Penetration testing services for the GDPR
The GDPR (General Data Protection Regulation) recommends that you assess applications and critical infrastructure for security vulnerabilities and regularly test the effectiveness of your security controls. Services such as penetration testing and regular vulnerability assessments can help meet this recommendation.
Compliance with the GDPR is motivating organizations worldwide to improve existing technical measures for securing personal information. Organizations should be especially aware that the GDPR amplifies the negative repercussions of a data security breach, meaning organizations can expect stiffer fines, penalties, and reputational damage.
Organizations should now redouble their efforts to implement information security controls and technologies, including security monitoring, testing, and measurement.
The importance of security testing for GDPR
The average cost of a data breach is now $3.62 million according to research by the Ponemon Institute, and one in four organizations experience a breach. On average, 24,089 records are lost in a data breach, at an average cost of $141 each.
Under the GDPR, all personal data breaches of EU residents must be reported to the relevant supervisory authority within 72 hours. Failing to report breaches may attract fines of up to €10 million or 2% of annual global revenue – whichever is greater. Data breaches or failure to uphold the data processing principles can attract fines of up to €20 million or 4% of annual global revenue – whichever is greater.
How does penetration testing fit into my GDPR project?
A penetration test aims to determine whether and how an attacker could gain unauthorized access to assets that affect the security of your system. It provides real-world testing of the security controls you believe are in place and functioning effectively, and it is a way to identify vulnerabilities that could be exploited to circumvent or defeat those controls.
Managing and maintaining compliance requires a security setup that can monitor and control the use and movement of data, identify who is using the data, restrict access to only those users who need to access it, and render the data unintelligible in the event that it is accessed by an unauthorized user.
Article 32 requires organizations to implement technical measures to ensure data security. Although it gives examples of security measures, it does not provide a comprehensive list. It motivates an organization to find, implement, and review effective security measures in light of the rapidly changing information security threat landscape.
Get in contact
We have a team of account managers and security consultants available to discuss your GDPR challenges. For more information, please get in touch.