Penetration testing and vulnerability scanning for GDPR

Request a quote
19 Aug, 2020

Penetration testing and vulnerability scanning for GDPR

GDPR completed its second anniversary in May this year. In one of our earlier articles, we discussed how NYDFS Cybersecurity Requirements for Financial Services Companies is a rare regulation that explicitly states penetration testing and vulnerability assessments. Unlike NYDFS, GDPR does not explicitly cover either of these, which leads to a lack of clarity. In this article, we discuss whether GDPR requires penetration testing and vulnerability scanning.

If you quickly read all the articles on GPDR, you will initially believe that GDPR may not require either vulnerability scanning or penetration testing. However, there is a catch under Article 32.

What does Article 32 say?

Article 32(1) reads as follows:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymization and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”

Read the first highlighted part. GDPR expects data controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Further, it mentions certain minimum requirements such as pseudonymization, encryption, CIA triad, resiliency, and implementing a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing.

Where do vulnerability scanning and penetration testing fit?

Read the second highlighted part now. If your organization is processing personal information of EU residents, GDPR requires you to maintain a resilient IT infrastructure wherein your organizational and security measures are working effectively. If one carefully looks at how data flows inside an organizational network, it is very likely to note that personal data would often be scattered across systems for various business use cases and purposes. We have seen with most of our clients that their data or a part thereof is hosted on a cloud service.

To check the efficiency of organizational and technical measures, there is no better alternative yet as compared to conducting a vulnerability assessment, followed by a full-fledged penetration test. A penetration test ensures that the existing vulnerabilities are identified and mitigated before attackers exploit them with malicious intent.

What should you do?

Absolute security is a myth. However, that does not mean that an organization should be lackluster in its implementation of security measures to protect its IT infrastructure. In the current threat landscape, being proactive about organizational security is the most logical solution. Modern-day organizations cannot sit and wait for an attack to happen. Instead, they should be proactive in identifying loopholes, vulnerabilities, and flaws in their IT infrastructure. Once identified, they can be patched. Regular vulnerability scans and periodic penetration tests ensure that vulnerabilities are discovered and patched timely. Does this sound like a burden? Well, it is not.

SaaS platforms like BreachLock enable organizations to set the frequency of vulnerability scans and order penetration tests in a few clicks. We partner with our clients in their security testing initiatives so that not only their systems are secure, but they also fulfill their legal obligations and compliance requirements. Schedule a discovery call with our team today!