General Data Protection Regulation

Any organisation processing European citizens' data would need to comply with the General Data Protection Regulation (GDPR).

Article 3 of the regulation defines the territorial scope as;

  1. This Regulation applies to the processing of personal data in the context of establishing a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

    • the monitoring of their behavior as far as their behavior takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

"In July 2019, the ICO announced its intention to issue a
€204,6 million (£183.39 million) fine to the British Airways for violation of Article 31 of the GDPR.

Information Commissioner's Office

The General Data Protection Regulation sets out seven key principles;

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security
  7. Accountability

These principles should form the core of your data processing policies and approach to handling personal data.

The GDPR defines a mandatory breach disclosure time constraint; a breach must be reported within 72 hours of its discovery. Along with potentially hefty fines of up to 4% of your global turnover for anyone that has not shown due care to their customer's data.

Initially, the GDPR is seemingly void of any mention of penetration testing. However, it does have a statement under Article 32;

"(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

Laneden can help build a program of works to help your organisation achieve regular security testing, understand your technical controls' effectiveness, and help ensure security risks are defined, and mitigation understood.

Providing a thorough and independent examination to identify security vulnerabilities within the software, systems, and network configurations.

Laneden can provide an on-site debriefing of the findings explaining how attackers could potentially gain control of your systems and exfiltrate data.

A comprehensive report is written containing an executive summary and is consumable by anyone in the organisation regardless of their technical background.

Along with enough detail to allow you to understand the risks and concise and clear guidance on how to either mitigate or remediate those risks.

"People's personal data is just that - personal.

When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

That's why the law is clear - when you are entrusted with personal data you must look after it.

Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.

ICO|Elizabeth Denham