Article 32 of the Regulation requires organisations to implement technical measures to ensure data security. It outlines specific measures and highlights the need for “[A] process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.
Defects in web servers, web browsers, email clients, point-of-sale (POS) software, operating systems and server interfaces can allow attackers to gain access to an environment. However, to patch these vulnerabilities, you need to identify them first.
For GDPR compliance, penetration tests are crucial because they provide a final, end-of-state check that all the required security controls have been implemented correctly. They can also be used in the early stages of developing new processing systems to identify potential risks to personal data.
- The GDPR’s requirements for security testing;
- Testing to fit security and budgetary requirements;
- Guidance for penetration testing; and
- An example of a GDPR testing regime.
Download this green paper for practical guidance on how to conduct a penetration test that supports GDPR compliance.