Rhino Security Labs

GDPR and Penetration Testing: What You Need to Know

What is GDPR?

The time of GDPR is upon us, and unless you live under a rock you’ve already received a handful of emails about privacy policy changes.  Our goal here is to help you understand what it is, and more specifically, how GDPR relates to security and penetration testing. Do not worry, we won’t bore you with any more privacy policy changes.

The General Data Protection Regulation (GDPR) is focused on the personal data of citizens within the European Union. GDPR is often viewed as having two primary goals, within the EU and beyond:

  • To define the online rights of EU citizens.
  • To regulate the handling of EU citizens’ personal data.

A key goal of GDPR is to provide EU citizens with more control over their own data. You’ve probably noticed ads for a product online the day after searching for that same product. That is no coincidence; it is the result of data collected the day before. GDPR sets out to make this optional and completely up to the individual. Under GDPR, individuals have a handful of rights:

  1. To be informed: Before data is collected on individuals, the individual must knowingly give consent.
  2. Access: If requested, companies must provide individuals access to what data has been collected about them and how that data is being used.
  3. Rectification: If data is old or incorrect, individuals have the right to have the data corrected.
  4. Erasure: If an individual is no longer a customer, or has withdrawn approval of data collection, then an individual has the right to have data fully deleted.
  5. To Restrict Processing: An individual has the right to request their data not be used for any processing, but the data does not have to be deleted.
  6. Data Portability: An individual has the right to have data moved from one company to another.
  7. To Object: Individuals have the right to immediately stop their data from being used in direct marketing.
  8. Rights related to automated decision making including profiling: Individuals have the right to know if automated decision making is being used in a way that can impact them.

In addition to individual rights, GDPR also aims to regulate how personal data such as name, email, address, etc. is handled. Companies must be transparent about what information is collected and how it will be used. As you may have noticed from the multiple privacy policy updates you’ve received, companies are explaining not only how data is captured, stored, and used, but also how it is secured. While GDPR is primarily viewed as a privacy standard, it also has underlying roots in security.

Who's Affected by GDPR?

It may initially seem as if GDPR solely applies to EU companies, but any company handling the data of EU citizens must be in compliance. In addition, there is reason to believe that companies may choose to treat all consumers under GDPR guidelines, since it may logistically make sense to handle all customers under this new standard instead of handling EU customer data differently from that of consumers in the rest of the world.

How GDPR affects Security

There are some underlying effects for security professionals. A key development in GDPR is the requirements around breach announcements. If you examine large breaches such as Equifax, companies tend to know long before the affected consumers find out. With GDPR, the new standard is 72 hours from the discovery of a breach. Security professionals will have more cause to stay on top of analysis and internal communication of security concerns.

In addition to this, GDPR stresses the importance of what is referred to as “privacy-by-design.” As SaaS platforms and web applications are developed, security and privacy must be front of mind. If your development team overlooks security in exchange for earlier release dates, you can quickly find yourself in trouble. As part of this, ongoing penetration testing and security assessments of such applications will be key in ensuring privacy-by-design.

GDPR and Penetration Testing

At first glance GDPR may seem as if it doesn’t have much to do with penetration testing. With some close reading, you can find a direct correlation under Article 32:

“(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”

This is vague, as it doesn’t specifically define what must be tested on a regular basis. A strong rule of thumb is to test any systems or applications that touch personal data. If Article 32 isn’t enough of a reason to see why penetration testing is an important security factor of GDPR, the mandatory breach disclosure should be enough of an incentive. The days of delaying breach disclosures are over, as you must now announce an incident within 72 hours of its discovery. Penetration tests can discover vulnerabilities or potential breaches before anyone else, ultimately saving you the pain of breach disclosure.

GDPR creates the perfect reason to have regular penetration tests, but when it comes down to it, penetration tests are helpful to any team. Most security professionals can relate to the full plate that others in the industry have. Beyond just identifying vulnerabilities prior to real-world exploitation, penetration tests help teams prioritize security fixes based on the severity and impact of different findings.

Aside from any specific requirements, GDPR has harsh penalties for a security breach, with organizations facing penalties of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher. With financial impacts so hefty, thorough proactive controls are critical.

GDPR Pentesting and Cloud Security

While GDPR has caused panic among IT environments worldwide, the complications around data security in cloud environments are even more complex. AWS, for example, supports GDPR compliance through many of its services, but this does not reduce the financial penalties in the event of a data breach (regardless of who is at fault or how it happened).

This greater impact raises the risk and concern around AWS penetration testing and the proper configuration and handling of environments. For more information on this, review AWS Penetration Testing.

Conclusion

GDPR has been a buzzword for more than a year, and for good reason. While it can create headaches and difficulties for some organizations, it also creates a large opportunity for companies who value privacy and security. It allows you to demonstrate credibility and build trust with consumers. For the companies who haven’t taken security as seriously in the past, it provides a very tangible reason to become serious today.

If you would like to discuss penetration tests focused on GDPR, feel free to contact a security expert.