Why penetration testing is essential for GDPR compliance

Article 32 of the EU GDPR (General Data Protection Regulation) requires organizations to implement technical measures to ensure data security.

Specifically, it highlights the need for “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

One of the most crucial parts of this is penetration testing. This is essentially a controlled form of hacking in which a professional tester, working on behalf of an organization, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.

Organizations that fail to meet their Article 32 requirements – even if they avoid data breaches – could face hefty fines and enforcement action. This includes an investigation into their practices and a mandate to address any processes that fall short of the GDPR’s requirements.

How does penetration testing work?

Most organizations will recognise that the greatest threats exist where their systems are exposed to the Internet. Whether through malicious attacks or staff misuse, an organization’s systems are most likely to be compromised wherever internal systems meet the external environment.

Although it is possible to completely secure a network by closing it off from the outside world, most organizations need the logical perimeter to be porous to some degree.

This means they will inevitably face the prospect of defects in their systems, whether in their web servers, web browsers, email clients, point-of-sale software, operating systems or server interfaces.

Unless organizations can identify and correct vulnerabilities, they leave themselves exposed to cyber attackers. This is where penetration testing fits in.

Penetration tests provide a final, end-of-state check to make sure all the necessary security controls have been implemented correctly. They can also be used in the early stages of developing new processing systems to identify potential risks to personal data.

Moreover, they can be performed across the whole organization, looking at the risk from the human element through to your applications and infrastructure, depending on where personal data is held or accessed.

Get started with penetration testing

Penetration tests offer an affordable, repeatable method for identifying vulnerabilities in your infrastructure and web applications.

Testing also demonstrates that your organization takes security seriously, which will strengthen your stakeholders’ trust and mitigate any regulatory action from supervisory authorities in the event of a breach.

You can find out more by reading Penetration testing and the GDPR.

This free download goes into further detail about how testing works and the GDPR’s requirements.

It also explains how you can fit your testing needs around your security and budgetary requirements, and provides advice on how you can get started – including an example of a GDPR testing regime.

A version of this blog was originally published on 15 May 2018.