
Penetration testing services for the GDPR

The General Data Protection Regulation (GDPR) recommends that you assess applications and critical infrastructure for security vulnerabilities and that the effectiveness of your security controls is tested regularly. Services such as penetration testing and regular vulnerability assessments can help meet this recommendation.
Compliance with the GDPR is motivating organisations worldwide to improve existing technical controls for securing personal information. Organisations should be especially aware that the GDPR amplifies the negative repercussions of a data security breach, meaning organisations can expect stiffer fines, penalties and reputational damage.

Organisations should now begin to redouble the implementation of information security controls and technologies, which include IT security monitoring, testing and measuring.
The importance of security testing for GDPR

The Cyber Security Breaches Survey 2017 found that virtually all UK businesses covered by the survey are exposed to cyber security risks. 61% hold personal data on their customers electronically. Worryingly, 46% of all UK businesses identified at least one cyber security breach or attack in the past 12 months. The survey also found that businesses that hold electronic personal data on customers are more likely than average to have experienced a breach.

Under the GDPR, all personal data breaches must be reported to the supervisory authority – in the UK, the Information Commissioner’s Office (ICO) – within 72 hours. Failure to report breaches attracts fines of up to €10 million or 2% of annual turnover – whichever is higher. Breaches or failure to uphold the sixth data processing principle (maintaining confidentiality and integrity of personal data) can attract fines of up to €20 million or 4% of annual turnover – whichever is higher.
How does penetration testing fit into my GDPR project?

A penetration test aims to determine whether and how an attacker can gain unauthorised access to assets that affect the fundamental security of your system. It provides real-world security testing of the security controls you believe are in place and functioning effectively. It’s a way to identify vulnerabilities that can be exploited to circumvent or defeat the security features of system components.

Managing and maintaining compliance requires a security infrastructure that can monitor and control the use and movement of data, identify the users who are using the data, restrict access to only those users who need it, and render the data unintelligible if it is accessed by an unauthorised user.

Article 32 requires organisations to implement technical measures to ensure data security. Although Article 32 gives examples of security measures, it does not provide a comprehensive list. It motivates an organisation to find, implement and revise effective security measures in light of the dangerous and rapidly changing information security threat landscape.
Our GDPR penetration testing solution

What can you expect from a GDPR penetration test?

IT Governance’s testing portfolio covers a wide range of applications, networks and devices.

Our CREST-certified testers will test your network infrastructure and information systems to see how far an attacker would actually be able to progress within your cardholder data environment.
Our approach

Our approach starts with an agreement on the scope of testing. Depending on your needs, the engagement will include the following:

  • External penetration testing
  • Internal penetration testing
  • Validation of any segmentation and scope-reduction controls
What will my service cover?

  • A review of the infrastructure to identify information that would be useful to a criminal hacker.
  • Manual tests to identify exploitable vulnerabilities.
  • Automated vulnerability scans.
  • Immediate notification of any critical vulnerabilities to help you take action fast.
  • A detailed technical report that identifies and explains the vulnerabilities (ranked in order of significance).
  • Recommended countermeasures to address any identified vulnerabilities.
  • An executive summary that explains what the risks mean in business terms.

Get in contact

We have a team of account managers and security consultants available to discuss your GDPR challenges. For more information, please get in contact.