defined in the EU context as organizations with fewer than 250 employees—these frameworks present an implementation barrier rather than a practical guide. Taiwan's Personal Data Protection Act does not differentiate obligations by company size, meaning SMEs face the same legal exposure as large corporations but with significantly fewer resources to manage compliance.

Finding 2: Spear Phishing Tests Process Personal Data and Trigger GDPR Obligations

The paper makes a legally significant argument: spear phishing tests, by design, require the collection, analysis, and application of employee personal information—names, roles, behavioral patterns, communication habits—to craft convincing fake communications. Under GDPR Article 4(2), this constitutes "processing" of personal data. This means organizations must establish a lawful basis for processing (Article 6), fulfill transparency obligations toward employees (Articles 13–14), and apply data minimization principles (Article 5(1)(c)). Failing to do so before launching a test creates a situation where the security activity itself becomes a compliance violation—precisely the kind of risk that a Data Protection Impact Assessment is designed to identify and mitigate before processing begins.

Finding 3: The PoinTER Framework Provides a Structured, GDPR-Aligned Testing Protocol

The PoinTER (Prepare-Test-Remediate) framework addresses the above gaps through a three-phase structure. The Prepare phase requires organizations to: establish the lawful basis for the test, communicate a testing policy to employees (without disclosing specific timing), complete a privacy risk assessment, and define the boundaries of permissible data collection. The Test phase governs the actual simulation, constraining data use to the stated purpose and minimum necessary scope. The Remediate phase mandates immediate feedback to employees, targeted education for those who failed the test, and secure disposal of all personal data collected during the exercise. This three-phase logic maps directly onto ISO 27701's accountability and data lifecycle management requirements.

Implications for Taiwan's Privacy Information Management Practice

For Taiwanese businesses, the PoinTER research surfaces three compliance gaps that are currently underaddressed in most organizational privacy programs.

First, employee security testing is rarely classified as a "personal data processing activity" in Taiwan. Most organizations treat phishing simulations as a pure IT security function, outside the scope of their Privacy Information Management System (PIMS). This means the activity lacks a processing record, a legal basis designation, and a data retention policy—all of which are required under both ISO 27701 and Taiwan's Personal Data Protection Act Article 19.

Second, DPIA triggering conditions need to be reassessed. Under GDPR Article 35 and the corresponding guidance from the European Data Protection Board (EDPB), activities involving systematic monitoring of employees typically qualify as high-risk processing and require a mandatory Data Protection Impact Assessment. Taiwanese businesses with European employees, customers, or data flows are subject to this requirement. The ISO/IEC 29134 Privacy Impact Assessment Guidelines provide the international standard methodology for conducting such assessments and can be integrated with the PoinTER framework's Prepare phase.

Third, outsourced testing creates an unmanaged data processor relationship. Many Taiwanese SMEs engage third-party vendors to conduct phishing simulations. Without a formal data processing agreement specifying the vendor's obligations—data scope, purpose limitation, deletion timeline—this arrangement creates a compliance gap under both GDPR Article 28 and Taiwan's Personal Data Protection Act Article 8. The ePrivacy Regulation, once finalized, may further tighten rules around electronic communications monitoring, adding another layer of scrutiny to simulated phishing emails.

How Winners Consulting Services Co. Ltd. Supports Taiwanese Enterprises

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) assists Taiwanese enterprises in implementing ISO 27701, establishing personal data protection mechanisms compliant with GDPR and Taiwan's Personal Data Protection Act, and conducting DPIA assessments. For the specific challenge identified in this research, we recommend the following action sequence:

  1. Months 1–2: Audit and Classify Existing Testing Activities — Inventory all employee security awareness testing programs, including outsourced engagements. Classify each activity by its personal data processing implications and assess compliance status against Taiwan's Personal Data Protection Act Article 19 and ISO 27701 processing record requirements.
  2. Months 3–6: Implement PoinTER-Aligned SOPs and Complete DPIA — Design standard operating procedures for each phase of the PoinTER framework, establish employee testing policies, complete a formal privacy risk assessment, and—for GDPR-scoped operations—finalize DPIA documentation. Update vendor contracts to include data processing clauses.
  3. Months 7–12: Integrate into PIMS and Pursue ISO 27701 Certification — Embed the testing compliance controls into the broader ISO 27701 management cycle, conduct internal audits, and initiate third-party certification to provide external validation of the organization's privacy governance maturity.

