
Insight: POINTER: a GDPR-compliant framework for human pentesting (for SMEs)


About the Authors and This Research

This paper was co-authored by Jackie Archibald and Professor K. Renaud, both affiliated with UK academic institutions. Professor Renaud is a prominent researcher in privacy, human-computer interaction, and security usability, with an h-index of 34 and over 5,253 cumulative citations—a level of academic influence that places her work among the most-referenced voices in European privacy policy and secure system design. The paper was published on arXiv in 2018, coinciding precisely with the enforcement date of the EU General Data Protection Regulation (GDPR) on May 25, 2018, giving it immediate policy relevance.

The research addresses a fundamental contradiction in organizational security practice: while human penetration testing (pentesting) is widely adopted to assess employee resilience against social engineering attacks, the most effective form of such testing—spear phishing—requires the collection and use of personally identifiable information (PII) about specific employees. Under GDPR Article 6 (lawfulness of processing) and Article 13 (transparency obligations), conducting such tests without proper legal basis, employee notification, or a Data Protection Impact Assessment (DPIA) may constitute a violation of data protection law. The authors propose the PoinTER (Prepare-Test-Remediate) framework as a structured methodology that reconciles security testing objectives with GDPR compliance requirements, with particular attention to the constraints and resource limitations faced by SMEs.

Core Findings: A Three-Stage Framework for GDPR-Compliant Employee Pentesting

The PoinTER framework's most significant contribution is its systematic integration of GDPR compliance requirements into the full lifecycle of human pentesting, addressing two gaps simultaneously: the lack of SME-oriented frameworks and the absence of privacy-by-design principles in existing methodologies.

Finding 1: Existing Human Pentesting Frameworks Are Not GDPR-Ready

The research demonstrates that the majority of employee security awareness testing frameworks—including commercially available simulation tools—were not designed with GDPR in mind. Spear phishing tests, by their nature, require the use of employee names, job titles, organizational relationships, and other personal identifiers to craft convincing, targeted deception emails. Under GDPR, this constitutes personal data processing that requires a lawful basis, transparency toward data subjects, and in many cases, a formal Data Protection Impact Assessment. The absence of these safeguards exposes organizations—especially SMEs without dedicated Data Protection Officers (DPOs)—to significant regulatory risk. The authors further note that the legal basis most commonly invoked for such testing (legitimate interests under GDPR Article 6(1)(f)) requires a balancing test that few organizations formally document.

Finding 2: The PoinTER Framework Provides a Viable Path to Compliance

The PoinTER framework structures employee pentesting into three phases: Prepare (establishing legal basis, conducting privacy risk assessment, defining scope boundaries), Test (minimizing personal data use, avoiding unnecessary identification of individual employees), and Remediate (secure storage of results, data minimization, structured employee education). This architecture aligns closely with the ISO/IEC 29134 Privacy Impact Assessment standard and the control requirements in ISO 27701 Annex A. The framework was validated through expert review rather than large-scale empirical testing—a methodological limitation the authors acknowledge, and one that Taiwan enterprises should consider when directly applying the framework without contextual adaptation.

Implications for Taiwan Enterprises: ISO 27701, GDPR, and the Personal Data Protection Act

The PoinTER framework carries direct implications for Taiwan enterprises pursuing ISO 27701 certification or managing cross-border GDPR obligations. Taiwan's Personal Data Protection Act (個人資料保護法) Article 5 requires that personal data collection, processing, and use be limited to specific purposes and not exceed necessary scope. Article 19 further restricts non-government organizations from collecting personal data beyond legally defined circumstances. Employee security testing that uses personal data without explicit notification in employment contracts or internal policies may trigger compliance exposure under both Taiwan law and GDPR.

From an ISO 27701 perspective, Annex A requires organizations to systematically document all personal data processing activities (aligned with GDPR Article 30's Record of Processing Activities requirement). Employee pentesting activities that involve personal data should be formally registered in the organization's RoPA and subjected to a privacy risk assessment prior to execution. The European Data Protection Board (EDPB)'s 2026-2027 work programme, which includes the development of standardized DPIA templates, provides a timely reference point for Taiwan enterprises seeking to align their internal procedures with international best practice.

Additionally, the EDPB's Coordinated Enforcement Framework (CEF) report on the Right to Erasure (GDPR Article 17) highlights backup data deletion and anonymization validity as among the most commonly identified compliance gaps in supervisory audits. Taiwan enterprises using employee test result data should establish clear retention schedules and verifiable deletion procedures to avoid similar findings in ISO 27701 certification audits.

Winners Consulting's Approach: Building GDPR-Compliant Employee Privacy Management

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) provides end-to-end ISO 27701 implementation support for Taiwan enterprises, including DPIA execution, Record of Processing Activities development, and employee privacy governance design. Based on the findings of the PoinTER framework, we recommend the following three action priorities:

  1. Audit existing employee security testing activities for personal data compliance: Map all personal data types used in phishing simulations, social engineering tests, and security awareness assessments against the lawful processing requirements of Taiwan's Personal Data Protection Act Article 19 and GDPR Article 6. Verify whether these activities are documented in the organization's RoPA as required by ISO 27701 Annex A.
  2. Redesign testing protocols using PoinTER's three-stage structure with embedded DPIA: Apply the ISO/IEC 29134 Privacy Impact Assessment framework at the Prepare phase to evaluate proportionality and necessity of personal data use. Update employee handbooks and labor contracts to include transparent disclosure of security testing activities, satisfying GDPR Article 13 transparency obligations and Taiwan Personal Data Protection Act Article 8 notification requirements.
  3. Establish closed-loop governance for employee personal data processing: Define retention periods for test results, implement access controls, and create standard operating procedures for employee exercise of data subject rights (GDPR Articles 15-17; Taiwan Personal Data Protection Act Article 10). Given EDPB's enforcement focus on the Right to Erasure and backup data deletion, proactive governance in this area will reduce audit risk in both GDPR enforcement contexts and ISO 27701 certification reviews.

