General Data Protection Regulation
Any organisation processing the personal data of individuals in the EU must comply with the General Data Protection Regulation (GDPR), whether or not the organisation itself is established in the EU.
Article 3 of the regulation defines the territorial scope as:
€204.6 million (£183.39 million) proposed fine for British Airways for infringement of Article 32 of the GDPR (security of processing).
Information Commissioner's Office, https://ico.org.uk
The General Data Protection Regulation sets out seven key principles:
These principles should form the core of your data processing policies and approach to handling personal data.
The GDPR also imposes a mandatory breach notification deadline: under Article 33 a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. Organisations that have not shown due care for their customers' data face fines of up to €20 million or 4% of annual global turnover, whichever is higher.
At first glance the GDPR makes no mention of penetration testing. However, Article 32(1) lists, among the technical and organisational measures a controller or processor must implement:
"(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."
Laneden can build a programme of work that gives your organisation regular security testing, a clear view of how effective your technical controls are, and a defined set of security risks with the mitigations for each understood.
We provide a thorough and independent examination to identify security vulnerabilities in your software, systems and network configurations.
Laneden can also provide an on-site debriefing of the findings, explaining how an attacker could gain control of your systems and exfiltrate data.
The comprehensive report contains an executive summary that anyone in the organisation can follow regardless of technical background, together with enough detail to understand each risk and clear, concise guidance on how to mitigate or remediate it.
"When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
That's why the law is clear - when you are entrusted with personal data you must look after it.
Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Elizabeth Denham, Information Commissioner, ICO, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/