GDPR applies to all organizations doing business in the European Union (EU) or with EU citizens. Penetration testing is an important part of meeting GDPR compliance, and it also identifies risks associated with data breaches involving the personal data of EU residents.
Failure to comply with GDPR can lead to penalties of up to €20 Million or 4% of an organisation's worldwide gross annual revenue, and can have serious consequences for your bottom line, customer relationships, and brand image.
These regulations and penalties also apply to companies outside of the EU.
…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Penetration testing is one of the measures mentioned in Article 32 of the EU General Data Protection Regulation (GDPR), which outlines organisations’ need to put in place defences appropriate to the risks they face.
This requirement tells us that regular security testing, which includes penetration testing, vulnerability assessments, and security audits, is a requirement under GDPR in order to meet compliance.
Penetration tests are crucial. They provide a final, end-of-state check to make sure all the necessary security controls have been implemented correctly. They can also be used in the early stages of developing new processing systems to identify potential risks to personal data.
Are we required to ensure our security measures are effective?
Yes, the GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your own circumstances. However, it’s important to note that the requirement in the GDPR concerns your measures in their entirety, therefore whatever ‘scope’ you choose for this testing should be appropriate to what you are doing, how you are doing it, and the data that you are processing.
Technically, you can undertake this through a number of techniques, such as vulnerability scanning and penetration testing. These are essentially ‘stress tests’ of your network and information systems, which are designed to reveal areas of potential risk and things that you can improve.
In some industries, you are required to undertake tests of security measures on a regular basis. The GDPR now makes this an obligation for all organisations. Importantly, it does not specify the type of testing, nor how regularly you should undertake it. It depends on your organisation and the personal data you are processing.
You can undertake testing internally or externally. In some cases it is recommended that both take place.
Whatever form of testing you undertake, you should document the results and make sure that you act upon any recommendations, or have a valid reason for not doing so, and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach.