If you’re a company that needs to comply with the General Data Protection Regulation (GDPR), you’re probably wondering whether or not you need to run penetration tests. Penetration testing, which assesses and evaluates corporate infrastructure, is a critical part of any security program, but is it required by law to protect personal data from a data breach?
In this article, we’ll cover whether or not GDPR compliance demands that you perform penetration tests. We’ll also review the market for GDPR penetration testing services. Regardless, regular penetration tests are absolutely worthwhile to validate technical and organizational measures.
- Does GDPR Require Penetration Testing?
- Penetration Testing Requirements for GDPR
- Is Vulnerability Assessment Enough?
- CISO's Recommendation on Pentesting for GDPR
- How Much is Penetration Testing for GDPR?
- Are there Vendors for GDPR Pentesting Specifically?
- Final Thoughts
Does GDPR Require Penetration Testing?
In short, no. There’s no specific GDPR compliance requirement that says, “Thou shalt perform penetration tests.”
That being said, there are GDPR requirements that are well served by penetration testing. The rationale is very similar to ISO 27001. ISO 27001 requires, in numerous places, that the effectiveness of technical and organizational measures be validated. The theory behind that is that effective technical and organizational measures protect customers’ personal data and other customer data from data breaches.
Article 32 of the GDPR regulations (which I’ve also seen colloquially referred to as the Data Protection Act) requires that entities engaged in data processing “shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk….” A security assessment of some kind typically determines the appropriateness of security measures vis-à-vis risk.
That security assessment doesn’t have to be a penetration test. It could be or could include vulnerability scanning and other security assessments. That being said, penetration testing is ideally suited to evaluating the effectiveness and appropriateness of security controls.
Penetration Testing Requirements for GDPR
GDPR compliance efforts require that you ensure data security. Article 32 provides a few examples of the requirements for securing the personal data of European Union (EU) citizens. Some of those mechanisms include:
- Data encryption and identification,
- Assuring the confidentiality, integrity, and availability of data,
- Timely restoration of data in the event of an incident, and
- Regular security testing of security controls.
Based on those bullets, you can hopefully see why vulnerability scanning and security assessments aren’t sufficient for GDPR compliance efforts and don’t really ensure data security on their own.
Vulnerability scanning does a great job of identifying vulnerabilities. Most vulnerability scanners can tell you:
- What security vulnerabilities exist
- Whether or not internal communication connections are encrypted
They can’t readily validate other technical measures or identify potential risks outside their scope. For example, they typically can’t validate data encryption in motion or at rest, not to mention data traversing outside the organization. Additionally, they provide zero insight into restoration or into whether confidentiality, integrity, or availability is assured.
A security assessment similarly doesn’t work on its own to satisfy the GDPR’s requirements. Those typically evaluate the existence of administrative controls and whether or not they suffice to document data security controls around sensitive data.
Combining those two assessments also won’t give you the full picture of compliance or non-compliance with GDPR regulations. Supplementing those with penetration testing, however, will give your Data Protection Officer the full view of whether or not you meet GDPR’s data protection requirements.
That’s because penetration testing provides a platform for assessing and evaluating the effectiveness of technical measures to protect personal data–even if the components that make up those technical measures don’t have vulnerabilities or administrative gaps.
Penetration testing is ethical hacking. That hacking can be automated, using a machine learning engine to exploit known attack paths, or performed manually by a person who stands in for cyber criminals and attacks your infrastructure. Those tests can do things like:
- Evaluate your cloud security, especially where vulnerability scanning won’t,
- Pressure-test your web applications to see whether or not your own data or consumer personal data can be compromised,
- Peruse your organizational unstructured data storage–think Word documents and Excel spreadsheets that your employees create–to see whether or not they can access that information, and
- Try to access SaaS platforms or other such applications that are a key part of your ongoing business operations.
In light of those many benefits, penetration testing is critical to meeting the GDPR’s seventh principle, accountability. While not expressly required, I struggle to see how you can demonstrate accountability without including penetration testing for assessing and evaluating your environment.
The consequences are significant. If you can’t demonstrate those controls, you may be found to be engaging in unauthorized or unlawful processing of personal data. A finding of unauthorized or unlawful processing of personal data can result in audits, operational limitations, and steep fines.
Is Vulnerability Assessment Enough?
As highlighted in the last section, I don’t think so. Vulnerability assessments have their place and are integral components of a cybersecurity program–even more so for protecting personal data under GDPR. However, they’re only one part of security testing. Vulnerabilities can bring down an organization, but they’re not the only risks whose identification will help improve security.
In my opinion, you must combine vulnerability scanning with other means of testing, assessing, and evaluating your security posture over personal data. Many organizations stop short of penetration testing, and I think that’s a mistake. Identifying vulnerabilities and performing security testing and other assessments is great. Without penetration testing, however, you have no way to identify potential risks or validate controls against accidental loss of data and/or a personal data breach.
CISO’s Recommendation on Pentesting for GDPR
Here are some more of my thoughts about GDPR pen testing. Your mileage may vary.
How Regularly?
You should regularly penetration test your environment. I’d say to perform one annually. If you don’t have a process for regularly testing, assessing, and evaluating your security posture now, or you’ve just developed that process, chances are you’re going to have many security deficiencies you need to address. You should think about addressing those before you perform another penetration test.
That being said, you can perform pen testing more than annually, and there are some situations where that may make sense. For example, you may have a well-established process for regularly testing, assessing, and evaluating your security posture or environment. You may also have applications that fall into special categories, like being mission-critical. If so, your business may be significantly hindered by malicious activity against, or accidental loss of, that system.
You’ll also want to schedule security testing during relative operational lulls. You can run it simultaneously with other events and audits, but it’s going to make you very unpopular.
Testing What?
I think a few different kinds of systems should be in scope and I’ve identified a couple above. You might want to consider regularly penetration testing:
- New and heavily modified systems in the form of an end-of-state check to see how the addition or change will impact your security posture,
- Mission-critical systems, without which your organization won’t function, and
- Systems that contain personal data–anything that the GDPR relates to or covers.
Other systems that are less critical, have only minor changes that don’t need an end-of-state check, or may not hold sensitive data I’d consider to be more “optional.” I put that in quotes because anything on your corporate network can be a stepping-off point for an attack, but that can be mitigated with other controls (and reasonable steps for validating those controls include a penetration test).
How Much is Penetration Testing for GDPR?
A “GDPR Penetration Test” will probably be more expensive by virtue of the fact that it’s connected to regulatory compliance and therefore seen as a specialty. To be honest, while GDPR affects security approaches and controls, any penetration testing will suffice.
Small to mid-sized businesses will pay thousands or tens of thousands for a penetration test depending on the scope of the test and the breadth of their infrastructure. Large businesses can pay hundreds of thousands or millions of dollars based on the same considerations. In short: the larger the scope, the more expensive the penetration test.
For a detailed breakdown on penetration testing costs, see this article.
Are there Vendors for GDPR Pentesting Specifically?
There are some vendors who may be more experienced in GDPR compliance and are able to provide compliance recommendations with GDPR. That being said, most penetration testing vendors have some exposure to and experience with GDPR compliance, so I don’t think you need to pick them based on the quality of their GDPR experience.
Instead, evaluate the vendor’s overall performance, whether or not they’re employing automated testing, and what their overall annual test plan looks like. You may also be concerned with external, internal, and application pen testing. You’ll want to pick a vendor who specializes in one or more of those.
Final Thoughts
If you’re a firm that needs to maintain GDPR compliance, you have a duty to be accountable for your information security posture. While there aren’t specifics about how to attain that posture, there are some stringent requirements that effectively dictate the intensity of that posture, the measures you need, and that you evaluate them.
Arguably, while penetration testing isn’t specifically required, it is de facto required. It’s really not possible to demonstrate the appropriateness of controls without actively testing those controls. Penetration testing does exactly that.
You may be tempted to find GDPR-specific penetration testing services. You don’t have to. Most vendors will be able to perform penetration tests that meet your needs.