Winners Consulting Services Co. Ltd. offers a complimentary PIMS diagnostic assessment to help Taiwanese enterprises identify compliance gaps and build ISO 27701-aligned privacy management systems within 7 to 12 months.


Frequently Asked Questions

Does our phishing simulation program need a DPIA before we run it?
If the simulation involves collecting or using employee personal data to craft targeted content, it likely qualifies as high-risk processing under GDPR Article 35, requiring a Data Protection Impact Assessment before the activity begins. The PoinTER framework explicitly builds DPIA completion into its Prepare phase. Even for Taiwan-domestic operations, conducting a privacy risk assessment aligned with ISO/IEC 29134 is considered best practice under ISO 27701 and demonstrates accountability under Taiwan's Personal Data Protection Act.
How does ISO 27701 govern employee security testing activities specifically?
ISO 27701 requires organizations to maintain records of all personal data processing activities (Control 7.2.1), establish lawful processing bases (Control 7.2.3), and implement data minimization (Control 7.4.2). Employee security tests that involve personal data must appear in the Records of Processing Activities, with documented legal basis, data scope, retention period, and deletion procedures. Auditors increasingly scrutinize this area during ISO 27701 certification assessments. Organizations should complete documentation gaps at least 3 months before a planned certification audit.
What should a vendor contract for outsourced phishing testing include?
Under GDPR Article 28 and Taiwan's Personal Data Protection Act Article 8, contracts with testing vendors must specify: the categories of employee data the vendor may access, the exclusive purpose for which data may be used (security awareness testing only), data retention limits and secure deletion obligations, prohibitions on secondary use or onward transfer, and the right to audit the vendor's compliance. ISO 27701 Annex B provides a checklist of data processor controls that can serve as a vendor evaluation standard.
What is a realistic implementation timeline and budget for a Taiwanese SME?
Based on Winners Consulting's advisory experience, SMEs with 50–200 employees typically complete PoinTER framework integration and ISO 27701 certification preparation within 6–9 months. The first 3 months concentrate on gap assessment, documentation design, and policy communication—requiring approximately 8–10 hours per week from an internal coordinator. External advisory costs vary by scope, but the investment is generally offset within 12–18 months through reduced regulatory risk exposure and improved B2B client trust, particularly in European markets where ISO 27701 certification is increasingly a procurement requirement.
Why engage Winners Consulting Services Co. Ltd. for PIMS implementation?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) brings cross-jurisdictional expertise spanning ISO 27701, GDPR, and Taiwan's Personal Data Protection Act—a combination essential for organizations operating across borders or managing international data flows. Our approach emphasizes building privacy management mechanisms that function operationally, not merely satisfy documentation requirements for certification. For SMEs, we design right-sized implementation plans that avoid over-engineering while ensuring genuine compliance. Our complimentary diagnostic assessment provides an immediate gap analysis and a prioritized roadmap, helping organizations make informed decisions about where to invest compliance resources for maximum impact.
---

Japanese Version

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) points out that penetration testing directed at employees (human pentesting) carries the risk of causing compliance violations under GDPR and Taiwan's Personal Data Protection Act. The PoinTER (Prepare-Test-Remediate) framework proposed in 2018 by Archibald and Renaud (K. Renaud, h-index: 34, more than 5,253 cumulative citations) provides a structured approach for small and medium-sized enterprises (SMEs) to conduct employee security awareness tests in a GDPR-compliant manner, and it aligns closely with the management requirements of ISO 27701.

Paper source: POINTER: a GDPR-compliant framework for human pentesting (for SMEs) (Archibald, Jacqueline; Renaud, K., arXiv, 2018)
Original link: https://core.ac.uk/download/228178451.pdf

Source Paper

POINTER: a GDPR-compliant framework for human pentesting (for SMEs) (Archibald, Jacqueline; Renaud, K., arXiv, 2018)
