Penetration Testing for GDPR
Penetration Testing for GDPR
Feb 1 2019Before we get into how penetration testing is required in order to meet GDPR compliance, let’s take a quick look at what GDPR is all about..
A Quick Summary of GDPR
The General Data Protection Regulation (GDPR) is an EU regulation implemented into EU law which covers data protection and privacy for individuals who live in the European Union. The regulation came into effect on the 28th of May 2018 and covers both personal, and sensitive data of those individuals.
Article 4 defines the difference between data controllers and processors, and what their duties are in enabling the rights of a data subject.
Article 37 covers Data Protection Officers (DPO). It requires that processors and controllers designate a DPO where their core activities consist of the regular and systematic monitoring of personal data or the processing of special categories of personal data on a large scale. The DPO shall act independently of the controller or processor, reporting directly to the highest management level.
The regulation gives data subjects rights such as;
- The Right to Be Forgotten: Data subjects have the right to request the controller to erase his or her personal data without undue delay where: the data is no longer necessary for the purposes collected; the data subject withdraws consent; or the data subject objects to data processing
-
The Right to Object to Processing: Data subjects have a right to object to the processing of their data unless the controller demonstrates compelling, legitimate grounds for processing. If their personal data is being used for direct-marketing purposes then the data subject has a right to object at any time. Furthermore, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- Consent: Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.
It is important to note that the GDPR also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
Data Breach Notifications
According to Article 33; The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
According to Article 34; When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Penetration Testing
Article 32 requires that the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including;
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
This requirement tells us that regular security testing which includes; penetration testing, vulnerability assessments, and security audits are a requirement under GDPR in order to meet compliance. A penetration test will be able to test the effectiveness of encryption controls, as well as the level of confidentiality, availability, and integrity in a data processing system.
Conclusion
Penetration Testing is an important part of meeting GDPR compliance, and will also identify risks associated with data breaches that include the personal data of EU residents. Currently a failure to comply with GDPR can lead to penalties of up to €20 Million or 4% of an organisations worldwide gross annual revenue. These regulations and penalties also apply to companies outside of the EU — which could include your organisation.
Core Sentinel can help you meet the security testing requirements of GDPR. Our penetration tests will also mitigate against the risk of a data loss from a security point of view by identifying weak points in your systems that could lead to compromise. Call Today for a Free Quote.
Other articles you may like:
The Definitive Guide to Penetration Testing
Black Box vs. White Box Testing: Key Differences Every Organisation Should Know