Do You Need Penetration Test for the GDPR?

Do you need penetration test to comply with GDPR? The GDPR requires that you assess applications and criticalinfrastructurefor security vulnerabilities and that the effectiveness of your security controls are tested regularly.  Services such as penetration testing and regular vulnerability assessments will help meet this requirement.

The GDPR brings a number of changes including breach reports being legally required within 72 hours. This being the case, can you really afford not to have a penetration test performed on systems which hold personal data?

Here are some of the other key points that you should be aware of in relation to GDPR:-

Data Breach Notifications

Controllers shall notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours, unless the breach is likely to result in a risk to the rights and freedoms of individuals.

When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller shall communicate the personal data breach to the data subject without undue delay.

Data Protection Officers

Controllers and processors shall designate a data protection officer where their core activities consist of the regular and systematic monitoring of personal data or the processing of special categories of personal data on a large scale.

The DPO shall act independently of the controller or processor, reporting directly to the highest management level.

One-Stop Shop

Data controllers are regulated by a lead authority located in the territory of their main establishment, although local authorities may deal with local cases.

If a concerned supervisory authority objects to a lead authority’s draft decision, the case shall be referred to the consistency mechanism for a binding decision by the European Data Protection Board.

Any EDPB binding decision can be appealed to the Court of Justice of the European Union.

Right to Erasure

Data subjects have the right to request the controller to erase his or her personal data without undue delay where: the data is no longer necessary for the purposes collected; the data subject withdraws consent; or the data subject objects to data processing. This is often referred to as “Right to be Forgotten”.

Where the controller has made the data public, the controller shall take reasonable steps to inform the data processor of the erasure request.

Right to Object

Data subjects have the right to object to processing unless the controller demonstrates compelling legitimate grounds for processing. Where personal data is processed for direct-marketing purposes, data subjects have the right to object at any time to the processing. Data subjects have the right not to be subject to a decision based solely on automated processing,  including profiling, unless the data subject has given explicit consent, or where the processing is authorised by contract or in law.


This is one of the most significant areas of change. The data subject’s consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes. Where consent is relied upon for the processing of special categories of personal data, explicit consent is required. Parental consent is required for the processing of personal data of children under the age of 16, unless member state law provides for a lower age not under 13.

Administrative Fines

Non-compliance by controller and the processor may be subject to administrative fines of up to €10 million, or 2% of worldwide annual turnover whichever is higher. Non-compliance with the basic principles for processing, data subject rights, transfers of personal data, or noncompliance with an order by the supervisory authority may be subject to administrative fines of up to €20 million, or 4% of worldwide annual turnover,  whichever is higher.