Winners Consulting Services Co. Ltd. offers a complimentary PIMS diagnostic assessment, helping Taiwan enterprises establish ISO 27701-compliant management systems within 7 to 12 months, covering employee personal data processing review, DPIA execution, and Record of Processing Activities development.


Frequently Asked Questions

What GDPR and Taiwan Personal Data Protection Act requirements apply to employee phishing simulation tests?
Employee phishing simulation tests must satisfy three compliance prerequisites before execution. First, a lawful processing basis must be established under GDPR Article 6 and Taiwan Personal Data Protection Act Article 19—typically through explicit disclosure in employment contracts or internal security policies. Second, if the test uses personally identifiable information (such as employee names, job titles, or organizational relationships), a Data Protection Impact Assessment (DPIA) is required to evaluate necessity and proportionality. Third, test results that constitute personal data records must be subject to defined retention periods, access controls, and deletion procedures. The PoinTER framework (Archibald & Renaud, 2018) documents that bypassing these requirements represents a material GDPR compliance risk, a finding equally applicable to Taiwan enterprises aligning with ISO 27701.
What are the most common ISO 27701 compliance gaps related to employee personal data management in Taiwan enterprises?
Based on Winners Consulting's implementation experience, the three most frequently identified gaps in Taiwan enterprise ISO 27701 audits related to employee data are: incomplete Subject Access Request (SAR) handling procedures that fail to address employees as data subjects; HR department processing activities not included in the organization's Record of Processing Activities (RoPA), creating coverage blind spots in ISO 27701 Annex A compliance; and security testing activities—including phishing simulations and performance assessments involving personal data—not subjected to formal privacy risk assessments prior to execution. Taiwan's Personal Data Protection Act Article 11, which requires accuracy maintenance for personal data, also generates frequent findings in HR data management audits.
How long does ISO 27701 certification take, and what are the key implementation steps?
ISO 27701 certification typically requires 7 to 12 months, depending on organizational size and whether ISO 27001 certification is already in place. Organizations with existing ISO 27001 certification can complete the ISO 27701 extension in 3 to 6 months. Organizations building from the ground up should budget 9 to 12 months. The standard implementation sequence includes: ① gap analysis and current-state assessment (4-6 weeks); ② privacy policy and procedure design (6-8 weeks); ③ DPIA execution and RoPA development (4-6 weeks); ④ internal audit and management review (4 weeks); ⑤ third-party certification audit (2-4 weeks). Taiwan enterprises should simultaneously map these steps against Taiwan Personal Data Protection Act obligations to ensure certification scope covers local regulatory requirements.
What are the resource requirements and expected benefits for SMEs implementing PoinTER or ISO 27701?
The PoinTER framework was explicitly designed with SME resource constraints in mind, making it a practical reference for Taiwan's mid-market enterprises. For organizations with 50-200 employees, primary ISO 27701 implementation costs include consulting fees, employee training time (approximately 16-24 hours per key personnel), and third-party certification audit fees. Expected benefits include reduced financial exposure from personal data violations (GDPR maximum penalties reach 4% of global annual turnover), and tangible competitive advantages in vendor due diligence and enterprise procurement qualification processes. ENISA's SME cybersecurity guidelines specifically note that SMEs with formal privacy compliance frameworks show significantly higher selection rates in supply chain security evaluations.
Why should Taiwan enterprises choose Winners Consulting for PIMS-related advisory?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is Taiwan's specialized advisory firm for Privacy Information Management System (PIMS) implementation, with proven ISO 27701 certification support experience across manufacturing, financial services, technology, and SME sectors. Our core competitive advantage lies in simultaneous expertise across three regulatory frameworks—GDPR, Taiwan's Personal Data Protection Act, and ISO 27701—enabling enterprises to build unified cross-jurisdictional compliance mechanisms without duplicating effort. We deliver end-to-end services from complimentary PIMS diagnostic assessments, gap analysis, DPIA execution, and RoPA development through to certification audit preparation, helping enterprises achieve ISO 27701 certification within 7 to 12 months. Contact us to schedule your complimentary diagnostic assessment.
---

Japanese Version

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), as Taiwan's specialized consulting firm for Privacy Information Management Systems (PIMS), draws attention to the key insight of the PoinTER framework proposed in 2018 by Professor Renaud (h-index: 34, over 5,253 cumulative citations) and Archibald: human penetration testing of employees, and spear-phishing simulations in particular, carries the risk of violating GDPR personal data processing obligations, and represents a compliance blind spot that is easily overlooked by small and medium-sized enterprises (SMEs) pursuing ISO 27701 certification.

Source paper: POINTER: a GDPR-compliant framework for human pentesting (for SMEs) (Archibald, Jacqueline; Renaud, K., arXiv, 2018)
Original link: https://core.ac.uk/download/228178451.pdf

Source Paper

POINTER: a GDPR-compliant framework for human pentesting (for SMEs) (Archibald, Jacqueline; Renaud, K., arXiv, 2018)
