Penetration testing services for the GDPR
The General Data Protection Regulation (GDPR) recommends that you assess applications and critical infrastructure for security vulnerabilities and that the effectiveness of your security controls is tested regularly. Services such as penetration testing and regular vulnerability assessments can help meet this recommendation.
Compliance with the GDPR is motivating organisations worldwide to improve existing technical controls for securing personal information. Organisations should be especially aware that the GDPR amplifies the negative repercussions of a data security breach, meaning organisations can expect stiffer fines, penalties and reputational damage.
Organisations should now redouble their efforts to implement information security controls and technologies, including IT security monitoring, testing and measurement.
The importance of security testing for GDPR
Under the GDPR, all personal data breaches must be reported to the supervisory authority – in the UK, the Information Commissioner’s Office (ICO) – within 72 hours. Failure to report breaches attracts fines of up to €10 million or 2% of annual turnover – whichever is higher. Breaches of, or failure to uphold, the sixth data processing principle (maintaining the confidentiality and integrity of personal data) can attract fines of up to €20 million or 4% of annual turnover – whichever is higher.
The Cyber Security Breaches Survey 2017 found that virtually all UK businesses covered by the survey are exposed to cyber security risks. 61% hold personal data on their customers electronically. Worryingly, 46% of all UK businesses identified at least one cyber security breach or attack in the past 12 months. The survey also found that businesses that hold electronic personal data on customers are more likely than average to have experienced a breach.
How does penetration testing fit into my GDPR project?
A penetration test aims to determine whether and how an attacker can gain unauthorised access to assets that affect the fundamental security of your system. It provides real-world security testing of the security controls you believe are in place and functioning effectively. It’s a way to identify vulnerabilities that can be exploited to circumvent or defeat the security features of system components.
Managing and maintaining compliance requires a security infrastructure that can monitor and control the use and movement of data, identify the users who are accessing the data, restrict access to only those users who need it, and render the data unintelligible if it is accessed by an unauthorised user.
Article 32 requires organisations to implement technical measures to ensure data security. Although Article 32 gives examples of security measures, it does not provide a comprehensive list. It motivates an organisation to find, implement and revise effective security measures in light of the dangerous and rapidly changing information security threat landscape.
Speak to an expert
For more information and guidance on penetration testing or the packages IT Governance offers, please contact our experts, who will be able to discuss your organisation’s needs further.