The Information Commissioner’s Office (ICO) has warned that organisations could be punished for existing vulnerabilities when the EU General Data Protection Regulation (GDPR) is enforced.
Although the GDPR won’t take effect until 25 May 2018, organisations that fail to identify and patch vulnerabilities before this date face strict disciplinary measures. The ICO has said that fines will be a last resort, and the Regulation’s maximum penalty (€20 million (about £17.8 million) or 4% of annual global turnover – whichever is greater) will be reserved for only the most egregious violations, but any disciplinary action could be costly.
Any non-compliant organisation faces enforcement actions, including an investigation into their practices and a mandate to address any processes that fall short of the GDPR’s requirements.
Nigel Houlden, head of technology policy at the ICO, said: “[T]here may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.”
He added: “We therefore strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency. Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”
Preparing for the GDPR
New laws aren’t usually retroactive, but the ICO’s statement acknowledges the importance of patch management. There are a handful of ways that organisations can manage patches, but the process should always involve regular penetration testing.
Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
Testing offers an affordable, repeatable method for identifying vulnerabilities in your infrastructure and web applications. It also demonstrates that your organisation takes security seriously, which will strengthen your stakeholders’ trust and mitigate any regulatory action from supervisory authorities in the event of a breach.
Free webinar: how can penetration testing support your GDPR project?
Many people have little experience with penetration testing, so we’ve developed a webinar filled with practical advice on how you can use penetration testing to help comply with the GDPR. Compliance solutions: how can penetration testing support your GDPR project? is hosted by IT Governance’s founder and executive chairman, Alan Calder, and head of technical services, David Grove, and explains how penetration testing can help organisations comply with the GDPR. It covers:
- Penetration testing and its role in demonstrating GDPR compliance;
- Implementing technical measures to ensure data security and compliance with Article 32 of the GDPR;
- Why penetration tests are vital in uncovering vulnerabilities before criminals do; and
- How to meet legislative and regulatory requirements and achieve an integrated approach with standards such as the PCI DSS, ISO 27001 and the GDPR.