Penetration testing services for the GDPR

The General Data Protection Regulation (GDPR) recommends that you assess applications and critical infrastructure for security vulnerabilities and that the effectiveness of your security controls is tested regularly. Services such as penetration testing and regular vulnerability assessments can help meet this recommendation.

Compliance with the GDPR is motivating organisations worldwide to improve existing technical controls for securing personal information. Organisations should be especially aware that the GDPR amplifies the negative repercussions of a data security breach, meaning organisations can expect stiffer fines, penalties and reputational damage.

Organisations should now begin to redouble the implementation of information security controls and technologies, which include IT security monitoring, testing and measuring.

The importance of security testing for GDPR

Under the GDPR, all personal data breaches must be reported to the supervisory authority – in Ireland, Data Protection Commission (DPC) – within 72 hours. Failure to report breaches attracts fines of up to €10 million or 2% of annual turnover – whichever is higher. Breaches or failure to uphold the sixth data processing principle (maintaining confidentiality and integrity of personal data) can attract fines of up to €20 million or 4% of annual turnover – whichever is higher.

How does penetration testing fit into my GDPR project?

A penetration test aims to determine whether and how an attacker can gain unauthorised access to assets that affect the fundamental security of your system. It provides real-world security testing of the security controls you believe are in place and functioning effectively. It’s a way to identify vulnerabilities that can be exploited to circumvent or defeat the security features of system components.

Managing and maintaining compliance requires a security infrastructure that can monitor and control the use and movement of data, identify the users who are using the data, restrict access to only those users who need to access it, and to render the data unintelligible in the event that it is accessed by an unauthorised user.

Article 32 requires organisations to implement technical measures to ensure data security. Although Article 32 gives examples of security measures, it does not provide a comprehensive list. It motivates an organisation to find, implement and revise effective security measures in light of the dangerous and rapidly changing information security threat landscape.

Speak to an expert

For more information and guidance on penetration testing and the EU GDPR, please contact our experts who will be able to discuss your organisations needs further.