GDPR and Penetration Testing

GDPR is widely regarded as the most stringent data protection regulation since it was passed in April 2016. It came into effect on May 25, 2018, and organizations that handle the data of EU residents still face uncertainty about what their responsibilities under the regulation actually are. Questions about GDPR often revolve around what should be tested in order to demonstrate compliance.

Penetration testing, meanwhile, has become an integral part of an organization’s security strategy in recent years, because it simulates a real-life attack on the organization’s technical infrastructure to identify existing vulnerabilities and loopholes. So where does penetration testing fit into GDPR? In this article, we explore real-life situations in which an organization should consider its penetration testing requirements in the context of GDPR.

To start with, Article 32(1) lists various technical and organizational measures that a controller or a processor should implement. One of the recommended measures is:
"a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."

Without a doubt, the statement quoted above is somewhat vague, but as a rule of thumb, any system where personal data is stored must be tested. In addition, Article 32 requires data processors and controllers to implement a level of security appropriate to their organizational risks. Your organization’s testing plan for GDPR should have the following components –

  • Periodic intervals in which penetration tests and vulnerability assessments must be conducted
  • Half-yearly or yearly activities for checking –
    • Network Segmentation
    • Mitigation of Existing Vulnerabilities
    • Impact Assessment
    • Social Engineering Simulation Tests
    • Internal and External Vulnerability Scans
  • Awareness campaigns and training programs for employees


After an external vendor or your internal team conducts a GDPR penetration test, the real value is realized when the penetration testing report is delivered and top management is briefed on the outcomes. A penetration testing report should include –

  • Executive summary covering business risks, potential impact, and possible solutions for mitigating those risks
  • Technical description of the tests performed
  • Prioritization of vulnerabilities
  • Solutions for each vulnerability
  • Recommendations
  • Mitigation Timeline


GDPR requires an organization to continuously monitor and control the movement of personal data, and to implement the mechanisms needed to control access levels and render the data unusable to an unintended user. Without a doubt, the list of measures prescribed by Article 32 is not comprehensive. It remains the organization’s responsibility to identify the assets that matter most to its business so that it can allocate sufficient financial resources to protecting them. Matching critical systems with high-risk threats before the testing process starts ensures the organization receives an optimum return on its investment.

Protect your business and stay compliant with GDPR regulations by taking action now. Schedule a discovery call today to identify any potential security vulnerabilities and safeguard your sensitive data. Don’t wait until it’s too late – prioritize your business’s security with GDPR and penetration testing today.
